From 95f81a9eb2a62982e9437871d8d9aae02a6c9837 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 03 2016 06:02:07 +0000
Subject: import openldap-2.4.40-13.el7
---
diff --git a/SOURCES/check-password-loglevels.patch b/SOURCES/check-password-loglevels.patch
new file mode 100644
index 0000000..e8ddea7
--- /dev/null
+++ b/SOURCES/check-password-loglevels.patch
@@ -0,0 +1,124 @@ +Correct log levels in check_password module. + +Author: Matus Honek +Resolves: #1356158 + +diff --git a/check_password.c b/check_password.c +--- a/check_password.c ++++ b/check_password.c +@@ -108,7 +108,7 @@ char* chomp(char *s) + static int set_quality (char *value) + { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value); ++ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value); + #endif + + /* No need to require more quality than we can check for. */ +@@ -120,7 +120,7 @@ static int set_quality (char *value) + static int set_cracklib (char *value) + { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value); ++ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value); + #endif + + +@@ -131,7 +131,7 @@ static int set_cracklib (char *value) + static int set_digit (char *value) + { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value); ++ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value); + #endif + if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0; + return (int) (value[0] - '0'); +@@ -152,14 +152,14 @@ static validator valid_word (char *word) + int index = 0; + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word); ++ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word); + #endif + + while (list[index].parameter != NULL) { + if (strlen(word) == strlen(list[index].parameter) && + strcmp(list[index].parameter, word) == 0) { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Parameter accepted."); ++ syslog(LOG_DEBUG, "check_password: Parameter accepted."); + #endif + return list[index].dealer; + } +@@ -167,7 +167,7 @@ static validator valid_word (char *word) + } + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Parameter rejected."); ++ syslog(LOG_DEBUG, "check_password: Parameter 
rejected."); + #endif + + return NULL; +@@ -203,7 +203,7 @@ static int read_config_file () + + #if defined(DEBUG) + /* Debug traces to syslog. */ +- syslog(LOG_NOTICE, "check_password: Got line |%s|", line); ++ syslog(LOG_DEBUG, "check_password: Got line |%s|", line); + #endif + + while (isspace(*start) && isascii(*start)) start++; +@@ -212,7 +212,7 @@ static int read_config_file () + if ( ispunct(*start)) { + #if defined(DEBUG) + /* Debug traces to syslog. */ +- syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); ++ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line); + #endif + continue; + } +@@ -227,7 +227,7 @@ static int read_config_file () + if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); ++ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value); + #endif + + centry[i].value = chomp(value); +@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nLower && (minLower < 1)) { + nLower = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality); ++ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality); + #endif + } + continue; +@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nUpper && (minUpper < 1)) { + nUpper = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality); ++ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality); + #endif + } + continue; +@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nDigit && (minDigit < 1)) { + nDigit = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality); ++ 
syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality); + #endif + } + continue; +@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nPunct && (minPunct < 1)) { + nPunct = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality); ++ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality); + #endif + } + continue; diff --git a/SOURCES/libexec-convert-config.sh b/SOURCES/libexec-convert-config.sh index ca9884f..824c3b1 100755 --- a/SOURCES/libexec-convert-config.sh +++ b/SOURCES/libexec-convert-config.sh @@ -52,7 +52,7 @@ fi tmp_convert=`mktemp --tmpdir=/var/run/openldap` if [ `id -u` -eq 0 ]; then - install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert else @@ -61,7 +61,7 @@ if [ `id -u` -eq 0 ]; then retcode=$? else error "You are not root! Permission will not be set." - install -d --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert else diff --git a/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch b/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch new file mode 100644 index 0000000..26ece7d --- /dev/null +++ b/SOURCES/openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch 
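Review bot: The patch header says only "Correct log levels", yet the hunks apply two different levels — the set_quality, set_cracklib and set_digit traces move to LOG_INFO while every other trace (valid_word, read_config_file, check_password) moves to LOG_DEBUG — and nothing explains the split; the header should state the rule, e.g. `Configuration setters trace at LOG_INFO; line parsing and per-character quality tracing at LOG_DEBUG.` Every changed call sits inside `#if defined(DEBUG)`, so a build without DEBUG is unaffected, which is worth saying as well since the spec changelog entry ("Bad log levels in check_password module") reads like a production fix. The functions valid_word, read_config_file and check_password continue outside their hunks.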
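Review bot: Widening slapd.d from 0700 to 0750 in both hunks (`@@ -52` and `@@ -61`) makes the converted cn=config tree readable by the directory's group, and the two hunks choose that group differently: the root branch sets `--group `id -g $SLAPD_USER``, while the non-root branch's `install -d --mode 0750 "$SLAPD_CONFIG_DIR"` leaves the directory in the invoking user's primary group, so whoever runs the conversion unprivileged decides who can read configuration that can include credentials such as olcRootPW. Either pass an explicit group in the second hunk too or keep it owner-only there: `install -d --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert`. The spec applies the same 0750 in its `install -m 0750 -d ... slapd.d` line; if the intent is group-read for the ldap group only, the #1255433 changelog line should say so.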
@@ -0,0 +1,28 @@
+commit aa66d539543de0ad884f1b8e38948ecd946bf47a
+Author: Howard Chu
+Date: Mon Dec 15 14:36:55 2014 +0000
+
+ ITS#8003 fix off-by-one in LDIF length
+
+ must account for leading space when counting total number of lines
+
+diff --git a/include/ldif.h b/include/ldif.h
+index f638ef9..69bb0c9 100644
+--- a/include/ldif.h
++++ b/include/ldif.h
+@@ -52,12 +52,12 @@ LDAP_LDIF_V (int) ldif_debug;
+ */
+ #define LDIF_SIZE_NEEDED(nlen,vlen) \
+ ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
+- + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / LDIF_LINE_WIDTH * 2 ))
++ + ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (LDIF_LINE_WIDTH-1) * 2 ))
+
+ #define LDIF_SIZE_NEEDED_WRAP(nlen,vlen,wrap) \
+ ((nlen) + 4 + LDIF_BASE64_LEN(vlen) \
+- + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH ) * 2 ) : \
+- ((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap) * 2 ))))
++ + ((wrap) == 0 ? ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / ( LDIF_LINE_WIDTH-1 ) * 2 ) : \
++ ((wrap) == LDIF_LINE_WIDTH_MAX ? 0 : ((LDIF_BASE64_LEN(vlen) + (nlen) + 3) / (wrap-1) * 2 ))))
+
+ LDAP_LDIF_F( int )
+ ldif_parse_line LDAP_P((
diff --git a/SOURCES/openldap-ITS8329-back_sql-id_query.patch b/SOURCES/openldap-ITS8329-back_sql-id_query.patch
new file mode 100644
index 0000000..cf05c96
--- /dev/null
+++ b/SOURCES/openldap-ITS8329-back_sql-id_query.patch
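Review bot: In the new LDIF_SIZE_NEEDED_WRAP expansion the macro argument is used unparenthesised in `(wrap-1)`, unlike every other use of it in the same macro (`(wrap) == 0`, `(wrap) == LDIF_LINE_WIDTH_MAX`); an argument such as `a ? b : c` would bind as `a ? b : c-1`, so keep the hygiene: `... / ((wrap)-1) * 2 ))))`. The new divisor is also zero for `wrap == 1`; what values callers pass for wrap is not visible here, so confirm that 1 is rejected earlier or guard it. Since this is a verbatim upstream backport (commit aa66d539), the hygiene fix is better carried as a separate follow-up patch than as an edit to the vendored one.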
@@ -0,0 +1,27 @@
+fix: id_query option is not available after rebasing openldap to 2.4.39
+Resolves: rhbz#1311832
+Upstream: ITS#8329
+diff --git a/servers/slapd/back-sql/config.c b/servers/slapd/back-sql/config.c
+--- a/servers/slapd/back-sql/config.c
++++ b/servers/slapd/back-sql/config.c
+@@ -213,6 +213,11 @@ static ConfigTable sqlcfg[] = {
+ ARG_ON_OFF|ARG_MAGIC|SQL_AUTOCOMMIT, (void *)sql_cf_gen,
+ "( OLcfgDbAt:6.45 NAME 'olcSqlAutocommit' "
+ "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
++ { "id_query", "SQL expression", 2, 0, 0, ARG_STRING|ARG_QUOTE|ARG_OFFSET,
++ (void *)offsetof(struct backsql_info, sql_id_query),
++ "( OLcfgDbAt:6.46 NAME 'olcSqlIdQuery' "
++ "DESC 'Query used to collect entryID mapping data' "
++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { NULL, NULL, 0, 0, 0, ARG_IGNORED,
+ NULL, NULL, NULL, NULL }
+ };
+@@ -233,7 +238,7 @@ static ConfigOCs sqlocs[] = {
+ "olcSqlFailIfNoMapping $ olcSqlAllowOrphans $ olcSqlBaseObject $ "
+ "olcSqlLayer $ olcSqlUseSubtreeShortcut $ olcSqlFetchAllAttrs $ "
+ "olcSqlFetchAttrs $ olcSqlCheckSchema $ olcSqlAliasingKeyword $ "
+- "olcSqlAliasingQuote $ olcSqlAutocommit ) )",
++ "olcSqlAliasingQuote $ olcSqlAutocommit $ olcSqlIdQuery ) )",
+ Cft_Database, sqlcfg },
+ { NULL, Cft_Abstract, NULL }
+ };
diff --git a/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch b/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
new file mode 100644
index 0000000..76cc3fd
--- /dev/null
+++ b/SOURCES/openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
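Review bot: The header cites `Upstream: ITS#8329` but, unlike the other ITS backports in this import (ITS8003, ITS8337, ITS8428), names no upstream commit, and the new table entry's `offsetof(struct backsql_info, sql_id_query)` presumes that member already exists in this tree, which the patch does not show. State both in the header, e.g. `Backport of upstream ITS#8329 commit <UPSTREAM_COMMIT_ID>; struct backsql_info already carries sql_id_query in 2.4.40, only the config-table entry was lost.` If the member were missing the build would fail rather than misbehave, so this is a documentation point only.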
@@ -0,0 +1,21 @@
+commit 901fe3318f1c4ea7adac45f906d5447d71e43f8a
+Author: Howard Chu
+Date: Sat Dec 12 16:14:02 2015 +0000
+
+ ITS#8337 fix missing olcDbChecksum config attr
+
+diff --git a/servers/slapd/back-bdb/config.c b/servers/slapd/back-bdb/config.c
+index e07381f..a5b5888 100644
+--- a/servers/slapd/back-bdb/config.c
++++ b/servers/slapd/back-bdb/config.c
+@@ -163,8 +163,8 @@ static ConfigOCs bdbocs[] = {
+ #endif
+ "SUP olcDatabaseConfig "
+ "MUST olcDbDirectory "
+- "MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ "
+- "olcDbCryptFile $ olcDbCryptKey $ "
++ "MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbChecksum $ "
++ "olcDbConfig $ olcDbCryptFile $ olcDbCryptKey $ "
+ "olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ "
+ "olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ "
+ "olcDbMode $ olcDbSearchStack $ olcDbShmKey $ "
diff --git a/SOURCES/openldap-ITS8428-init-sc_writewait.patch b/SOURCES/openldap-ITS8428-init-sc_writewait.patch
new file mode 100644
index 0000000..a1af400
--- /dev/null
+++ b/SOURCES/openldap-ITS8428-init-sc_writewait.patch
@@ -0,0 +1,21 @@
+Backport upstream fix for a crash in back-relay when doing do_search.
+RHBZ: #1316450
+
+commit 2e60bf5ed00c1a8794131f53a6c72a78c0766e21
+Author: Howard Chu
+Date: Wed May 18 12:30:31 2016 +0100
+
+ ITS#8428 init sc_writewait
+
+diff --git a/servers/slapd/back-relay/op.c b/servers/slapd/back-relay/op.c
+index 4fdc08a..f7c1fee 100644
+--- a/servers/slapd/back-relay/op.c
++++ b/servers/slapd/back-relay/op.c
+@@ -97,6 +97,7 @@ relay_back_response_cb( Operation *op, SlapReply *rs )
+ (rcb)->rcb_sc.sc_next = (op)->o_callback; \
+ (rcb)->rcb_sc.sc_response = relay_back_response_cb; \
+ (rcb)->rcb_sc.sc_cleanup = 0; \
++ (rcb)->rcb_sc.sc_writewait = 0; \
+ (rcb)->rcb_sc.sc_private = (op)->o_bd; \
+ (op)->o_callback = (slap_callback *) (rcb); \
+ }
diff --git a/SOURCES/openldap-allop-overlay.patch b/SOURCES/openldap-allop-overlay.patch
new file mode 100644
index 0000000..8281bd0
--- /dev/null
+++ b/SOURCES/openldap-allop-overlay.patch
@@ -0,0 +1,40 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek
+Resolves: #990893
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ translucent.c \
+ unique.c \
+ valsort.c \
+- smbk5pwd.c
++ smbk5pwd.c \
++ allop.c
+ OBJS = statover.o \
+ @SLAPD_STATIC_OVERLAYS@ \
+ overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ smbk5pwd.la : smbk5pwd.lo
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
++allop.lo : allop.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local: $(PROGRAMS)
+ @if test -n "$?" ; then \
+ $(MKDIR) $(DESTDIR)$(moduledir); \
diff --git a/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch b/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch
new file mode 100644
index 0000000..641ecb1
--- /dev/null
+++ b/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch
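Review bot: The new `allop.lo` rule compiles with `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags)` and `allop.la` links `$(shell pkg-config openssl --libs)`, which are the smbk5pwd rule's flags copied verbatim; nothing in this patch shows allop needing Samba or OpenSSL, so the overlay presumably gets a spurious OpenSSL link dependency and defines it never reads. Suggest the plain form used by the sha2 patch later in this import: `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`. `$(shell ...)` is a GNU make extension inside an autoconf Makefile.in; it is pre-existing for smbk5pwd, so only worth a comment if portability matters.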
@@ -0,0 +1,17 @@
+Correct key pointer usage in bdb_idl_fetch_key.
+
+Author: Shogo Matsumoto
+Resolves: #1356165
+
+diff --git a/servers/slapd/back-bdb/idl.c b/servers/slapd/back-bdb/idl.c
+--- a/servers/slapd/back-bdb/idl.c
++++ b/servers/slapd/back-bdb/idl.c
+@@ -628,7 +628,7 @@ bdb_idl_fetch_key(
+ BDB_DISK2ID( j, i );
+ }
+ }
+- rc = cursor->c_get( cursor, key, &data, flags | DB_NEXT_DUP );
++ rc = cursor->c_get( cursor, kptr, &data, flags | DB_NEXT_DUP );
+ }
+ if ( rc == DB_NOTFOUND ) rc = 0;
+ ids[0] = i - ids;
diff --git a/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch b/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch
new file mode 100644
index 0000000..f7ff064
--- /dev/null
+++ b/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch
@@ -0,0 +1,24 @@
+A mutex lock might not get unlocked when plausible
+
+In the preceding if-statement a mutex may get locked. This is unlocked on
+'done' label, but not called when plausible. Based on the current code logic
+this seems to not be able to happen, but might when code gets changed at
+some point in time. This patch fixes the issue.
+
+The issue was found by Coverity scan
+http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/11054/38577/
+
+Author: Matus Honek
+Resolves: #1261003
+
+--- a/servers/slapd/overlays/accesslog.c
++++ b/servers/slapd/overlays/accesslog.c
+@@ -1519,7 +1519,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
+
+ /* ignore these internal reads */
+ if (( lo->mask & LOG_OP_READS ) && op->o_do_not_cache ) {
+- return SLAP_CB_CONTINUE;
++ goto done;
+ }
+
+ if ( li->li_success && rs->sr_err != LDAP_SUCCESS )
diff --git a/SOURCES/openldap-module-passwd-sha2.patch b/SOURCES/openldap-module-passwd-sha2.patch
new file mode 100644
index 0000000..864607d
--- /dev/null
+++ b/SOURCES/openldap-module-passwd-sha2.patch
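Review bot: Replacing `return SLAP_CB_CONTINUE;` with `goto done;` keeps the callback's result only if the code at the `done:` label returns SLAP_CB_CONTINUE for this path; the label and its return are outside the hunk (accesslog_response continues past it), so that should be confirmed rather than taken from the description. The description justifies the change with an internal Coverity URL (cov01.lab.eng.brq.redhat.com) that reviewers outside that network cannot open, and never says which mutex is at stake; name it in the header, e.g. `The <mutex name> taken in the preceding if-block is released only at the done: label, so the early return skipped the unlock.`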
@@ -0,0 +1,42 @@ +Include sha2 module + +Author: Matus Honek + +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -35,7 +35,8 @@ SRCS = overlays.c \ + unique.c \ + valsort.c \ + smbk5pwd.c \ +- allop.c ++ allop.c \ ++ sha2.c slapd-sha2.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -55,7 +56,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la + + XINCPATH = -I.. -I$(srcdir)/.. + XDEFS = $(MODULES_CPPFLAGS) +@@ -139,6 +140,15 @@ allop.lo : allop.c + allop.la : allop.lo + $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + ++sha2.lo : sha2.c ++ $(LTCOMPILE_MOD) $< ++ ++slapd-sha2.lo : slapd-sha2.c ++ $(LTCOMPILE_MOD) $< ++ ++pw-sha2.la : sha2.lo slapd-sha2.lo ++ $(LTLINK_MOD) -module -o $@ $? version.lo $(LINK_LIBS) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ diff --git a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch index 247085c..75832da 100644 --- a/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch +++ b/SOURCES/openldap-nss-ciphersuite-handle-masks-correctly.patch @@ -82,17 +82,18 @@ 
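Review bot: The new link rule `pw-sha2.la : sha2.lo slapd-sha2.lo` hands `$?` to the linker, which expands to only the prerequisites newer than the target; on an incremental rebuild where just one of the two objects changed, the module is relinked from that single object and the other's symbols vanish. Use the full list: `$(LTLINK_MOD) -module -o $@ sha2.lo slapd-sha2.lo version.lo $(LINK_LIBS)`. A clean package build is unaffected, which is why this passes in the build system.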
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c break; } -@@ -654,7 +665,9 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -654,7 +665,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) } } else { int mask = 0; + int multi_mask = 0; ++ int negative_mask = 0; int strength = 0; + int multi_strength = 0; int protocol = 0; char *c; -@@ -665,16 +678,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -665,16 +678,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) *c++ = '\0'; } @@ -100,11 +101,9 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c - mask |= SSL_RSA; + if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) { + mask |= SSL_kRSA; -+ } if (!strcmp(cipher, "aRSA")) { -+ if (!(mask & SSL_kECDH)) //kECDH means no aRSA -+ mask |= SSL_aRSA; -+ else if (mask & SSL_kECDHE) //kECDH and aRSA means kECDHE -+ mask |= SSL_kECDHE|SSL_aRSA; ++ } else if (!strcmp(cipher, "aRSA")) { ++ mask |= SSL_aRSA; ++ negative_mask |= SSL_kECDH; } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { mask |= SSL_eNULL; } else if (!strcmp(cipher, "AES128")) { @@ -119,7 +118,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c } else if (!strcmp(cipher, "3DES")) { mask |= SSL_3DES; } else if (!strcmp(cipher, "DES")) { -@@ -685,27 +705,42 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -685,28 +705,43 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) mask |= SSL_RC2; } else if (!strcmp(cipher, "MD5")) { mask |= SSL_MD5; @@ -131,7 +130,8 @@ 
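Review bot: The new `aRSA` branch records `negative_mask |= SSL_kECDH`, and the `ECDSA`/`aECDSA` branch in the hunk ending at `protocol |= SSL2;` does the same, but the code that applies `negative_mask` when walking the cipher table is not in this excerpt — the page is cut after `for (i=0; i` — so it cannot be checked here that a table entry is excluded when any `negative_mask` bit is set on it, which is what the `kECDHr`/`kECDH` rewrite in the later hunk now depends on. The variable is declared without explanation in the first hunk; add one there: `/* attributes a matching cipher must NOT carry (e.g. aRSA excludes fixed ECDH) */`. nss_parse_ciphers begins and ends outside these hunks.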
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + mask |= SSL_SHA384; + } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { + mask |= SSL_SHA1; - } else if (!strcmp(cipher, "EDH")) { +- } else if (!strcmp(cipher, "EDH")) { ++ } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) { mask |= SSL_kEDH; - } else if (!strcmp(cipher, "DSS")) { + } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) { @@ -151,8 +151,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + } else if (!strcmp(cipher, "kECDHr")) { + mask |= SSL_kECDH|SSL_aRSA; + } else if (!strcmp(cipher, "kECDH")) { -+ if (!(mask & SSL_aRSA)) //kECDH does not use aRSA -+ mask |= SSL_kECDH; ++ mask |= SSL_kECDH; + } else if (!strcmp(cipher, "aECDH")) { mask |= SSL_kECDH; + } else if (!strcmp(cipher, "EECDH")) { @@ -166,8 +165,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + multi_mask |= SSL_ECDH; + } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) { mask |= SSL_aECDSA; ++ negative_mask |= SSL_kECDH; } else if (!strcmp(cipher, "SSLv2")) { protocol |= SSL2; + } else if (!strcmp(cipher, "SSLv3")) { @@ -721,12 +756,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) strength |= SSL_MEDIUM; } else if (!strcmp(cipher, "LOW")) { @@ -183,7 +184,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c } if (c) -@@ -734,23 +769,37 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -734,23 +769,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) } /* while */ @@ -196,7 +197,7 @@ 
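Review bot: The new `DH` alias is mapped onto SSL_kEDH, i.e. treated as a synonym of `EDH`; in OpenSSL's ciphers(1) `DH` covers all DH key exchange (fixed, ephemeral and anonymous) while `EDH` is ephemeral only, so the patch narrows the alias even though the changelog states the goal is to "match OpenSSL ciphers man page". That is probably harmless for NSS, whose table on this page only ever pairs DH with SSL_kEDH, but the narrowing deserves a comment on the new line: `/* NSS has no fixed-DH suites, so DH is the same set as EDH here */`.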
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + * if more than one mask is provided then AND logic applies (to match openssl) */ - if (mask || strength || protocol) { -+ if (mask || multi_mask || strength || multi_strength || protocol) { ++ if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) { for (i=0; i +RHBZ: #1249093 + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg ) + } + } + +- /* +- * Set the SSL version range. MozNSS SSL versions are the same as openldap's: +- * +- * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_* +- */ +- SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */ +- range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min; +- variant = ssl_variant_stream; +- SSL_VersionRangeSetDefault(variant, &range); +- + NSS_SetDomesticPolicy(); + + PK11_SetPasswordFunc( tlsm_pin_prompt ); +@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg ) + 0, 0, 0 ); + return -1; + } ++ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) { ++ SSLVersionRange supported_range, default_range, selected_range; ++ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n", ++ 0, 0, 0 ); ++ return -1; ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n", ++ supported_range.min, supported_range.max, 0); ++ } ++ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n", ++ 0, 0, 0 ); ++ return -1; ++ } else { ++ Debug( 
LDAP_DEBUG_ANY, ++ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n", ++ default_range.min, default_range.max, 0); ++ } ++ selected_range.min = lt->lt_protocol_min; ++ selected_range.max = supported_range.max; ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: info: TLS configured protocol minimal version is %#04x.\n", ++ selected_range.min, selected_range.max, 0); ++ if ( (selected_range.min > supported_range.max) || ++ (selected_range.max < supported_range.min) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: error: selected protocol version range out of NSS-supported version range.\n", ++ 0, 0, 0); ++ return -1; ++ } else { ++ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n", ++ 0, 0, 0); ++ return -1; ++ } ++ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n", ++ 0, 0, 0); ++ return -1; ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n", ++ selected_range.min, selected_range.max, 0); ++ } ++ } ++ } + + if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) { + Debug( LDAP_DEBUG_ANY, diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch index 7b8510c..d0d7ae6 100644 --- a/SOURCES/openldap-nss-update-list-of-ciphers.patch +++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch @@ -201,7 +201,7 @@ 
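Review bot: The new block in tlsm_deferred_ctx_init assigns `selected_range.min = lt->lt_protocol_min` straight into an NSS SSLVersionRange, which is only right because the LDAP_OPT_X_TLS_PROTOCOL_* values equal NSS's SSL_LIBRARY_VERSION_* values — and the comment stating that equivalence is exactly what the first hunk deletes from tlsm_deferred_init, so carry it over: `/* LDAP_OPT_X_TLS_PROTOCOL_* values are numerically identical to NSS SSL_LIBRARY_VERSION_* */`. The range check tests `selected_range.max < supported_range.min`, which cannot hold since max was just copied from supported_range.max, but does not test `selected_range.min < supported_range.min`; that case falls through to SSL_VersionRangeSet, whose failure returns -1, so a configured minimum below what NSS supports aborts context init instead of being raised to the supported minimum — if intended, say so in that error message. All the "info:" Debug calls use LDAP_DEBUG_ANY and therefore print unconditionally; the two that only echo the supported and default ranges belong at LDAP_DEBUG_TRACE, and the "configured protocol minimal version" call passes `selected_range.max` to a format with a single conversion.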
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, + {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH}, + {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ //{"DHE-DSS-AES128-GCM-SHA384", TLS_DHE_DSS_WITH_AES_128_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, ++ {"DHE-DSS-AES256-GCM-SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, + + {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, + {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, diff --git a/SOURCES/openldap-ppolicy-loglevels.patch b/SOURCES/openldap-ppolicy-loglevels.patch new file mode 100644 index 0000000..4e17409 --- /dev/null +++ b/SOURCES/openldap-ppolicy-loglevels.patch 
@@ -0,0 +1,35 @@
+Correct log levels in ppolicy overlay.
+
+Author: Matus Honek
+Resolves: #1356158
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -643,7 +643,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ if ((mod = lt_dlopen( pp->pwdCheckModule )) == NULL) {
+ err = lt_dlerror();
+
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ "check_password_quality: lt_dlopen failed: (%s) %s.\n",
+ pp->pwdCheckModule, err, 0 );
+ ok = LDAP_OTHER; /* internal error */
+@@ -658,7 +658,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ if ((prog = lt_dlsym( mod, "check_password" )) == NULL) {
+ err = lt_dlerror();
+
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ "check_password_quality: lt_dlsym failed: (%s) %s.\n",
+ pp->pwdCheckModule, err, 0 );
+ ok = LDAP_OTHER;
+@@ -667,7 +667,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ ok = prog( ptr, txt, e );
+ ldap_pvt_thread_mutex_unlock( &chk_syntax_mutex );
+ if (ok != LDAP_SUCCESS) {
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ "check_password_quality: module error: (%s) %s.[%d]\n",
+ pp->pwdCheckModule, *txt ? *txt : "", ok );
+ }
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
index 4a76c2f..8a3a722 100644
--- a/SOURCES/slapd.service
+++ b/SOURCES/slapd.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=OpenLDAP Server Daemon
-After=syslog.target NetworkManager-wait-online.service
+After=syslog.target network-online.target
 Documentation=man:slapd
 Documentation=man:slapd-config
 Documentation=man:slapd-hdb
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index fd4c622..f1bbe23 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
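Review bot: `After=network-online.target` by itself only orders slapd relative to the target and does not pull the target in; systemd's documentation for network-online.target says a unit that needs the network up must combine it with `Wants=network-online.target`, otherwise the target may never be activated and the ordering is a no-op, leaving #1315958 ("slapd fails to start on boot") fixed only on hosts where something else already wants the target. Add `Wants=network-online.target` to the [Unit] section next to the new After= line. Switching away from NetworkManager-wait-online.service to the generic target is the right direction, since the old value tied the unit to one network manager.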
@@ -5,7 +5,7 @@
 Name: openldap
 Version: 2.4.40
-Release: 9%{?dist}
+Release: 13%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -26,11 +26,13 @@ Source55: libexec-generate-server-cert.sh
 # patches for 2.4
 Patch0: openldap-manpages.patch
+Patch1: openldap-ppolicy-loglevels.patch
 Patch2: openldap-sql-linking.patch
 Patch3: openldap-reentrant-gethostby.patch
 Patch4: openldap-smbk5pwd-overlay.patch
 Patch5: openldap-ldaprc-currentdir.patch
 Patch6: openldap-userconfig-setgid.patch
+Patch7: openldap-allop-overlay.patch
 Patch8: openldap-syncrepl-unset-tls-options.patch
 Patch9: openldap-man-sasl-nocanon.patch
 Patch10: openldap-ai-addrconfig.patch
@@ -49,8 +51,11 @@ Patch18: openldap-ssl-deadlock-revert.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
+# coverity - missin_unlock in servers/slapd/overlays/accesslog.c
+Patch21: openldap-missing-unlock-in-accesslog-overlay.patch
 # upstreamed, ITS #7979
 Patch22: openldap-support-tlsv1-and-later.patch
+Patch23: openldap-module-passwd-sha2.patch
 # pending upstream inclusion, ITS #7744
 Patch24: openldap-man-tls-reqcert.patch
 # already in upstream, see ITS #8105, incorporated by commits 25bbf11 and fb1bf1c
@@ -63,10 +68,20 @@ Patch28: openldap-nss-ciphers-use-nss-defaults.patch
 Patch29: openldap-ITS8240-remove-obsolete-assert.patch
 # this is a temporary fix for #1294385, it should be solved properly, backported from #1144294
 Patch30: openldap-temporary-ssl-thr-init-race.patch
+# already in upstream (2.4.41), see ITS#8003
+Patch31: openldap-ITS8003-fix-off-by-one-in-LDIF-length.patch
+# already in upstream, see ITS#8337
+Patch32: openldap-ITS8337-fix-missing-olcDbChecksum-config-attr.patch
+# ITS#8329
+Patch33: openldap-ITS8329-back_sql-id_query.patch
+Patch34: openldap-nss-protocol-version-new-api.patch
+Patch35: openldap-ITS8428-init-sc_writewait.patch
+Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
 # check-password module specific patches
 Patch90: check-password-makefile.patch
 Patch91: check-password.patch
+Patch92: check-password-loglevels.patch
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -167,11 +182,13 @@ ln -s %{_includedir}/nspr4 include/nspr
 AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch0 -p1
+%patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
@@ -185,7 +202,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch18 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
 %patch22 -p1
+%patch23 -p1
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
@@ -193,12 +212,27 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
+%patch31 -p1
+%patch32 -p1
+%patch33 -p1
+%patch34 -p1
+%patch35 -p1
+%patch36 -p1
 %patch102 -p1
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
 mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+# build allop with other overlays
+ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
+mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
+mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
+# build sha2 with other overlays
+ln -s ../../../contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} \
+ servers/slapd/overlays
+ls servers/slapd/overlays
+mv contrib/slapd-modules/passwd/sha2/README{,.sha2}
 mv servers/slapd/back-perl/README{,.back_perl}
@@ -213,6 +247,7 @@ popd
 pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
 %patch90 -p1
 %patch91 -p1
+%patch92 -p1
 popd
 %build
@@ -368,7 +403,7 @@ chmod 0644 %{buildroot}%{_libdir}/lib*.*a
 mkdir -p %{buildroot}%{_datadir}
 install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
 install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
-install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
+install -m 0750 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
@@ -578,6 +613,7 @@ exit 0
 %{_datadir}/openldap-servers/
 %{_libdir}/openldap/accesslog*
 %{_libdir}/openldap/auditlog*
+%{_libdir}/openldap/allop*
 %{_libdir}/openldap/back_dnssrv*
 %{_libdir}/openldap/back_ldap*
 %{_libdir}/openldap/back_meta*
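Review bot: `ls servers/slapd/overlays` in the %prep hunk (`@@ -193,12 +212,27 @@`) looks like a leftover debugging command: it only prints a directory listing into the build log after the sha2 `ln -s`, and nothing consumes it, so the line should go. In the same hunk `ln -s .../sha2/{sha2.{c,h},slapd-sha2.c} \` depends on brace expansion, which holds as long as %prep runs under bash, the default on this target; three plain `ln -s` lines would not depend on it. The `install -m 0750 -d .../slapd.d` change in the `@@ -368,7 +403,7 @@` hunk widens the packaged cn=config directory from owner-only to group-readable, and the group it is packaged with is not visible on this page, so confirm that the %attr for slapd.d names the ldap group and not root.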
@@ -600,6 +636,7 @@ exit 0
 %{_libdir}/openldap/retcode*
 %{_libdir}/openldap/rwm*
 %{_libdir}/openldap/seqmod*
+%{_libdir}/openldap/pw-sha2*
 %{_libdir}/openldap/smbk5pwd*
 %{_libdir}/openldap/sssvlv*
 %{_libdir}/openldap/syncprov*
@@ -636,6 +673,30 @@ exit 0
 %{_mandir}/man3/*
 %changelog
+* Wed Aug 17 2016 Matus Honek - 2.4.40-13
+- fix: Bad log levels in check_password module
+- fix: We can't search expected entries from LDAP server
+- fix: OpenLDAP ciphersuite parsing doesn't match OpenSSL ciphers man page
+ + Add TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 to list of ciphers
+ + Add DH cipher string parsing option
+ + Correct handling kECDH ciphers with aRSA or aECDSA
+
+* Fri Jul 1 2016 Matus Honek - 2.4.40-12
+- fix: slapd crash in do_search (#1316450)
+- fix: Setting olcTLSProtocolMin does not change supported protocols (#1249093)
+
+* Mon May 30 2016 Matus Honek - 2.4.40-11
+- fix: correct inconsistent slapd.d directory permissions (#1255433)
+
+* Mon May 30 2016 Matus Honek - 2.4.40-10
+- fix: slapd fails to start on boot (#1315958)
+- fix: id_query option is not available after rebasing openldap to 2.4.39 (#1311832)
+- Include sha2 module (#1292568)
+- Compile AllOp together with other overlays (#990893)
+- Missing mutex unlock in accesslog overlay (#1261003)
+- ITS#8337 fix missing olcDbChecksum config attr (#1292590)
+- ITS#8003 fix off-by-one in LDIF length (#1292619)
+
 * Mon Feb 22 2016 Matúš Honěk - 2.4.40-9
 - fix: nslcd segfaults due to incorrect mutex initialization (#1294385)