diff --git a/SOURCES/0035-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch b/SOURCES/0035-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch new file mode 100644 index 0000000..93eec89 --- /dev/null +++ b/SOURCES/0035-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch @@ -0,0 +1,371 @@ +From c510a50bbbb05099159817f8d9da0088c5a0a5c0 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 21 Aug 2020 12:44:18 -0400 +Subject: [PATCH] Issue 51129 - SSL alert: The value of sslVersionMax "TLS1.3" + is higher than the supported version + + Bug Description: If you try and set the sslVersionMax higher than the + default range, but within the supported range, you + would still get an error and the server would reset + the max to "default" max value. + + Fix Description: Keep track of both the supported and default SSL ranges, + and correctly use each range for value validation. If + the value is outside the supported range, then use default + value, etc, but do not check the requested range against + the default range. We only use the default range if + there is no specified min or max in the config, or if + a invalid min or max value is set in the config. + + Also, refactored the range variable names to be more + accurate: + + enabledNSSVersions --> defaultNSSVersions + emin, emax --> dmin, dmax + + relates: https://pagure.io/389-ds-base/issue/51129 + + Reviewed by: firstyear(Thanks!) +--- + ldap/servers/slapd/ssl.c | 167 +++++++++++++++++++++------------------ + 1 file changed, 88 insertions(+), 79 deletions(-) + +diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c +index 71f91f761..1a860b71e 100644 +--- a/ldap/servers/slapd/ssl.c ++++ b/ldap/servers/slapd/ssl.c +@@ -48,12 +48,12 @@ + * sslVersionMax: max ssl version supported by NSS + ******************************************************************************/ + +-#define DEFVERSION "TLS1.0" +-#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0 ++#define DEFVERSION "TLS1.2" + + extern char *slapd_SSL3ciphers; + extern symbol_t supported_ciphers[]; +-static SSLVersionRange enabledNSSVersions; ++static SSLVersionRange defaultNSSVersions; ++static SSLVersionRange supportedNSSVersions; + static SSLVersionRange slapdNSSVersions; + + +@@ -151,7 +151,7 @@ PRBool enableSSL2 = PR_FALSE; + PRBool enableSSL3 = PR_FALSE; + /* + * nsTLS1: on -- enable TLS1 by default. +- * Corresonding to SSL_LIBRARY_VERSION_TLS_1_0 and greater. ++ * Corresonding to SSL_LIBRARY_VERSION_TLS_1_2 and greater. + */ + PRBool enableTLS1 = PR_TRUE; + +@@ -934,15 +934,24 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr + int create_certdb = 0; + PRUint32 nssFlags = 0; + char *certdir; +- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; +- /* Get the range of the supported SSL version */ +- SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions); ++ char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH]; ++ char smin[VERSION_STR_LENGTH], smax[VERSION_STR_LENGTH]; + +- (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); +- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); ++ /* Get the range of the supported SSL version */ ++ SSL_VersionRangeGetSupported(ssl_variant_stream, &supportedNSSVersions); ++ (void)slapi_getSSLVersion_str(supportedNSSVersions.min, smin, sizeof(smin)); ++ (void)slapi_getSSLVersion_str(supportedNSSVersions.max, smax, sizeof(smax)); ++ ++ /* Get the enabled default range */ ++ SSL_VersionRangeGetDefault(ssl_variant_stream, &defaultNSSVersions); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin)); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax)); + slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization", + "slapd_nss_init - Supported range by NSS: min: %s, max: %s\n", +- emin, emax); ++ smin, smax); ++ slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization", ++ "slapd_nss_init - Enabled default range by NSS: min: %s, max: %s\n", ++ dmin, dmax); + + /* set in slapd_bootstrap_config, + thus certdir is available even if config_available is false */ +@@ -1262,21 +1271,21 @@ static int + set_NSS_version(char *val, PRUint16 *rval, int ismin) + { + char *vp; +- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; ++ char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH]; + + if (NULL == rval) { + return 1; + } +- (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); +- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin)); ++ (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax)); + + if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# NOT SUPPORTED */ + if (ismin) { +- slapd_SSL_warn("SSL3 is no longer supported. Using NSS default min value: %s\n", emin); +- (*rval) = enabledNSSVersions.min; ++ slapd_SSL_warn("SSL3 is no longer supported. Using NSS default min value: %s", dmin); ++ (*rval) = defaultNSSVersions.min; + } else { +- slapd_SSL_warn("SSL3 is no longer supported. Using NSS default max value: %s\n", emax); +- (*rval) = enabledNSSVersions.max; ++ slapd_SSL_warn("SSL3 is no longer supported. Using NSS default max value: %s", dmax); ++ (*rval) = defaultNSSVersions.max; + } + } else if (!strncasecmp(val, TLSSTR, TLSLEN)) { /* tls# */ + float tlsv; +@@ -1284,122 +1293,122 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) + sscanf(vp, "%4f", &tlsv); + if (tlsv < 1.1f) { /* TLS1.0 */ + if (ismin) { +- if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is lower than the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { +- (*rval) = CURRENT_DEFAULT_SSL_VERSION; ++ (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; + } + } else { +- if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) { + /* never happens */ + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is higher than the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } else { +- (*rval) = CURRENT_DEFAULT_SSL_VERSION; ++ (*rval) = SSL_LIBRARY_VERSION_TLS_1_0; + } + } + } else if (tlsv < 1.2f) { /* TLS1.1 */ + if (ismin) { +- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is lower than the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_1; + } + } else { +- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) { + /* never happens */ + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is higher than the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_1; + } + } + } else if (tlsv < 1.3f) { /* TLS1.2 */ + if (ismin) { +- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is lower than the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_2; + } + } else { +- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) { + /* never happens */ + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is higher than the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } else { + (*rval) = SSL_LIBRARY_VERSION_TLS_1_2; + } + } + } else if (tlsv < 1.4f) { /* TLS1.3 */ +- if (ismin) { +- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) { +- slapd_SSL_warn("The value of sslVersionMin " +- "\"%s\" is lower than the supported version; " +- "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; +- } else { +- (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; +- } +- } else { +- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) { +- /* never happens */ +- slapd_SSL_warn("The value of sslVersionMax " +- "\"%s\" is higher than the supported version; " +- "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; +- } else { +- (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; +- } +- } ++ if (ismin) { ++ if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) { ++ slapd_SSL_warn("The value of sslVersionMin " ++ "\"%s\" is lower than the supported version; " ++ "the default value \"%s\" is used.", ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; ++ } else { ++ (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; ++ } ++ } else { ++ if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) { ++ /* never happens */ ++ slapd_SSL_warn("The value of sslVersionMax " ++ "\"%s\" is higher than the supported version; " ++ "the default value \"%s\" is used.", ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; ++ } else { ++ (*rval) = SSL_LIBRARY_VERSION_TLS_1_3; ++ } ++ } + } else { /* Specified TLS is newer than supported */ + if (ismin) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is out of the range of the supported version; " + "the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is out of the range of the supported version; " + "the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } + } + } else { + if (ismin) { + slapd_SSL_warn("The value of sslVersionMin " + "\"%s\" is invalid; the default value \"%s\" is used.", +- val, emin); +- (*rval) = enabledNSSVersions.min; ++ val, dmin); ++ (*rval) = defaultNSSVersions.min; + } else { + slapd_SSL_warn("The value of sslVersionMax " + "\"%s\" is invalid; the default value \"%s\" is used.", +- val, emax); +- (*rval) = enabledNSSVersions.max; ++ val, dmax); ++ (*rval) = defaultNSSVersions.max; + } + } + return 0; +@@ -1429,10 +1438,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + char *tmpDir; + Slapi_Entry *e = NULL; + PRBool fipsMode = PR_FALSE; +- PRUint16 NSSVersionMin = enabledNSSVersions.min; +- PRUint16 NSSVersionMax = enabledNSSVersions.max; ++ PRUint16 NSSVersionMin = defaultNSSVersions.min; ++ PRUint16 NSSVersionMax = defaultNSSVersions.max; + char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH]; +- char newmax[VERSION_STR_LENGTH]; + int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER; + int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN; + +@@ -1780,7 +1788,11 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + } + val = slapi_entry_attr_get_ref(e, "sslVersionMin"); + if (val) { ++ /* Use the user defined minimum */ + (void)set_NSS_version((char *)val, &NSSVersionMin, 1); ++ } else { ++ /* Force our default minimum */ ++ (void)set_NSS_version(DEFVERSION, &NSSVersionMin, 1); + } + val = slapi_entry_attr_get_ref(e, "sslVersionMax"); + if (val) { +@@ -1789,12 +1801,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + if (NSSVersionMin > NSSVersionMax) { + (void)slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin)); + (void)slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax)); +- slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".", ++ slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\". Adjusting the max to match the miniumum.", + mymin, mymax); +- (void)slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax)); +- slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".", +- mymax, newmax); +- NSSVersionMax = enabledNSSVersions.max; ++ NSSVersionMax = NSSVersionMin; + } + } + +@@ -1810,7 +1819,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + if (sslStatus != SECSuccess) { + errorCode = PR_GetError(); + slapd_SSL_error("Security Initialization - " +- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n", ++ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)", + mymin, mymax, errorCode, slapd_pr_strerror(errorCode)); + } + /* +@@ -1840,13 +1849,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) + (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); + (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); + slapd_SSL_error("Security Initialization - " +- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n", ++ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)", + mymin, mymax, errorCode, slapd_pr_strerror(errorCode)); + } + } else { + errorCode = PR_GetError(); + slapd_SSL_error("Security Initialization - ", +- "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)\n", ++ "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)", + errorCode, slapd_pr_strerror(errorCode)); + } + +@@ -2173,7 +2182,7 @@ slapd_SSL_client_auth(LDAP *ld) + } + } else { + if (token == NULL) { +- slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found\n"); ++ slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found"); + } + rc = -1; + } +-- +2.26.2 + diff --git a/SOURCES/0036-Issue-49731-undo-db_home_dir-under-dev-shm-dirsrv-fo.patch b/SOURCES/0036-Issue-49731-undo-db_home_dir-under-dev-shm-dirsrv-fo.patch new file mode 100644 index 0000000..6395c28 --- /dev/null +++ b/SOURCES/0036-Issue-49731-undo-db_home_dir-under-dev-shm-dirsrv-fo.patch @@ -0,0 +1,76 @@ +From 9ab266c88350c3387a8521897cd599f80b0ec6be Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 21 Apr 2020 14:48:11 -0400 +Subject: [PATCH] Issue 49731 - undo db_home_dir under /dev/shm/dirsrv for now + +Bug Description: There are several issues with using /dec/shm/disrv/ + for the db home directory. Cantainers have issues, + and system reboots can cause issues too. + +Fix Description: Using just /dev/shm/slapd-INST solves all the permission + issues, but that requires a new selinux label, so + for now we will just set the db home directory to the + database directory (effectively disabling the change). + +relates: https://pagure.io/389-ds-base/issue/49731 + +Reviewed by: firstyear & tbordaz(Thanks!) +--- + ldap/admin/src/defaults.inf.in | 1 + + ldap/servers/slapd/util.c | 11 +++++++++++ + src/lib389/lib389/instance/setup.py | 5 +++-- + 3 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/ldap/admin/src/defaults.inf.in b/ldap/admin/src/defaults.inf.in +index f74929581..d60f24cda 100644 +--- a/ldap/admin/src/defaults.inf.in ++++ b/ldap/admin/src/defaults.inf.in +@@ -57,6 +57,7 @@ access_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/access + audit_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/audit + error_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/errors + db_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/db ++db_home_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/db + backup_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/bak + ldif_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/ldif + +diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c +index e1219c555..78ee68da9 100644 +--- a/ldap/servers/slapd/util.c ++++ b/ldap/servers/slapd/util.c +@@ -467,6 +467,17 @@ slapi_escape_filter_value(char *filter_str, int len) + } + } + ++/* replace c with c2 in str */ ++void ++replace_char(char *str, char c, char c2) ++{ ++ for (size_t i = 0; (str != NULL) && (str[i] != '\0'); i++) { ++ if (c == str[i]) { ++ str[i] = c2; ++ } ++ } ++} ++ + /* + ** This function takes a quoted attribute value of the form "abc", + ** and strips off the enclosing quotes. It also deals with quoted +diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py +index bb0ff32f5..887eae57c 100644 +--- a/src/lib389/lib389/instance/setup.py ++++ b/src/lib389/lib389/instance/setup.py +@@ -853,8 +853,9 @@ class SetupDs(object): + + # Do selinux fixups + if general['selinux']: +- selinux_paths = ('backup_dir', 'cert_dir', 'config_dir', 'db_dir', 'ldif_dir', +- 'lock_dir', 'log_dir', 'run_dir', 'schema_dir', 'tmp_dir') ++ selinux_paths = ('backup_dir', 'cert_dir', 'config_dir', 'db_dir', ++ 'ldif_dir', 'lock_dir', 'log_dir', ++ 'run_dir', 'schema_dir', 'tmp_dir') + for path in selinux_paths: + selinux_restorecon(slapd[path]) + +-- +2.26.2 + diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index d5ee368..39a2325 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -45,7 +45,7 @@ ExcludeArch: i686 Summary: 389 Directory Server (base) Name: 389-ds-base Version: 1.4.2.4 -Release: %{?relprefix}8%{?prerel}%{?dist} +Release: %{?relprefix}10%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org Group: System Environment/Daemons @@ -118,8 +118,6 @@ BuildRequires: python%{python3_pkgversion}-libselinux # For cockpit BuildRequires: rsync -BuildRequires: npm -BuildRequires: nodejs Requires: %{name}-libs = %{version}-%{release} Requires: python%{python3_pkgversion}-lib389 = %{version}-%{release} @@ -211,6 +209,8 @@ Patch31: 0031-Issue-50886-Typo-in-the-replication-debug-message.patch Patch32: 0032-Issue-50882-Fix-healthcheck-errors-for-instances-tha.patch Patch33: 0033-Ticket-50490-objects-and-memory-leaks.patch Patch34: 0034-Issue-50780-Fix-UI-issues.patch +Patch35: 0035-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch +Patch36: 0036-Issue-49731-undo-db_home_dir-under-dev-shm-dirsrv-fo.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -309,7 +309,7 @@ Group: Development/Libraries Requires: openssl Requires: iproute Requires: platform-python -Requires: bash-completion +Recommends: bash-completion Requires: python%{python3_pkgversion}-ldap Requires: python%{python3_pkgversion}-six Requires: python%{python3_pkgversion}-pyasn1 @@ -808,6 +808,16 @@ exit 0 %doc README.md %changelog +* Mon Aug 24 2020 Mark Reynolds - 1.4.2.4-10 +- Bump version to 1.4.2.4-10 +- Resolves: Bug 1862170 - fix default.ini file + +* Fri Aug 21 2020 Mark Reynolds - 1.4.2.4-9 +- Bump version to 1.4.2.4-9 +- Resolves: Bug 1867097 - Memory leak in ACI using IP subject +- Resolves: Bug 1862170 - python3-lib389 pulls unnecessary bash-completion package +- Resolves: Bug 1867988 - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version + * Fri Mar 6 2020 Mark Reynolds - 1.4.2.4-8 - Bump version to 1.4.2.4-8 - Resolves: Bug 1807971 - dsctl healthcheck fails at checking replica when conflict entries are present