diff --git a/SOURCES/0087-Ticket-49509-Indexing-of-internationalized-matching-.patch b/SOURCES/0087-Ticket-49509-Indexing-of-internationalized-matching-.patch
new file mode 100644
index 0000000..e75f258
--- /dev/null
+++ b/SOURCES/0087-Ticket-49509-Indexing-of-internationalized-matching-.patch
@@ -0,0 +1,263 @@
+From 41a037c8310d204d21e9c3161d2015dd5177cff6 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Tue, 19 Dec 2017 11:53:13 +0100
+Subject: [PATCH] Ticket 49509 - Indexing of internationalized matching rules
+ is failing
+
+Bug Description:
+ Indexing of the internationalized matching rules tests if a
+ matching rule indexer handle or not a given OID.
+ A side effect of https://pagure.io/389-ds-base/issue/49097 is that
+ the returned indexing callbacks are lost.
+ Indeed, the indexing callbacks (and potentially others fields) were
+ stored in the temporary pblock that was memcpy to the provided
+ pblock in case of success
+
+Fix Description:
+ The fix basically restores the previous behavior but do not
+ memcpy pblock. It read/store the pblock fields that are
+ inputs/outputs of slapi_mr_indexer_create.
+
+https://pagure.io/389-ds-base/issue/49509
+
+Reviewed by: Ludwig Krispenz
+
+Platforms tested: F23
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/servers/slapd/plugin_mr.c | 202 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 148 insertions(+), 54 deletions(-)
+
+diff --git a/ldap/servers/slapd/plugin_mr.c b/ldap/servers/slapd/plugin_mr.c
+index d216d12b9..b3cd4adf0 100644
+--- a/ldap/servers/slapd/plugin_mr.c
++++ b/ldap/servers/slapd/plugin_mr.c
+@@ -145,6 +145,82 @@ plugin_mr_bind (char* oid, struct slapdplugin* plugin)
+ slapi_log_err(SLAPI_LOG_FILTER, "plugin_mr_bind", "<=\n");
+ }
+
++void
++mr_indexer_init_pb(Slapi_PBlock* src_pb, Slapi_PBlock* dst_pb)
++{
++ char* oid;
++ char *type;
++ uint32_t usage;
++ void *object;
++ IFP destroyFn;
++ IFP indexFn, indexSvFn;
++
++ /* matching rule plugin arguments */
++ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_OID, &oid);
++ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_TYPE, &type);
++ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_USAGE, &usage);
++
++ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_OID, oid);
++ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_TYPE, type);
++ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_USAGE, &usage);
++
++ /* matching rule plugin functions */
++ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
++ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
++
++ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_FN, indexFn);
++ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, indexSvFn);
++
++ /* common */
++ slapi_pblock_get(src_pb, SLAPI_PLUGIN_OBJECT, &object);
++ slapi_pblock_get(src_pb, SLAPI_PLUGIN_DESTROY_FN, &destroyFn);
++
++ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_OBJECT, object);
++ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_DESTROY_FN, destroyFn);
++
++
++}
++
++/*
++ * Retrieves the matching rule plugin able to index/sort the provided OID/type
++ *
++ * The Matching rules able to index/sort a given OID are stored in a global list: global_mr_oids
++ *
++ * The retrieval is done in 3 phases:
++ * - It first searches (in global_mr_oids) for the already bound OID->MR
++ * - Else, look first in old style MR plugin
++ * for each registered 'syntax' and 'matchingrule' plugins having a
++ * SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, it binds (plugin_mr_bind) the first
++ * plugin that support the OID
++ * - Else, look in new style MR plugin
++ * for each registered 'syntax' and 'matchingrule' plugins, it binds (plugin_mr_bind) the first
++ * plugin that contains OID in its plg_mr_names
++ *
++ * Inputs:
++ * SLAPI_PLUGIN_MR_OID
++ * should contain the OID of the matching rule that you want used for indexing or sorting.
++ * SLAPI_PLUGIN_MR_TYPE
++ * should contain the attribute type that you want used for indexing or sorting.
++ * SLAPI_PLUGIN_MR_USAGE
++ * should specify if the indexer will be used for indexing (SLAPI_PLUGIN_MR_USAGE_INDEX)
++ * or for sorting (SLAPI_PLUGIN_MR_USAGE_SORT)
++ *
++ *
++ * Output:
++ *
++ * SLAPI_PLUGIN_MR_OID
++ * contain the OFFICIAL OID of the matching rule that you want used for indexing or sorting.
++ * SLAPI_PLUGIN_MR_INDEX_FN
++ * specifies the indexer function responsible for indexing or sorting of struct berval **
++ * SLAPI_PLUGIN_MR_INDEX_SV_FN
++ * specifies the indexer function responsible for indexing or sorting of Slapi_Value **
++ * SLAPI_PLUGIN_OBJECT
++ * contain any information that you want passed to the indexer function.
++ * SLAPI_PLUGIN_DESTROY_FN
++ * specifies the function responsible for freeing any memory allocated by this indexer factory function.
++ * For example, memory allocated for a structure that you pass to the indexer function using SLAPI_PLUGIN_OBJECT.
++ *
++ */
+ int /* an LDAP error code, hopefully LDAP_SUCCESS */
+ slapi_mr_indexer_create (Slapi_PBlock* opb)
+ {
+@@ -152,60 +228,73 @@ slapi_mr_indexer_create (Slapi_PBlock* opb)
+ char* oid;
+ if (!(rc = slapi_pblock_get (opb, SLAPI_PLUGIN_MR_OID, &oid)))
+ {
+- IFP createFn = NULL;
+- struct slapdplugin* mrp = plugin_mr_find_registered (oid);
+- if (mrp != NULL)
+- {
+- if (!(rc = slapi_pblock_set (opb, SLAPI_PLUGIN, mrp)) &&
+- !(rc = slapi_pblock_get (opb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) &&
+- createFn != NULL)
+- {
+- rc = createFn (opb);
+- }
+- }
+- else
+- {
+- /* call each plugin, until one is able to handle this request. */
+- rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
+- for (mrp = get_plugin_list(PLUGIN_LIST_MATCHINGRULE); mrp != NULL; mrp = mrp->plg_next)
+- {
+- IFP indexFn = NULL;
+- IFP indexSvFn = NULL;
+- Slapi_PBlock pb;
+- memcpy (&pb, opb, sizeof(Slapi_PBlock));
+- slapi_pblock_set(&pb, SLAPI_PLUGIN, mrp);
+- if (slapi_pblock_get(&pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) {
+- /* plugin not a matchingrule type */
+- continue;
+- }
+- if (createFn && !createFn(&pb)) {
+- slapi_pblock_get(&pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
+- slapi_pblock_get(&pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
+- if (indexFn || indexSvFn) {
+- /* Success: this plugin can handle it. */
+- memcpy(opb, &pb, sizeof (Slapi_PBlock));
+- plugin_mr_bind(oid, mrp); /* for future reference */
+- rc = 0; /* success */
+- break;
+- }
+-
+- }
+- }
+- if (rc != 0) {
+- /* look for a new syntax-style mr plugin */
+- struct slapdplugin *pi = plugin_mr_find(oid);
+- if (pi) {
+- Slapi_PBlock pb;
+- memcpy (&pb, opb, sizeof(Slapi_PBlock));
+- slapi_pblock_set(&pb, SLAPI_PLUGIN, pi);
+- rc = default_mr_indexer_create(&pb);
+- if (!rc) {
+- memcpy (opb, &pb, sizeof(Slapi_PBlock));
+- plugin_mr_bind (oid, pi); /* for future reference */
+- }
+- }
+- }
+- }
++ IFP createFn = NULL;
++ struct slapdplugin* mrp = plugin_mr_find_registered(oid);
++ if (mrp != NULL) {
++ /* Great the matching OID -> MR plugin was already found, just reuse it */
++ if (!(rc = slapi_pblock_set(opb, SLAPI_PLUGIN, mrp)) &&
++ !(rc = slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) &&
++ createFn != NULL) {
++ rc = createFn(opb);
++ }
++ } else {
++ /* We need to find in the MR plugins list, the MR plugin that will be able to handle OID
++ *
++ * It can be "old style" MR plugin (i.e. collation) that define indexer
++ *
++ * It can be "now style" MR plugin that contain OID string in 'plg_mr_names'
++ * (ie. ces, cis, bin...) where plg_mr_names is defined in 'mr_plugin_table' in each file
++ * ces.c, cis.c...
++ * New style MR plugin have NULL indexer create function but rather use a default indexer
++ */
++
++ /* Look for a old syntax-style mr plugin
++ * call each plugin, until one is able to handle this request.
++ */
++ rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
++
++ for (mrp = get_plugin_list(PLUGIN_LIST_MATCHINGRULE); mrp != NULL; mrp = mrp->plg_next) {
++
++ Slapi_PBlock *pb = slapi_pblock_new();
++ mr_indexer_init_pb(opb, pb);
++ slapi_pblock_set(pb, SLAPI_PLUGIN, mrp);
++ /* This is associated with the pb_plugin struct, so it comes with mrp */
++ if (slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) {
++ /* plugin not a matchingrule type */
++ slapi_pblock_destroy(pb);
++ continue;
++ }
++
++ if (createFn && !createFn(pb)) {
++ IFP indexFn = NULL;
++ IFP indexSvFn = NULL;
++ /* These however, are in the pblock direct, so we need to copy them. */
++ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
++ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
++ if (indexFn || indexSvFn) {
++ /* Success: this plugin can handle it. */
++ mr_indexer_init_pb(pb, opb);
++ plugin_mr_bind(oid, mrp); /* for future reference */
++ rc = 0; /* success */
++ slapi_pblock_destroy(pb);
++ break;
++ }
++ }
++ slapi_pblock_destroy(pb);
++ }
++ if (rc != 0) {
++ /* look for a new syntax-style mr plugin */
++ struct slapdplugin *pi = plugin_mr_find(oid);
++ if (pi) {
++ slapi_pblock_set(opb, SLAPI_PLUGIN, pi);
++ rc = default_mr_indexer_create(opb);
++ if (!rc) {
++ plugin_mr_bind(oid, pi); /* for future reference */
++ }
++ slapi_pblock_set(opb, SLAPI_PLUGIN, NULL);
++ }
++ }
++ }
+ }
+ return rc;
+ }
+@@ -683,6 +772,11 @@ default_mr_indexer_create(Slapi_PBlock* pb)
+ slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_FN, mr_wrap_mr_index_fn);
+ slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, mr_wrap_mr_index_sv_fn);
+ slapi_pblock_set(pb, SLAPI_PLUGIN_DESTROY_FN, default_mr_indexer_destroy);
++
++ /* Note the two following setting are in the slapdplugin struct SLAPI_PLUGIN
++ * so they are not really output of the function but will just
++ * be stored in the bound (OID <--> plugin) list (plugin_mr_find_registered/plugin_mr_bind)
++ */
+ slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, default_mr_indexer_create);
+ slapi_pblock_set(pb, SLAPI_PLUGIN_MR_FILTER_CREATE_FN, default_mr_filter_create);
+ rc = 0;
+--
+2.13.6
+
diff --git a/SOURCES/0088-Ticket-bz1525628-1.3.6-backport-invalid-password-mig.patch b/SOURCES/0088-Ticket-bz1525628-1.3.6-backport-invalid-password-mig.patch
new file mode 100644
index 0000000..b5b280c
--- /dev/null
+++ b/SOURCES/0088-Ticket-bz1525628-1.3.6-backport-invalid-password-mig.patch
@@ -0,0 +1,292 @@
+From 4219c54d9706f5597e8186d4f983b30587c2762e Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 13 Feb 2018 10:32:06 -0500
+Subject: [PATCH] Ticket bz1525628 1.3.6 backport - invalid password migration
+ causes unauth bind
+
+Bug Description: Slapi_ct_memcmp expects both inputs to be
+at LEAST size n. If they are not, we only compared UP to n.
+
+Invalid migrations of passwords (IE {CRYPT}XX) would create
+a pw which is just salt and no hash. ct_memcmp would then
+only verify the salt bits and would allow the authentication.
+
+This relies on an administrative mistake both of allowing
+password migration (nsslapd-allow-hashed-passwords) and then
+subsequently migrating an INVALID password to the server.
+
+Fix Description: slapi_ct_memcmp now access n1, n2 size
+and will FAIL if they are not the same, but will still compare
+n bytes, where n is the "longest" memory, to the first byte
+of the other to prevent length disclosure of the shorter
+value (generally the mis-migrated password)
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1525628
+
+Author: wibrown
+---
+ ldap/servers/plugins/pwdstorage/clear_pwd.c | 4 +-
+ ldap/servers/plugins/pwdstorage/crypt_pwd.c | 4 +-
+ ldap/servers/plugins/pwdstorage/md5_pwd.c | 14 +++----
+ ldap/servers/plugins/pwdstorage/sha_pwd.c | 18 +++++++--
+ ldap/servers/plugins/pwdstorage/smd5_pwd.c | 60 +++++++++++++++--------------
+ ldap/servers/slapd/ch_malloc.c | 37 +++++++++++++++---
+ ldap/servers/slapd/slapi-plugin.h | 2 +-
+ 7 files changed, 88 insertions(+), 51 deletions(-)
+
+diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
+index b9b362d34..050e60dd7 100644
+--- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
+@@ -39,7 +39,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd )
+ * However, even if the first part of userpw matches dbpwd, but len !=, we
+ * have already failed anyawy. This prevents substring matching.
+ */
+- if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
++ if (slapi_ct_memcmp(userpwd, dbpwd, len_user, len_dbp) != 0) {
+ result = 1;
+ }
+ } else {
+@@ -51,7 +51,7 @@ clear_pw_cmp( const char *userpwd, const char *dbpwd )
+ * dbpwd to itself. We have already got result == 1 if we are here, so we are
+ * just trying to take up time!
+ */
+- if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
++ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp, len_dbp)) {
+ /* Do nothing, we have the if to fix a coverity check. */
+ }
+ }
+diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+index dfd5af94b..ff8eabb07 100644
+--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+@@ -56,13 +56,13 @@ crypt_close(Slapi_PBlock *pb __attribute__((unused)))
+ int
+ crypt_pw_cmp( const char *userpwd, const char *dbpwd )
+ {
+- int rc;
++ int32_t rc;
+ char *cp;
+ PR_Lock(cryptlock);
+ /* we use salt (first 2 chars) of encoded password in call to crypt() */
+ cp = crypt( userpwd, dbpwd );
+ if (cp) {
+- rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd));
++ rc= slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd), strlen(cp));
+ } else {
+ rc = -1;
+ }
+diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+index b27994667..88c11688b 100644
+--- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
+@@ -30,12 +30,12 @@
+ int
+ md5_pw_cmp( const char *userpwd, const char *dbpwd )
+ {
+- int rc=-1;
+- char * bver;
+- PK11Context *ctx=NULL;
++ int32_t rc=-1;
++ char *bver;
++ PK11Context *ctx = NULL;
+ unsigned int outLen;
+ unsigned char hash_out[MD5_HASH_LEN];
+- unsigned char b2a_out[MD5_HASH_LEN*2]; /* conservative */
++ unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
+ SECItem binary_item;
+
+ ctx = PK11_CreateDigestContext(SEC_OID_MD5);
+@@ -57,10 +57,10 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd )
+ bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
+ /* bver points to b2a_out upon success */
+ if (bver) {
+- rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd));
++ rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd), strlen(bver));
+ } else {
+- slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
+- "Could not base64 encode hashed value for password compare");
++ slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
++ "Could not base64 encode hashed value for password compare");
+ }
+ loser:
+ return rc;
+diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c
+index 5f41c5b93..c9db8964a 100644
+--- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
+@@ -49,7 +49,7 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
+ char userhash[MAX_SHA_HASH_SIZE];
+ char quick_dbhash[MAX_SHA_HASH_SIZE + SHA_SALT_LENGTH + 3];
+ char *dbhash = quick_dbhash;
+- struct berval salt;
++ struct berval salt = {0};
+ PRUint32 hash_len;
+ unsigned int secOID;
+ char *schemeName;
+@@ -120,10 +120,20 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen )
+ }
+
+ /* the proof is in the comparison... */
+- if ( hash_len >= shaLen ) {
+- result = slapi_ct_memcmp( userhash, dbhash, shaLen );
++ if (hash_len >= shaLen) {
++ /*
++ * This say "if the hash has a salt IE >, OR if they are equal, check the hash component ONLY.
++ * This is why we repeat shaLen twice, even though it seems odd. If you have a dbhast of ssha
++ * it's len is 28, and the userpw is 20, but 0 - 20 is the sha, and 21-28 is the salt, which
++ * has already been processed into userhash.
++ * The case where dbpwd is truncated is handled above in "invalid base64" arm.
++ */
++ result = slapi_ct_memcmp(userhash, dbhash, shaLen, shaLen);
+ } else {
+- result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH );
++ /* This case is for if the salt is at the START, which only applies to DS40B1 case.
++ * May never be a valid check...
++ */
++ result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, shaLen, hash_len - OLD_SALT_LENGTH);
+ }
+
+ loser:
+diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+index 2e9d195ea..f6b4bb4a0 100644
+--- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
++++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
+@@ -52,35 +52,37 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd )
+ /*
+ * Decode hash stored in database.
+ */
+- hash_len = pwdstorage_base64_decode_len(dbpwd, 0);
+- if ( hash_len >= sizeof(quick_dbhash) ) { /* get more space: */
+- dbhash = (char*) slapi_ch_calloc( hash_len + 1, sizeof(char) );
+- if ( dbhash == NULL ) goto loser;
+- } else {
+- memset( quick_dbhash, 0, sizeof(quick_dbhash) );
+- }
+-
+- hashresult = PL_Base64Decode( dbpwd, 0, dbhash );
+- if (NULL == hashresult) {
+- slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME,
+- "smd5_pw_cmp: userPassword \"%s\" is the wrong length "
+- "or is not properly encoded BASE64\n", dbpwd );
+- goto loser;
+- }
+-
+- salt.bv_val = (void*)(dbhash + MD5_LENGTH); /* salt starts after hash value */
+- salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */
+-
+- /* create the hash */
+- memset( userhash, 0, sizeof(userhash) );
+- PK11_DigestBegin(ctx);
+- PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
+- PK11_DigestOp(ctx, (unsigned char*)(salt.bv_val), salt.bv_len);
+- PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash);
+- PK11_DestroyContext(ctx, 1);
+-
+- /* Compare everything up to the salt. */
+- rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH );
++ hash_len = pwdstorage_base64_decode_len(dbpwd, 0);
++ if (hash_len >= sizeof(quick_dbhash)) { /* get more space: */
++ dbhash = (char *)slapi_ch_calloc(hash_len + 1, sizeof(char));
++ if (dbhash == NULL)
++ goto loser;
++ } else {
++ memset(quick_dbhash, 0, sizeof(quick_dbhash));
++ }
++
++ hashresult = PL_Base64Decode(dbpwd, 0, dbhash);
++ if (NULL == hashresult) {
++ slapi_log_err(SLAPI_LOG_PLUGIN, SALTED_MD5_SUBSYSTEM_NAME,
++ "smd5_pw_cmp: userPassword \"%s\" is the wrong length "
++ "or is not properly encoded BASE64\n",
++ dbpwd);
++ goto loser;
++ }
++
++ salt.bv_val = (void *)(dbhash + MD5_LENGTH); /* salt starts after hash value */
++ salt.bv_len = hash_len - MD5_LENGTH; /* remaining bytes must be salt */
++
++ /* create the hash */
++ memset(userhash, 0, sizeof(userhash));
++ PK11_DigestBegin(ctx);
++ PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
++ PK11_DigestOp(ctx, (unsigned char *)(salt.bv_val), salt.bv_len);
++ PK11_DigestFinal(ctx, userhash, &outLen, sizeof userhash);
++ PK11_DestroyContext(ctx, 1);
++
++ /* Compare everything up to the salt. */
++ rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH, MD5_LENGTH);
+
+ loser:
+ if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash );
+diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
+index 52ccb64e8..da0b5f6d8 100644
+--- a/ldap/servers/slapd/ch_malloc.c
++++ b/ldap/servers/slapd/ch_malloc.c
+@@ -343,8 +343,8 @@ slapi_ch_smprintf(const char *fmt, ...)
+
+ /* Constant time memcmp. Does not shortcircuit on failure! */
+ /* This relies on p1 and p2 both being size at least n! */
+-int
+-slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
++int32_t
++slapi_ct_memcmp( const void *p1, const void *p2, size_t n1, size_t n2)
+ {
+ int result = 0;
+ const unsigned char *_p1 = (const unsigned char *)p1;
+@@ -353,10 +353,35 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n)
+ if (_p1 == NULL || _p2 == NULL) {
+ return 2;
+ }
+-
+- for (size_t i = 0; i < n; i++) {
+- if (_p1[i] ^ _p2[i]) {
+- result = 1;
++ if (n1 == n2) {
++ for (size_t i = 0; i < n1; i++) {
++ if (_p1[i] ^ _p2[i]) {
++ result = 1;
++ }
++ }
++ } else {
++ const unsigned char *_pa;
++ const unsigned char *_pb;
++ size_t nl;
++ if (n2 > n1) {
++ _pa = _p2;
++ _pb = _p2;
++ nl = n2;
++ } else {
++ _pa = _p1;
++ _pb = _p1;
++ nl = n1;
++ }
++ /* We already fail as n1 != n2 */
++ result = 3;
++ for (size_t i = 0; i < nl; i++) {
++ if (_pa[i] ^ _pb[i]) {
++ /*
++ * If we don't mutate result here, dead code elimination
++ * we remove for loop.
++ */
++ result = 4;
++ }
+ }
+ }
+ return result;
+diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
+index 16aa1b711..8555be939 100644
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -5856,7 +5856,7 @@ char * slapi_ch_smprintf(const char *fmt, ...)
+ * \param n length in bytes of the content of p1 AND p2.
+ * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
+ */
+-int slapi_ct_memcmp( const void *p1, const void *p2, size_t n);
++int32_t slapi_ct_memcmp( const void *p1, const void *p2, size_t n1, size_t n2);
+
+ /*
+ * syntax plugin routines
+--
+2.13.6
+
diff --git a/SOURCES/0089-Ticket-49545-final-substring-extended-filter-search-.patch b/SOURCES/0089-Ticket-49545-final-substring-extended-filter-search-.patch
new file mode 100644
index 0000000..02cce65
--- /dev/null
+++ b/SOURCES/0089-Ticket-49545-final-substring-extended-filter-search-.patch
@@ -0,0 +1,66 @@
+From 73dd295434a03be28531cea40fde041ce7bd2d7e Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 13 Feb 2018 10:35:35 -0500
+Subject: [PATCH] Ticket 49545 - final substring extended filter search returns
+ invalid result
+
+Bug Description:
+ During a search (using extended filter with final substring), the server
+ checks the filter before returning the matching entries.
+ When checking the attribute value against the filter, it
+ uses the wrong value.
+
+Fix Description:
+ Make suree it uses the right portion of the attribute value, in order
+ to generate the keys to compare.
+
+https://pagure.io/389-ds-base/issue/49545
+
+Reviewed by: Ludwig Krispenz
+---
+ ldap/servers/plugins/collation/orfilter.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c
+index 866936afe..8f10f81b6 100644
+--- a/ldap/servers/plugins/collation/orfilter.c
++++ b/ldap/servers/plugins/collation/orfilter.c
+@@ -180,17 +180,33 @@ ss_filter_match (or_filter_t* or, struct berval** vals)
+ } else { /* final */
+ auto size_t attempts = MAX_CHAR_COMBINING;
+ auto char* limit = v.bv_val;
++ auto char *end;
+ auto struct berval** vkeys;
+ auto struct berval* vals[2];
+ auto struct berval key;
++
+ rc = -1;
+ vals[0] = &v;
+ vals[1] = NULL;
+ key.bv_val = (*k)->bv_val;
+ key.bv_len = (*k)->bv_len - 1;
+- v.bv_val = (*vals)->bv_val + (*vals)->bv_len;
++ /* In the following lines it will loop to find
++ * if the end of the attribute value matches the 'final' of the filter
++ * Short summary:
++ * vals contains the attribute value :for example "hello world"
++ * key contain the key generated from the indexing of final part of the filter.
++ * for example filter=(<attribut>=*ld), so key contains the indexing("ld").
++ *
++ * The loop will iterate over the attribute value (vals) from the end of string
++ * to the begining. So it will try to index('d'), index('ld'), index('rld'), index('orld')...
++ *
++ * At each iteration if the key generated from indexing the portion of vals, matches
++ * the key generate from the final part of the filter, then the loop stops => we are done
++ */
++ end = v.bv_val + v.bv_len - 1;
++ v.bv_val = end;
+ while(1) {
+- v.bv_len = (*vals)->bv_len - (v.bv_val - (*vals)->bv_val);
++ v.bv_len = end - v.bv_val + 1;
+ vkeys = ix->ix_index (ix, vals, NULL);
+ if (vkeys && vkeys[0]) {
+ auto const struct berval* vkey = vkeys[0];
+--
+2.13.6
+
diff --git a/SOURCES/0090-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch b/SOURCES/0090-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch
new file mode 100644
index 0000000..ca57d86
--- /dev/null
+++ b/SOURCES/0090-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch
@@ -0,0 +1,189 @@
+From 715bdd7fd707d4addf52c21051ec3ab90951a691 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Wed, 6 Dec 2017 15:14:57 +0100
+Subject: [PATCH] Ticket 49471 - heap-buffer-overflow in ss_unescape
+
+Bug Description:
+ Two problems here
+ - when searching for wildcard and escape char, ss_unescape assumes the string
+ is at least 3 chars longs. So memcmp can overflow a shorter string
+ - while splitting a string into substring pattern, it loops over
+ wildcard and can overpass the string end
+
+Fix Description:
+ For the first problem, it checks the string size is long enough to memcmp
+ a wildcard or an escape
+ For the second it exits from the loop as soon as the end of the string is reached
+
+https://pagure.io/389-ds-base/issue/49471
+
+Reviewed by: William Brown
+
+Platforms tested: F23
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit 5991388ce75fba8885579b769711d57acfd43cd3)
+(cherry picked from commit 3fb1c408cb4065de8d9c0c1de050d08969d51bb0)
+---
+ dirsrvtests/tests/tickets/ticket49471_test.py | 79 +++++++++++++++++++++++++++
+ ldap/servers/plugins/collation/orfilter.c | 48 +++++++++-------
+ 2 files changed, 106 insertions(+), 21 deletions(-)
+ create mode 100644 dirsrvtests/tests/tickets/ticket49471_test.py
+
+diff --git a/dirsrvtests/tests/tickets/ticket49471_test.py b/dirsrvtests/tests/tickets/ticket49471_test.py
+new file mode 100644
+index 000000000..0456a5182
+--- /dev/null
++++ b/dirsrvtests/tests/tickets/ticket49471_test.py
+@@ -0,0 +1,79 @@
++import logging
++import pytest
++import os
++import time
++import ldap
++from lib389._constants import *
++from lib389.topologies import topology_st as topo
++from lib389 import Entry
++
++DEBUGGING = os.getenv("DEBUGGING", default=False)
++if DEBUGGING:
++ logging.getLogger(__name__).setLevel(logging.DEBUG)
++else:
++ logging.getLogger(__name__).setLevel(logging.INFO)
++log = logging.getLogger(__name__)
++
++
++USER_CN='user_'
++def _user_get_dn(no):
++ cn = '%s%d' % (USER_CN, no)
++ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
++ return (cn, dn)
++
++def add_user(server, no, desc='dummy', sleep=True):
++ (cn, dn) = _user_get_dn(no)
++ log.fatal('Adding user (%s): ' % dn)
++ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser', 'userSecurityInformation'],
++ 'cn': [cn],
++ 'description': [desc],
++ 'sn': [cn],
++ 'description': ['add on that host']})))
++ if sleep:
++ time.sleep(2)
++
++def test_ticket49471(topo):
++ """Specify a test case purpose or name here
++
++ :id: 457ab172-9455-4eb2-89a0-150e3de5993f
++ :setup: Fill in set up configuration here
++ :steps:
++ 1. Fill in test case steps here
++ 2. And indent them like this (RST format requirement)
++ :expectedresults:
++ 1. Fill in the result that is expected
++ 2. For each test step
++ """
++
++ # If you need any test suite initialization,
++ # please, write additional fixture for that (including finalizer).
++ # Topology for suites are predefined in lib389/topologies.py.
++
++ # If you need host, port or any other data about instance,
++ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
++
++ S1 = topo.standalone
++ add_user(S1, 1)
++
++ Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=\*on\*)"
++ ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter)
++ assert len(ents) == 1
++
++ #
++ # The following is for the test 49491
++ # skipped here else it crashes in ASAN
++ #Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=\*host)"
++ #ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter)
++ #assert len(ents) == 1
++
++ if DEBUGGING:
++ # Add debugging steps(if any)...
++ pass
++
++
++if __name__ == '__main__':
++ # Run isolated
++ # -s for DEBUG mode
++ CURRENT_FILE = os.path.realpath(__file__)
++ pytest.main("-s %s" % CURRENT_FILE)
++
+diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c
+index 8f10f81b6..438efafef 100644
+--- a/ldap/servers/plugins/collation/orfilter.c
++++ b/ldap/servers/plugins/collation/orfilter.c
+@@ -317,19 +317,21 @@ ss_unescape (struct berval* val)
+ char* t = s;
+ char* limit = s + val->bv_len;
+ while (s < limit) {
+- if (!memcmp (s, "\\2a", 3) ||
+- !memcmp (s, "\\2A", 3)) {
+- *t++ = WILDCARD;
+- s += 3;
+- } else if (!memcmp (s, "\\5c", 3) ||
+- !memcmp (s, "\\5C", 3)) {
+- *t++ = '\\';
+- s += 3;
+- } else {
+- if (t == s) LDAP_UTF8INC (t);
+- else t += LDAP_UTF8COPY (t, s);
+- LDAP_UTF8INC (s);
+- }
++ if (((limit - s) >= 3) &&
++ (!memcmp(s, "\\2a", 3) || !memcmp(s, "\\2A", 3))) {
++ *t++ = WILDCARD;
++ s += 3;
++ } else if ((limit - s) >= 3 &&
++ (!memcmp(s, "\\5c", 3) || !memcmp(s, "\\5C", 3))) {
++ *t++ = '\\';
++ s += 3;
++ } else {
++ if (t == s)
++ LDAP_UTF8INC(t);
++ else
++ t += LDAP_UTF8COPY(t, s);
++ LDAP_UTF8INC(s);
++ }
+ }
+ val->bv_len = t - val->bv_val;
+ }
+@@ -405,14 +407,18 @@ ss_filter_values (struct berval* pattern, int* query_op)
+ n = 0;
+ s = pattern->bv_val;
+ for (p = s; p < plimit; LDAP_UTF8INC(p)) {
+- switch (*p) {
+- case WILDCARD:
+- result[n++] = ss_filter_value (s, p-s, &val);
+- while (++p != plimit && *p == WILDCARD);
+- s = p;
+- break;
+- default: break;
+- }
++ switch (*p) {
++ case WILDCARD:
++ result[n++] = ss_filter_value(s, p - s, &val);
++ while (p != plimit && *p == WILDCARD) p++;
++ s = p;
++ break;
++ default:
++ break;
++ }
++ if (p >= plimit) {
++ break;
++ }
+ }
+ if (p != s || s == plimit) {
+ result[n++] = ss_filter_value (s, p-s, &val);
+--
+2.13.6
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 61d84f7..fb486df 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -30,7 +30,7 @@
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 1.3.6.1
-Release: %{?relprefix}26%{?prerel}%{?dist}
+Release: %{?relprefix}28%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org/
Group: System Environment/Daemons
@@ -220,6 +220,10 @@ Patch83: 0083-Ticket-49410-opened-connection-can-remain-no-longer-.patc
Patch84: 0084-Ticket-48118-backport-changelog-can-be-erronously-re.patch
Patch85: 0085-Ticket-49495-Fix-memory-management-is-vattr.patch
Patch86: 0086-CVE-2017-15134-389-ds-base-Remote-DoS-via-search-fil.patch
+Patch87: 0087-Ticket-49509-Indexing-of-internationalized-matching-.patch
+Patch88: 0088-Ticket-bz1525628-1.3.6-backport-invalid-password-mig.patch
+Patch89: 0089-Ticket-49545-final-substring-extended-filter-search-.patch
+Patch90: 0090-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -376,6 +380,10 @@ cp %{SOURCE2} README.devel
%patch84 -p1
%patch85 -p1
%patch86 -p1
+%patch87 -p1
+%patch88 -p1
+%patch89 -p1
+%patch90 -p1
%build
@@ -608,8 +616,18 @@ fi
%{_sysconfdir}/%{pkgname}/dirsrvtests
%changelog
+* Mon Feb 26 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.6.1-28
+- Bump version to 1.3.6.1-28
+- Resolves: Bug 1540105 - CVE-2018-1054 - remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8
+
+* Tue Feb 13 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.6.1-27
+- Bump version to 1.3.6.1-27
+- Resolves: Bug 1536343 - Indexing of internationalized matching rules is failing
+- Resolves: Bug 1535539 - CVE-2017-15135 - Authentication bypass due to lack of size check in slapi_ct_memcmp function
+- Resolves: Bug 1540105 - CVE-2018-1054 - remote Denial of Service (DoS) via search filters in SetUnicodeStringFromUTF_8
+
* Tue Jan 16 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.6.1-26
-- Bump version to 1.3.6.1-25
+- Bump version to 1.3.6.1-26
- Resolves: Bug 1534430 - crash in slapi_filter_sprintf
* Mon Dec 18 2017 Mark Reynolds <mreynolds@redhat.com> - 1.3.6.1-25