diff --git a/.gitignore b/.gitignore
index 73bde65..128fbb8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@
 /openldap-2.4.45.tgz
 /openldap-2.4.46.tgz
 /openldap-2.4.47.tgz
+/openldap-2.4.50.tgz
diff --git a/openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch b/openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
new file mode 100644
index 0000000..350626e
--- /dev/null
+++ b/openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
@@ -0,0 +1,36 @@
+From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount
+Date: Tue, 28 Apr 2020 20:49:53 +0000
+Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
+
+---
+ libraries/libldap/tls2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index c1f15cbc1..ebe5bf125 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ } else if ( sb->sb_trans_needs_write ) {
+ wr=1;
+ }
+- Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+- wr ? "write": "read" );
++ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
++ wr ? "write": "read", 0, 0 );
+
+ /* This is mostly copied from result.c:wait4msg(), should
+ * probably be moved into a separate function */
+@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ start_time_tv.tv_sec = curr_time_tv.tv_sec;
+ start_time_tv.tv_usec = curr_time_tv.tv_usec;
+ tv = tv0;
+- Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
++ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+ (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
+ ret = ldap_int_poll( ld, sd, &tv, wr);
+ if ( ret < 0 ) {
+--
+2.25.4
+
diff --git a/openldap-ldapi-sasl.patch b/openldap-ldapi-sasl.patch
deleted file mode 100644
index 058cc1c..0000000
--- a/openldap-ldapi-sasl.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
-From: Sumit Bose
-Date: Tue, 7 May 2013 17:02:57 +0200
-Subject: [PATCH] LDAPI SASL fix
-
-Resolves: #960222
----
- libraries/libldap/cyrus.c | 19 ++++++++++++++++---
- 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
-
-diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
-index 28c241b..a9acf36 100644
---- a/libraries/libldap/cyrus.c
-+++ b/libraries/libldap/cyrus.c
-@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
- struct berval ccred = BER_BVNULL;
- int saslrc, rc;
- unsigned credlen;
-+ char my_hostname[HOST_NAME_MAX + 1];
-+ int free_saslhost = 0;
-
- Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
- mechs ? mechs : "", 0, 0 );
-@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
-
- /* If we don't need to canonicalize just use the host
- * from the LDAP URI.
-+ * Always use the result of gethostname() for LDAPI.
- */
-- if ( nocanon )
-+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
-+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
-+ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
-+ if (rc == 0) {
-+ saslhost = my_hostname;
-+ } else {
-+ saslhost = "localhost";
-+ }
-+ } else if ( nocanon )
- saslhost = ld->ld_defconn->lconn_server->lud_host;
-- else
-+ else {
- saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
- "localhost" );
-+ free_saslhost = 1;
-+ }
- rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
-- if ( !nocanon )
-+ if ( free_saslhost )
- LDAP_FREE( saslhost );
- }
-
---
-1.7.11.7
-
diff --git a/openldap-openssl-ITS7595-Add-EC-support-1.patch b/openldap-openssl-ITS7595-Add-EC-support-1.patch
deleted file mode 100644
index 61e1df5..0000000
--- a/openldap-openssl-ITS7595-Add-EC-support-1.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-ITS#7595 Add Elliptic Curve support for OpenSSL
-
-Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
-Author: Howard Chu
-Date: Sat Sep 7 09:47:19 2013 -0700
-
-diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
-index 9c72e8296..2311c3096 100644
---- a/doc/man/man5/slapd-config.5
-+++ b/doc/man/man5/slapd-config.5
-@@ -922,6 +922,13 @@ are not used.
- When using Mozilla NSS these parameters are always generated randomly
- so this directive is ignored.
- .TP
-+.B olcTLSECName:
-+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-+ephemeral key exchange. This is required to enable ECDHE algorithms in
-+OpenSSL. This option is not used with GnuTLS; the curves may be
-+chosen in the GnuTLS ciphersuite specification. This option is also
-+ignored for Mozilla NSS.
-+.TP
- .B olcTLSProtocolMin: [.]
- Specifies minimum SSL/TLS protocol version that will be negotiated.
- If the server doesn't support at least that version,
-diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
-index f504adcf9..ef03e0ad8 100644
---- a/doc/man/man5/slapd.conf.5
-+++ b/doc/man/man5/slapd.conf.5
-@@ -1153,6 +1153,13 @@ are not used.
- When using Mozilla NSS these parameters are always generated randomly
- so this directive is ignored.
- .TP
-+.B TLSECName
-+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-+ephemeral key exchange. This is required to enable ECDHE algorithms in
-+OpenSSL. This option is not used with GnuTLS; the curves may be
-+chosen in the GnuTLS ciphersuite specification. This option is also
-+ignored for Mozilla NSS.
-+.TP
- .B TLSProtocolMin [.]
- Specifies minimum SSL/TLS protocol version that will be negotiated.
- If the server doesn't support at least that version,
-diff --git a/include/ldap.h b/include/ldap.h
-index c245651c2..0964a193e 100644
---- a/include/ldap.h
-+++ b/include/ldap.h
-@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
- #define LDAP_OPT_X_TLS_NEWCTX 0x600f
- #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
- #define LDAP_OPT_X_TLS_PACKAGE 0x6011
-+#define LDAP_OPT_X_TLS_ECNAME 0x6012
-
- #define LDAP_OPT_X_TLS_NEVER 0
- #define LDAP_OPT_X_TLS_HARD 1
-diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
-index 66e04ae80..db7193f4f 100644
---- a/libraries/libldap/ldap-int.h
-+++ b/libraries/libldap/ldap-int.h
-@@ -165,6 +165,7 @@ struct ldaptls {
- char *lt_ciphersuite;
- char *lt_crlfile;
- char *lt_randfile; /* OpenSSL only */
-+ char *lt_ecname; /* OpenSSL only */
- int lt_protocol_min;
- };
- #endif
-@@ -250,6 +251,7 @@ struct ldapoptions {
- #define ldo_tls_certfile ldo_tls_info.lt_certfile
- #define ldo_tls_keyfile ldo_tls_info.lt_keyfile
- #define ldo_tls_dhfile ldo_tls_info.lt_dhfile
-+#define ldo_tls_ecname ldo_tls_info.lt_ecname
- #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
- #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
- #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
-diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
-index d25c190ea..0451b01af 100644
---- a/libraries/libldap/tls2.c
-+++ b/libraries/libldap/tls2.c
-@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
- LDAP_FREE( lo->ldo_tls_dhfile );
- lo->ldo_tls_dhfile = NULL;
- }
-+ if ( lo->ldo_tls_ecname ) {
-+ LDAP_FREE( lo->ldo_tls_ecname );
-+ lo->ldo_tls_ecname = NULL;
-+ }
- if ( lo->ldo_tls_cacertfile ) {
- LDAP_FREE( lo->ldo_tls_cacertfile );
- lo->ldo_tls_cacertfile = NULL;
-@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
- lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
- __atoe( lts.lt_dhfile );
- }
-+ if ( lts.lt_ecname ) {
-+ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
-+ __atoe( lts.lt_ecname );
-+ }
- #endif
- lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
- if ( lo->ldo_tls_ctx == NULL ) {
-@@ -257,6 +265,7 @@ error_exit:
- LDAP_FREE( lts.lt_crlfile );
- LDAP_FREE( lts.lt_cacertdir );
- LDAP_FREE( lts.lt_dhfile );
-+ LDAP_FREE( lts.lt_ecname );
- #endif
- return rc;
- }
-@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
- *(char **)arg = lo->ldo_tls_dhfile ?
- LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
- break;
-+ case LDAP_OPT_X_TLS_ECNAME:
-+ *(char **)arg = lo->ldo_tls_ecname ?
-+ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
-+ break;
- case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
- *(char **)arg = lo->ldo_tls_crlfile ?
- LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
-@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
- if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
- lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
- return 0;
-+ case LDAP_OPT_X_TLS_ECNAME:
-+ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
-+ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
-+ return 0;
- case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
- if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
- lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index f24060b7e..1370923af 100644
---- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- return -1;
- }
-
-- if ( lo->ldo_tls_dhfile ) {
-- DH *dh = NULL;
-+ if ( is_server && lo->ldo_tls_dhfile ) {
-+ DH *dh;
- BIO *bio;
-- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
-
- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
- Debug( LDAP_DEBUG_ANY,
-@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- }
- BIO_free( bio );
- SSL_CTX_set_tmp_dh( ctx, dh );
-+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
-+ DH_free( dh );
-+ }
-+
-+#ifdef SSL_OP_SINGLE_ECDH_USE
-+ if ( is_server && lo->ldo_tls_ecname ) {
-+ EC_KEY *ecdh;
-+
-+ int nid = OBJ_sn2nid( lt->lt_ecname );
-+ if ( nid == NID_undef ) {
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: could not use EC name `%s'.\n",
-+ lo->ldo_tls_ecname,0,0);
-+ tlso_report_error();
-+ return -1;
-+ }
-+ ecdh = EC_KEY_new_by_curve_name( nid );
-+ if ( ecdh == NULL ) {
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: could not generate key for EC name `%s'.\n",
-+ lo->ldo_tls_ecname,0,0);
-+ tlso_report_error();
-+ return -1;
-+ }
-+ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
-+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
-+ EC_KEY_free( ecdh );
- }
-+#endif
-
- if ( tlso_opt_trace ) {
- SSL_CTX_set_info_callback( ctx, tlso_info_cb );
-diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
-index 250f14100..8b1e4e582 100644
---- a/servers/slapd/bconfig.c
-+++ b/servers/slapd/bconfig.c
-@@ -194,6 +194,7 @@ enum {
- CFG_ACL_ADD,
- CFG_SYNC_SUBENTRY,
- CFG_LTHREADS,
-+ CFG_TLS_ECNAME,
-
- CFG_LAST
- };
-@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
- #endif
- "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
- "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
-+ { "TLSECName", NULL, 2, 2, 0,
-+#ifdef HAVE_TLS
-+ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
-+#else
-+ ARG_IGNORED, NULL,
-+#endif
-+ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
-+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- { "TLSProtocolMin", NULL, 2, 2, 0,
- #ifdef HAVE_TLS
- CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
-@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
- "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
- "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
- "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
-- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
-+ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
- "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
- "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
- "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
-@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
- case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
- case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
- case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
-+ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
- #ifdef HAVE_GNUTLS
- case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
- #endif
diff --git a/openldap-openssl-ITS7595-Add-EC-support-2.patch b/openldap-openssl-ITS7595-Add-EC-support-2.patch
deleted file mode 100644
index 6c28f3f..0000000
--- a/openldap-openssl-ITS7595-Add-EC-support-2.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-ITS#7595 don't try to use EC if OpenSSL lacks it
-
-Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
-Author: Howard Chu
-Date: Sun Sep 8 06:32:23 2013 -0700
-
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index 1a81bc625..71c2b055c 100644
---- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- DH_free( dh );
- }
-
--#ifdef SSL_OP_SINGLE_ECDH_USE
- if ( is_server && lo->ldo_tls_ecname ) {
-+#ifdef OPENSSL_NO_EC
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
-+ return -1;
-+#else
- EC_KEY *ecdh;
-
- int nid = OBJ_sn2nid( lt->lt_ecname );
-@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- SSL_CTX_set_tmp_ecdh( ctx, ecdh );
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
- EC_KEY_free( ecdh );
-- }
- #endif
-+ }
-
- if ( tlso_opt_trace ) {
- SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/openldap.spec b/openldap.spec
index 7f799ff..26d5e5c 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -4,8 +4,8 @@
 %global check_password_version 1.1
 
 Name: openldap
-Version: 2.4.47
-Release: 5%{?dist}
+Version: 2.4.50
+Release: 1%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
@@ -32,11 +32,8 @@ Patch17: openldap-allop-overlay.patch
 # the proper fix is to link all perl modules against libperl
 # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
-# ldapi sasl fix pending upstream inclusion
-Patch20: openldap-ldapi-sasl.patch
-Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
-Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
 Patch24: openldap-openssl-manpage-defaultCA.patch
+Patch25: openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
@@ -113,10 +110,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch5 -p1
 %patch17 -p1
 %patch19 -p1
-%patch20 -p1
-%patch22 -p1
-%patch23 -p1
 %patch24 -p1
+%patch25 -p1
 
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -486,6 +481,9 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Wed Jun 17 2020 Matus Honek - 2.4.50-1
+- Rebase to version 2.4.50 (#1742285)
+
 * Tue Jun 16 2020 Tom Stellard - 2.4.47-5
 - Spec file cleanups
 - Add BuildRequres: gcc [1]
diff --git a/sources b/sources
index 7ad4ad1..8b790c5 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (ltb-project-openldap-ppolicy-check-password-1.1.tar.gz) = f3384a164ce5db488908cf6380bad8500b800b09d12a8f04e1b6ccb6f6af6ab3971fcdbe4acca7a1b6d16b408a11065c2b1ab2497863fe07d3c28262b0f6776e
-SHA512 (openldap-2.4.47.tgz) = d424079e34207e3d24383a2bea70a07ded40714982a6767174d2b2cb208cd94feab5ef12157accae915b8e404e5773a7547aaef65f06b44dc3cc09c6a64d5a11
+SHA512 (openldap-2.4.50.tgz) = f528043ff9de36f7b65d8816c9a9c24f0ac400041b2969965178ee6eae62c92a11af33a0a883e4954e5fff98a0738a9f9aa2faf5b385d21974754e045aab31ae
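Review bot: The new `Patch25:` line in the Patch list hunk carries no provenance comment, unlike the neighbouring entries (the deleted Patch20 had `# ldapi sasl fix pending upstream inclusion`), so the next rebase has to open the file to learn it is a backport; a line such as `# ITS#8650 - Fix Debug usage to follow RE24 format, backport of upstream 85fc8974 (drop once the rebase target includes it)` directly above `Patch25:` would fix that. The same hunk drops Patch20, Patch22 and Patch23 while the changelog entry in the last openldap.spec hunk only says "Rebase to version 2.4.50", so the commit does not record whether 2.4.50 carries equivalents of those fixes; if the LDAPI SASL hostname change from the deleted openldap-ldapi-sasl.patch is not upstream, SASL binds over ldapi:// would lose it silently. A changelog line such as `- Drop ldapi-sasl and ITS#7595 EC patches, included upstream` (only if that has been verified against the 2.4.50 tree) would make the dropped behaviour visible to whoever later bisects a regression.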