diff --git a/SOURCES/libexec-update-ppolicy-schema.sh b/SOURCES/libexec-update-ppolicy-schema.sh new file mode 100755 index 0000000..a853b27 --- /dev/null +++ b/SOURCES/libexec-update-ppolicy-schema.sh @@ -0,0 +1,142 @@ +#!/bin/bash +# This script serves one purpose, to add a possibly missing attribute +# to a ppolicy schema in a dynamic configuration of OpenLDAP. This +# attribute was introduced in openldap-2.4.43 and slapd will not +# start without it later on. +# +# The script tries to update in a directory given as first parameter, +# or in /etc/openldap/slapd.d implicitly. +# +# Author: Matus Honek +# Bugzilla: #1487857 + +function log { + echo "Update dynamic configuration: " $@ + true +} + +function iferr { + if [ $? -ne 0 ]; then + log "ERROR: " $@ + true + else + false + fi +} + +function update { + set -u + shopt -s extglob + + ORIGINAL="${1:-/etc/openldap/slapd.d}" + ORIGINAL="${ORIGINAL%*(/)}" + + ### check if necessary + grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null + [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0 + + ### prep + log "Prepare environment." + + TEMPDIR=$(mktemp -d) + iferr "Could not create a temporary directory. Quitting." && return 1 + DBDIR="${TEMPDIR}/db" + SUBDBDIR="${DBDIR}/cn=temporary" + + mkdir "${DBDIR}" + iferr "Could not create temporary configuration directory. Quitting." && return 1 + cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}" + iferr "Could not copy configuration. Quitting." && return 1 + + pushd "$TEMPDIR" >/dev/null + + cat > temp.conf </dev/null 2>&1 & + SLAPDPID="$!" + sleep 2 + + ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null \ + | sed '/^$/d') + DN=$(printf "$RES" | grep '^dn:') + OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'") + NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }" + + test $(echo "$DN" | wc -l) = 1 + iferr "Received more than one DN. Cannot continue. Quitting." && return 1 + test "$NEWOC" != "$OC" + iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1 + + ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null + + ### apply + log "Apply changes." + cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup" + iferr "Backing up old configuration failed. Quitting." && return 1 + cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL" + iferr "Applying new configuration failed. Quitting." && return 1 + + ### clean up + log "Clean up." + kill "$SLAPDPID" + SLAPDPID= + rm -rf "$TEMPDIR" + TEMPDIR= +} + +SLAPDPID= +TEMPDIR= +update "$1" +if [ $? -ne 0 ]; then + log "Clean up." + echo "$SLAPDPID" + echo "$TEMPDIR" + kill "$SLAPDPID" + rm -rf "$TEMPDIR" +fi +log "Finished." diff --git a/SOURCES/openldap-autoconf-pkgconfig-nss.patch b/SOURCES/openldap-autoconf-pkgconfig-nss.patch deleted file mode 100644 index 8b4bb19..0000000 --- a/SOURCES/openldap-autoconf-pkgconfig-nss.patch +++ /dev/null @@ -1,49 +0,0 @@ -Use pkg-config for Mozilla NSS library detection - -Author: Jan Vcelak - ---- - configure.in | 22 +++++----------------- - 1 file changed, 5 insertions(+), 17 deletions(-) - -diff --git a/configure.in b/configure.in -index ecffe30..2a9cfb4 100644 ---- a/configure.in -+++ b/configure.in -@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then - fi - fi - --dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3 --dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs --dnl are not in the default system location - if test $ol_link_tls = no ; then - if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then -- have_moznss=no -- AC_CHECK_HEADERS([nssutil.h]) -- if test "$ac_cv_header_nssutil_h" = yes ; then -- AC_CHECK_LIB([nss3], [NSS_Initialize], -- [ have_moznss=yes ], [ have_moznss=no ]) -- fi -+ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no]) - -- if test "$have_moznss" = yes ; then -+ if test $have_moznss = yes ; then - ol_with_tls=moznss - ol_link_tls=yes -- AC_DEFINE(HAVE_MOZNSS, 1, -- [define if you have MozNSS]) -- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" -- else -- if test $ol_with_tls = moznss ; then -- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)]) -- fi -+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS]) -+ TLS_LIBS="$MOZNSS_LIBS" -+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS" - fi - fi - fi --- -1.7.11.7 - diff --git a/SOURCES/openldap-man-ldap-conf.patch b/SOURCES/openldap-man-ldap-conf.patch new file mode 100644 index 0000000..5dbf2fb --- /dev/null +++ b/SOURCES/openldap-man-ldap-conf.patch @@ -0,0 +1,25 @@ +This patch makes clear what is the actual behavior in RHEL due to bug #38402. + +Author: Matus Honek +Resolves: #1498841 + +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -25,7 +25,7 @@ in their home directory which will be used to override the system-wide + defaults file. + The file + .I ldaprc +-in the current working directory is also used. ++in the current working directory is \fBNOT\fP used (this differs from upstream). + .LP + .LP + Additional configuration files can be specified using +@@ -50,7 +50,7 @@ Thus the following files and variables are read, in order: + .nf + variable $LDAPNOINIT, and if that is not set: + system file ETCDIR/ldap.conf, +- user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, ++ user files $HOME/ldaprc, $HOME/.ldaprc, (\fBNOT\fP ./ldaprc, see above), + system file $LDAPCONF, + user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, + variables $LDAP. diff --git a/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch b/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch deleted file mode 100644 index d20e48a..0000000 --- a/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch +++ /dev/null @@ -1,86 +0,0 @@ -MozNSS: load certificates from certdb, fallback to PEM - -If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS -certificate database, the backend assumed that the certificate is always -located in the certificate database. This assumption might be wrong. - -This patch makes the library to try to load the certificate from NSS -database and fallback to PEM file if unsuccessfull. - -Author: Jan Vcelak -Upstream ITS: #7389 -Resolves: #857455 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 6847bea..8339391 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx ) - /* prefer unlocked key, then key from opened certdb, then any other */ - if ( unlocked_key ) - ctx->tc_private_key = unlocked_key; -- else if ( ctx->tc_certdb_slot ) -+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem ) - ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg ); - else - ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg ); -@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg ) - } - return -1; - } -- -- ctx->tc_using_pem = PR_TRUE; - } - - NSS_SetDomesticPolicy(); -@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg ) - - /* set up our cert and key, if any */ - if ( lt->lt_certfile ) { -- /* if using the PEM module, load the PEM file specified by lt_certfile */ -- /* otherwise, assume this is the name of a cert already in the db */ -- if ( ctx->tc_using_pem ) { -- /* this sets ctx->tc_certificate to the correct value */ -- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ); -- if ( rc ) { -- return rc; -- } -- } else { -+ -+ /* first search in certdb (lt_certfile is nickname) */ -+ if ( ctx->tc_certdb ) { - char *tmp_certname; - - if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) { -@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg ) - Debug( LDAP_DEBUG_ANY, - "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n", - lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -+ } -+ } -+ -+ /* fallback to PEM module (lt_certfile is filename) */ -+ if ( !ctx->tc_certificate ) { -+ if ( !pem_module && tlsm_init_pem_module() ) { -+ int pem_errcode = PORT_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n", -+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - return -1; - } -+ -+ /* this sets ctx->tc_certificate to the correct value */ -+ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) { -+ ctx->tc_using_pem = PR_TRUE; -+ } -+ } -+ -+ if ( ctx->tc_certificate ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile, -+ ctx->tc_using_pem ? "PEM file" : "moznss database", 0); -+ } else { -+ return -1; - } - } - diff --git a/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch b/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch deleted file mode 100644 index 896dd75..0000000 --- a/SOURCES/openldap-nss-ciphers-use-nss-defaults.patch +++ /dev/null @@ -1,26 +0,0 @@ -Use what NSS considers default for DEFAULT cipher string. - -Author: Matus Honek -Resolves: #1245279 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -645,7 +645,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - } - } else if (!strcmp(cipher, "DEFAULT")) { - for (i=0; i -Original-Author: Martin Poole -Resolves: #1231522 -Related: #1238322 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -215,7 +215,6 @@ typedef struct { - /* cipher attributes */ - #define SSL_kRSA 0x00000001L - #define SSL_aRSA 0x00000002L --#define SSL_RSA (SSL_kRSA|SSL_aRSA) - #define SSL_aDSA 0x00000004L - #define SSL_DSA SSL_aDSA - #define SSL_eNULL 0x00000008L -@@ -225,19 +224,27 @@ typedef struct { - #define SSL_RC2 0x00000080L - #define SSL_AES128 0x00000100L - #define SSL_AES256 0x00000200L --#define SSL_AES (SSL_AES128|SSL_AES256) - #define SSL_MD5 0x00000400L - #define SSL_SHA1 0x00000800L - #define SSL_kEDH 0x00001000L - #define SSL_CAMELLIA128 0x00002000L - #define SSL_CAMELLIA256 0x00004000L --#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) - #define SSL_SEED 0x00008000L - #define SSL_kECDH 0x00010000L - #define SSL_kECDHE 0x00020000L - #define SSL_aECDSA 0x00040000L - #define SSL_SHA256 0x00080000L - #define SSL_SHA384 0x00100000L -+#define SSL_kEECDH 0x00200000L -+#define SSL_AESGCM 0x00400000L -+#define SSL_AEAD 0x00800000L -+#define SSL_CHACHA20POLY1305 0x02000000L -+ -+/* cipher attributes non-unique - do not use for definitions */ -+#define SSL_RSA 0x00000001L -+#define SSL_AES 0x00000002L -+#define SSL_CAMELLIA 0x00000004L -+#define SSL_ECDH 0x00000008L - - /* cipher strength */ - #define SSL_NULL 0x00000001L -@@ -247,6 +253,9 @@ typedef struct { - #define SSL_MEDIUM 0x00000010L - #define SSL_HIGH 0x00000020L - -+/* cipher strengths non-unique - do not use for definitions */ -+#define SSL_EXPORT 0x00000001L -+ - #define SSL2 0x00000001L - #define SSL3 0x00000002L - /* OpenSSL treats SSL3 and TLSv1 the same */ -@@ -609,10 +618,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - while ((*cipher) && (isspace(*cipher))) - ++cipher; - -- action = 1; - switch(*cipher) { -- case '+': /* Add something */ -- action = 1; -+ case '+': /* Do nothig. NSS does not support ordering. */ -+ Debug( LDAP_DEBUG_ARGS, -+ "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n", -+ 0, 0, 0 ); -+ action = 2; - cipher++; - break; - case '-': /* Subtract something */ -@@ -623,8 +634,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - action = -1; - cipher++; - break; -- default: -- /* do nothing */ -+ default: /* Add something */ -+ action = 1; - break; - } - -@@ -654,7 +665,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - } - } else { - int mask = 0; -+ int multi_mask = 0; -+ int negative_mask = 0; - int strength = 0; -+ int multi_strength = 0; - int protocol = 0; - char *c; - -@@ -665,16 +678,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - *c++ = '\0'; - } - -- if (!strcmp(cipher, "RSA")) { -- mask |= SSL_RSA; -+ if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) { -+ mask |= SSL_kRSA; -+ } else if (!strcmp(cipher, "aRSA")) { -+ mask |= SSL_aRSA; -+ negative_mask |= SSL_kECDH; - } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { - mask |= SSL_eNULL; - } else if (!strcmp(cipher, "AES128")) { - mask |= SSL_AES128; - } else if (!strcmp(cipher, "AES256")) { - mask |= SSL_AES256; -+ } else if (!strcmp(cipher, "AESGCM")) { -+ mask |= SSL_AESGCM; - } else if (!strcmp(cipher, "AES")) { -- mask |= SSL_AES; -+ multi_mask |= SSL_AES; - } else if (!strcmp(cipher, "3DES")) { - mask |= SSL_3DES; - } else if (!strcmp(cipher, "DES")) { -@@ -685,28 +705,45 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - mask |= SSL_RC2; - } else if (!strcmp(cipher, "MD5")) { - mask |= SSL_MD5; -- } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { -- mask |= SSL_SHA1; - } else if (!strcmp(cipher, "SHA256")) { - mask |= SSL_SHA256; -+ } else if (!strcmp(cipher, "SHA384")) { -+ mask |= SSL_SHA384; -+ } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { -+ mask |= SSL_SHA1; -- } else if (!strcmp(cipher, "EDH")) { -+ } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) { - mask |= SSL_kEDH; -- } else if (!strcmp(cipher, "DSS")) { -+ } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) { - mask |= SSL_aDSA; - } else if (!strcmp(cipher, "CAMELLIA128")) { - mask |= SSL_CAMELLIA128; - } else if (!strcmp(cipher, "CAMELLIA256")) { - mask |= SSL_CAMELLIA256; - } else if (!strcmp(cipher, "CAMELLIA")) { -- mask |= SSL_CAMELLIA; -+ multi_mask |= SSL_CAMELLIA; - } else if (!strcmp(cipher, "SEED")) { - mask |= SSL_SEED; -- } else if (!strcmp(cipher, "ECDH")) { -+ } else if (!strcmp(cipher, "kECDHe")) { -+ mask |= SSL_kECDH|SSL_aECDSA; -+ } else if (!strcmp(cipher, "kECDHr")) { -+ mask |= SSL_kECDH|SSL_aRSA; -+ } else if (!strcmp(cipher, "kECDH")) { -+ mask |= SSL_kECDH; -+ } else if (!strcmp(cipher, "aECDH")) { - mask |= SSL_kECDH; -+ } else if (!strcmp(cipher, "EECDH")) { -+ mask |= SSL_kECDHE; -+ } else if (!strcmp(cipher, "kEECDH")) { -+ mask |= SSL_kECDHE; - } else if (!strcmp(cipher, "ECDHE")) { - mask |= SSL_kECDHE; -- } else if (!strcmp(cipher, "ECDSA")) { -+ } else if (!strcmp(cipher, "ECDH")) { -+ multi_mask |= SSL_ECDH; -+ } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) { - mask |= SSL_aECDSA; -+ negative_mask |= SSL_kECDH; -+ } else if (!strcmp(cipher, "CHACHA20POLY1305")) { -+ mask |= SSL_CHACHA20POLY1305; - } else if (!strcmp(cipher, "SSLv2")) { - protocol |= SSL2; - } else if (!strcmp(cipher, "SSLv3")) { -@@ -721,12 +756,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - strength |= SSL_MEDIUM; - } else if (!strcmp(cipher, "LOW")) { - strength |= SSL_LOW; -- } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) { -- strength |= SSL_EXPORT40|SSL_EXPORT56; - } else if (!strcmp(cipher, "EXPORT40")) { - strength |= SSL_EXPORT40; - } else if (!strcmp(cipher, "EXPORT56")) { - strength |= SSL_EXPORT56; -+ } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) { -+ multi_strength |= SSL_EXPORT; - } - - if (c) -@@ -734,23 +769,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - - } /* while */ - -+ /* NSS does not support ordering */ -+ if (action == 2) -+ continue; -+ - /* If we have a mask, apply it. If not then perhaps they provided - * a specific cipher to enable. -+ * if more than one mask is provided then AND logic applies (to match openssl) - */ -- if (mask || strength || protocol) { -+ if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) { - for (i=0; i -Upstream ITS: #7388 -Resolves: #857373 - ---- - libraries/libldap/tls_m.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 49a3f8f..5ee21a2 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) - { - char sep = PR_GetDirectorySeparator(); - char *ptr = NULL; -+ char *chkpath = NULL; - struct PRFileInfo prfi; - PRStatus prc; - -@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) - return; - } - -- prc = PR_GetFileInfo( certdir, &prfi ); -+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */ -+ chkpath = strchr( certdir, ':' ); -+ if ( chkpath != NULL ) { -+ chkpath += 1; -+ } else { -+ chkpath = certdir; -+ } -+ - /* if certdir exists (file or directory) then it cannot specify a prefix */ -+ prc = PR_GetFileInfo( chkpath, &prfi ); - if ( prc == PR_SUCCESS ) { - return; - } --- -1.7.11.7 - diff --git a/SOURCES/openldap-nss-pk11-freeslot.patch b/SOURCES/openldap-nss-pk11-freeslot.patch deleted file mode 100644 index b128253..0000000 --- a/SOURCES/openldap-nss-pk11-freeslot.patch +++ /dev/null @@ -1,23 +0,0 @@ -Resolves: #1040324 - -Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec -Author: Rich Megginson -Date: Thu, 28 Mar 2013 19:05:02 -0600 -Modified by: Jan Synacek - -This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39. - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 072d41d..c59d303 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -2151,6 +2151,8 @@ - "TLS: could not close certdb slot - error %d:%s.\n", - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - } -+ PK11_FreeSlot( c->tc_certdb_slot ); -+ c->tc_certdb_slot = NULL; - } - if ( c->tc_pin_file ) { - PL_strfree( c->tc_pin_file ); - diff --git a/SOURCES/openldap-nss-protocol-version-new-api.patch b/SOURCES/openldap-nss-protocol-version-new-api.patch deleted file mode 100644 index b2de8f1..0000000 --- a/SOURCES/openldap-nss-protocol-version-new-api.patch +++ /dev/null @@ -1,88 +0,0 @@ -Implement new API for setting TLS protocol version. - -The code being deleted has been misplaced and it's effect has been -mangled by a code later on. This patch puts the code at the correct -place and introduces some more logging and error checking. - -Author: Matus Honek -RHBZ: #1249093 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg ) - } - } - -- /* -- * Set the SSL version range. MozNSS SSL versions are the same as openldap's: -- * -- * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_* -- */ -- SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */ -- range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min; -- variant = ssl_variant_stream; -- SSL_VersionRangeSetDefault(variant, &range); -- - NSS_SetDomesticPolicy(); - - PK11_SetPasswordFunc( tlsm_pin_prompt ); -@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg ) - 0, 0, 0 ); - return -1; - } -+ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) { -+ SSLVersionRange supported_range, default_range, selected_range; -+ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n", -+ 0, 0, 0 ); -+ return -1; -+ } else { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n", -+ supported_range.min, supported_range.max, 0); -+ } -+ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n", -+ 0, 0, 0 ); -+ return -1; -+ } else { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n", -+ default_range.min, default_range.max, 0); -+ } -+ selected_range.min = lt->lt_protocol_min; -+ selected_range.max = supported_range.max; -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: info: TLS configured protocol minimal version is %#04x.\n", -+ selected_range.min, selected_range.max, 0); -+ if ( (selected_range.min > supported_range.max) || -+ (selected_range.max < supported_range.min) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: selected protocol version range out of NSS-supported version range.\n", -+ 0, 0, 0); -+ return -1; -+ } else { -+ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n", -+ 0, 0, 0); -+ return -1; -+ } -+ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n", -+ 0, 0, 0); -+ return -1; -+ } else { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n", -+ selected_range.min, selected_range.max, 0); -+ } -+ } -+ } - - if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) { - Debug( LDAP_DEBUG_ANY, diff --git a/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch b/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch deleted file mode 100644 index 03493db..0000000 --- a/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch +++ /dev/null @@ -1,91 +0,0 @@ -MozNSS: better file name matching for hashed CA certificate directory - -CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name -should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used -to differentiate between two certificates with the same subject name. - -Wit this patch, certificate file names are matched correctly (using regular expressions). - -Author: Jan Vcelak -Upstream ITS: #7374 -Resolves: #852786 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 5e49fc5..61d71d4 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - #include "ldap-int.h" - #include "ldap-tls.h" -@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods; - - #define PEM_LIBRARY "nsspem" - #define PEM_MODULE "PEM" --/* hash files for use with cacertdir have this file name suffix */ --#define PEM_CA_HASH_FILE_SUFFIX ".0" --#define PEM_CA_HASH_FILE_SUFFIX_LEN 2 -+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$" - - static SECMODModule *pem_module; - -@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir - PRDir *dir; - PRDirEntry *entry; - PRStatus fistatus = PR_FAILURE; -+ regex_t hashfile_re; - - memset( &fi, 0, sizeof(fi) ); - fistatus = PR_GetFileInfo( cacertdir, &fi ); -@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir - goto done; - } - -+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) { -+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 ); -+ goto done; -+ } -+ - do { - entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN ); - if ( ( NULL != entry ) && ( NULL != entry->name ) ) { - char *fullpath = NULL; -- char *ptr; -+ int match; - -- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX ); -- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) { -+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 ); -+ if ( match == REG_NOMATCH ) { - Debug( LDAP_DEBUG_TRACE, -- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate " -- "directory file with a properly hashed file name - skipping.\n", -- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 ); -+ "TLS: skipping '%s' - filename does not have expected format " -+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 ); -+ continue; -+ } else if ( match != 0 ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: cannot execute regex for CA hash file matching (%d).\n", -+ match, 0, 0 ); - continue; - } -+ - fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); - if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { - Debug( LDAP_DEBUG_TRACE, -@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir - PR_smprintf_free( fullpath ); - } - } while ( NULL != entry ); -+ regfree ( &hashfile_re ); - PR_CloseDir( dir ); - } - done: --- -1.7.11.4 - diff --git a/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch b/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch deleted file mode 100644 index 03b8611..0000000 --- a/SOURCES/openldap-nss-reregister-nss-shutdown-callback.patch +++ /dev/null @@ -1,50 +0,0 @@ -NSS: re-register NSS_Shutdown callback - -Original upstream comment: -""" -When there's a persistent daemon for auth and it sets LDAP_OPT_X_TLS_NEWCTX, it -fails to auth at third login. - -1. everything is good and destroyed after use but -tlsm_register_shutdown_callonce.initialized=1. -2. still good but because tlsm_register_shutdown_callonce.initialized==1, it -fails to register shutdown function. - so pem_module is not destroyed at the end. -3. pem_module is not NULL so it's not initialized again and not added to modules -list. And Login fails. -""" - -Sent-By: soohoon.lee@f5.com -Original-Name: soohoon-lee-160823.patch -Upstream-ITS: 8484 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index cdf7f8e..cf05914 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -1145,6 +1145,8 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, - return ret; - } - -+static PRCallOnceType tlsm_register_shutdown_callonce = {0,0}; -+ - static SECStatus - tlsm_nss_shutdown_cb( void *appData, void *nssData ) - { -@@ -1157,10 +1159,15 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData ) - SECMOD_DestroyModule( pem_module ); - pem_module = NULL; - } -+ -+ /* init callonce so it can be armed again for cases like persistent daemon with LDAP_OPT_X_TLS_NEWCTX */ -+ tlsm_register_shutdown_callonce.initialized = 0; -+ tlsm_register_shutdown_callonce.inProgress = 0; -+ tlsm_register_shutdown_callonce.status = 0; -+ - return rc; - } - --static PRCallOnceType tlsm_register_shutdown_callonce = {0,0}; - static PRStatus PR_CALLBACK - tlsm_register_nss_shutdown_cb( void ) - { diff --git a/SOURCES/openldap-nss-unregister-on-unload.patch b/SOURCES/openldap-nss-unregister-on-unload.patch deleted file mode 100644 index d815fc2..0000000 --- a/SOURCES/openldap-nss-unregister-on-unload.patch +++ /dev/null @@ -1,39 +0,0 @@ -fix: OpenLDAP crash in NSS shutdown handling - -Resolves: #1158005 -Related: #1231228 #1249977 -Author: Jan Synacek -Modified-By: Matus Honek - ---- a/libraries/libldap/init.c -+++ b/libraries/libldap/init.c -@@ -473,7 +473,7 @@ static void openldap_ldap_init_w_env( - * Sorry, don't know how to handle this for non-GCC environments. - */ - static void ldap_int_destroy_global_options(void) -- __attribute__ ((destructor)); -+ __attribute__ ((destructor (2))); - #endif - - static void ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -1931,6 +1931,18 @@ tlsm_clientauth_init( tlsm_ctx *ctx ) - return ( status == SECSuccess ? 0 : -1 ); - } - -+#if defined(__GNUC__) -+static void -+tlsm_destroy_on_unload(void) __attribute__ ((destructor (1))); -+ -+static void -+tlsm_destroy_on_unload(void) -+{ -+ if (NSS_IsInitialized()) -+ NSS_UnregisterShutdown(tlsm_nss_shutdown_cb, NULL); -+} -+#endif -+ - /* - * Tear down the TLS subsystem. Should only be called once. - */ diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch deleted file mode 100644 index 23f136b..0000000 --- a/SOURCES/openldap-nss-update-list-of-ciphers.patch +++ /dev/null @@ -1,267 +0,0 @@ -This patch updates MozNSS cipher suite definition in OpenLDAP. - -Author: Matus Honek -Related: #1245279 - -Combined two previous patches into one: -Author: Martin Poole -Author: Jan Vcelak -Related: #1231522 #1160467 -Upstream ITS: #7374 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -76,6 +76,11 @@ - #define HAVE_SECMOD_RESTARTMODULES 1 - #endif - -+/* NSS 3.20.0 and later have SHA384 ciphers */ -+#if NSS_VERSION_INT >= 0x03140000 -+#define HAVE_SHA384_CIPHERS 1 -+#endif -+ - /* InitContext does not currently work in server mode */ - /* #define INITCONTEXT_HACK 1 */ - -@@ -203,27 +208,36 @@ typedef struct { - int num; /* The cipher id */ - int attr; /* cipher attributes: algorithms, etc */ - int version; /* protocol version valid for this cipher */ -- int bits; /* bits of strength */ -- int alg_bits; /* bits of the algorithm */ - int strength; /* LOW, MEDIUM, HIGH */ - int enabled; /* Enabled by default? */ - } cipher_properties; - - /* cipher attributes */ --#define SSL_kRSA 0x00000001L --#define SSL_aRSA 0x00000002L --#define SSL_aDSS 0x00000004L --#define SSL_DSS SSL_aDSS --#define SSL_eNULL 0x00000008L --#define SSL_DES 0x00000010L --#define SSL_3DES 0x00000020L --#define SSL_RC4 0x00000040L --#define SSL_RC2 0x00000080L --#define SSL_AES 0x00000100L --#define SSL_MD5 0x00000200L --#define SSL_SHA1 0x00000400L --#define SSL_SHA SSL_SHA1 --#define SSL_RSA (SSL_kRSA|SSL_aRSA) -+#define SSL_kRSA 0x00000001L -+#define SSL_aRSA 0x00000002L -+#define SSL_RSA (SSL_kRSA|SSL_aRSA) -+#define SSL_aDSA 0x00000004L -+#define SSL_DSA SSL_aDSA -+#define SSL_eNULL 0x00000008L -+#define SSL_DES 0x00000010L -+#define SSL_3DES 0x00000020L -+#define SSL_RC4 0x00000040L -+#define SSL_RC2 0x00000080L -+#define SSL_AES128 0x00000100L -+#define SSL_AES256 0x00000200L -+#define SSL_AES (SSL_AES128|SSL_AES256) -+#define SSL_MD5 0x00000400L -+#define SSL_SHA1 0x00000800L -+#define SSL_kEDH 0x00001000L -+#define SSL_CAMELLIA128 0x00002000L -+#define SSL_CAMELLIA256 0x00004000L -+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) -+#define SSL_SEED 0x00008000L -+#define SSL_kECDH 0x00010000L -+#define SSL_kECDHE 0x00020000L -+#define SSL_aECDSA 0x00040000L -+#define SSL_SHA256 0x00080000L -+#define SSL_SHA384 0x00100000L - - /* cipher strength */ - #define SSL_NULL 0x00000001L -@@ -237,32 +251,120 @@ typedef struct { - #define SSL3 0x00000002L - /* OpenSSL treats SSL3 and TLSv1 the same */ - #define TLS1 SSL3 -+#define TLS1_2 0x00000004L - - /* Cipher translation */ - static cipher_properties ciphers_def[] = { -- /* SSL 2 ciphers */ -- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED}, -- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- -- /* SSL3 ciphers */ -- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED}, -- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED}, -- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED}, -- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, -- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, -+ -+ /* -+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2 -+ */ -+ -+ /* SSLv2 ciphers */ -+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW}, -+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH}, -+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM}, -+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM}, -+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40}, -+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40}, -+ -+ /* SSLv3 ciphers */ -+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL}, -+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL}, -+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, -+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, -+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM}, -+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM}, -+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40}, -+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40}, -+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, -+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, -+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, -+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, - - /* TLSv1 ciphers */ -- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, -- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, -- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED}, -- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED}, -+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56}, -+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56}, -+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM}, -+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, -+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, -+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, -+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, -+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, -+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, -+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, -+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL}, -+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM}, -+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH}, -+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH}, -+ -+/* conditional on one of the newer defs */ -+#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256 -+ /* TLSv1.2 ciphers */ -+ /* The following ciphers appear in the openssl sources as TLSv1.2 but currently have no NSS equivalent -+ -+ DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD -+ ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD -+ ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD -+ ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384 -+ ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384 -+ ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD -+ ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD -+ ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256 -+ ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 -+ -+ */ -+ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL}, -+ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"AES256-GCM-SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ -+ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"DHE-RSA-AES256-GCM-SHA384", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ -+ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"DHE-DSS-AES256-GCM-SHA384", TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ -+ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH}, -+ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"ECDHE-ECDSA-AES256-GCM-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"ECDHE-RSA-AES256-GCM-SHA384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH}, -+ {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH}, -+#endif -+ -+ {"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, -+ {"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH}, - }; - - #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) -@@ -574,6 +673,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - mask |= SSL_RSA; - } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { - mask |= SSL_eNULL; -+ } else if (!strcmp(cipher, "AES128")) { -+ mask |= SSL_AES128; -+ } else if (!strcmp(cipher, "AES256")) { -+ mask |= SSL_AES256; - } else if (!strcmp(cipher, "AES")) { - mask |= SSL_AES; - } else if (!strcmp(cipher, "3DES")) { -@@ -588,12 +691,34 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - mask |= SSL_MD5; - } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { - mask |= SSL_SHA1; -+ } else if (!strcmp(cipher, "SHA256")) { -+ mask |= SSL_SHA256; -+ } else if (!strcmp(cipher, "EDH")) { -+ mask |= SSL_kEDH; -+ } else if (!strcmp(cipher, "DSS")) { -+ mask |= SSL_aDSA; -+ } else if (!strcmp(cipher, "CAMELLIA128")) { -+ mask |= SSL_CAMELLIA128; -+ } else if (!strcmp(cipher, "CAMELLIA256")) { -+ mask |= SSL_CAMELLIA256; -+ } else if (!strcmp(cipher, "CAMELLIA")) { -+ mask |= SSL_CAMELLIA; -+ } else if (!strcmp(cipher, "SEED")) { -+ mask |= SSL_SEED; -+ } else if (!strcmp(cipher, "ECDH")) { -+ mask |= SSL_kECDH; -+ } else if (!strcmp(cipher, "ECDHE")) { -+ mask |= SSL_kECDHE; -+ } else if (!strcmp(cipher, "ECDSA")) { -+ mask |= SSL_aECDSA; - } else if (!strcmp(cipher, "SSLv2")) { - protocol |= SSL2; - } else if (!strcmp(cipher, "SSLv3")) { - protocol |= SSL3; - } else if (!strcmp(cipher, "TLSv1")) { - protocol |= TLS1; -+ } else if (!strcmp(cipher, "TLSv1.2")) { -+ protocol |= TLS1_2; - } else if (!strcmp(cipher, "HIGH")) { - strength |= SSL_HIGH; - } else if (!strcmp(cipher, "MEDIUM")) { diff --git a/SOURCES/openldap-ssl-deadlock-revert.patch b/SOURCES/openldap-ssl-deadlock-revert.patch deleted file mode 100644 index 89ebed0..0000000 --- a/SOURCES/openldap-ssl-deadlock-revert.patch +++ /dev/null @@ -1,54 +0,0 @@ -fix: deadlock during SSL_ForceHandshake when getting connection to replica - -Resolves: #1125152 -Author: Jan Synacek - ---- a/libraries/libldap/tls_m.c 2015-05-25 12:28:30.326645997 +0200 -+++ b/libraries/libldap/tls_m.c 2015-05-25 12:33:38.143399149 +0200 -@@ -141,7 +141,6 @@ static int tlsm_init( void ); - */ - static ldap_pvt_thread_mutex_t tlsm_ctx_count_mutex; - static ldap_pvt_thread_mutex_t tlsm_init_mutex; --static ldap_pvt_thread_mutex_t tlsm_pem_mutex; - static PRCallOnceType tlsm_init_mutex_callonce = {0,0}; - - static PRStatus PR_CALLBACK -@@ -159,12 +158,6 @@ tlsm_thr_init_callonce( void ) - return PR_FAILURE; - } - -- if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) { -- Debug( LDAP_DEBUG_ANY, -- "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 ); -- return PR_FAILURE; -- } -- - return PR_SUCCESS; - } - -@@ -2037,7 +2030,6 @@ tlsm_destroy( void ) - #ifdef LDAP_R_COMPILE - ldap_pvt_thread_mutex_destroy( &tlsm_ctx_count_mutex ); - ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex ); -- ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex ); - #endif - } - -@@ -2672,16 +2664,9 @@ static int - tlsm_session_accept_or_connect( tls_session *session, int is_accept ) - { - tlsm_session *s = (tlsm_session *)session; -- int rc; -+ int rc = SSL_ForceHandshake( s ); - const char *op = is_accept ? "accept" : "connect"; - -- if ( pem_module ) { -- LDAP_MUTEX_LOCK( &tlsm_pem_mutex ); -- } -- rc = SSL_ForceHandshake( s ); -- if ( pem_module ) { -- LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex ); -- } - if ( rc ) { - PRErrorCode err = PR_GetError(); - rc = -1; diff --git a/SOURCES/openldap-support-tlsv1-and-later.patch b/SOURCES/openldap-support-tlsv1-and-later.patch deleted file mode 100644 index b8cc0f8..0000000 --- a/SOURCES/openldap-support-tlsv1-and-later.patch +++ /dev/null @@ -1,54 +0,0 @@ -Support TLSv1 and later. - -Author: Mark Reynolds -Backported-by: Jan Synacek -Upstream ITS: #7979 -Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00 - ---- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100 -+++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100 -@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD - case SSL_ERROR_BAD_CERT_DOMAIN: - break; - default: -- success = SECFailure; -+ success = SECFailure; - break; - } - -@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg ) - NSSInitContext *initctx = NULL; - PK11SlotInfo *certdb_slot = NULL; - #endif -+ SSLVersionRange range; -+ SSLProtocolVariant variant; - SECStatus rc; - int done = 0; - -@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg ) - } - } - -+ /* -+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's: -+ * -+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_* -+ */ -+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */ -+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min; -+ variant = ssl_variant_stream; -+ SSL_VersionRangeSetDefault(variant, &range); -+ - NSS_SetDomesticPolicy(); - - PK11_SetPasswordFunc( tlsm_pin_prompt ); ---- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200 -+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100 -@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1) - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2) - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3) -+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4) - - /* OpenLDAP SASL options */ - #define LDAP_OPT_X_SASL_MECH 0x6100 diff --git a/SOURCES/openldap-temporary-ssl-thr-init-race.patch b/SOURCES/openldap-temporary-ssl-thr-init-race.patch deleted file mode 100644 index 9fd896b..0000000 --- a/SOURCES/openldap-temporary-ssl-thr-init-race.patch +++ /dev/null @@ -1,42 +0,0 @@ -Temporary patch that fixes a thread initialization race condition when -using secure connection. - -This patch is *not* correct, as the problem only happens when using -NSS. Either the code in tls_m.c is broken, or the nspr library call -(PR_CallOnce) doesn't work as expected. - -Resolves: #1294385 -Backported-From: #1144294 - ---- a/libraries/libldap/tls2.c 2014-09-19 03:48:49.000000000 +0200 -+++ b/libraries/libldap/tls2.c 2015-05-21 09:32:21.034395985 +0200 -@@ -149,6 +149,9 @@ ldap_pvt_tls_destroy( void ) - tls_imp->ti_tls_destroy(); - } - -+#ifdef LDAP_R_COMPILE -+static pthread_once_t tlsm_initialized = PTHREAD_ONCE_INIT; -+#endif - /* - * Initialize a particular TLS implementation. - * Called once per implementation. -@@ -158,6 +161,10 @@ tls_init(tls_impl *impl ) - { - static int tls_initialized = 0; - -+#ifdef LDAP_R_COMPILE -+ (void)pthread_once(&tlsm_initialized, impl->ti_thr_init); -+#endif -+ - if ( !tls_initialized++ ) { - #ifdef LDAP_R_COMPILE - ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex ); -@@ -166,9 +173,6 @@ tls_init(tls_impl *impl ) - - if ( impl->ti_inited++ ) return 0; - --#ifdef LDAP_R_COMPILE -- impl->ti_thr_init(); --#endif - return impl->ti_tls_init(); - } diff --git a/SOURCES/openldap-tls-no-reuse-of-tls_session.patch b/SOURCES/openldap-tls-no-reuse-of-tls_session.patch deleted file mode 100644 index 5c397d1..0000000 --- a/SOURCES/openldap-tls-no-reuse-of-tls_session.patch +++ /dev/null @@ -1,92 +0,0 @@ -TLS: do not reuse tls_session if hostname check fails - -If multiple servers are specified, the connection to the first one succeeds, and the hostname verification fails, -*tls_session is not dropped, but reused when connecting to the second server. - -This is a problem with Mozilla NSS backend because another handshake cannot be performed on the same file descriptor. -From this reason, hostname checking was moved into ldap_int_tls_connect() before connection error handling. - -Author: Jan Vcelak -Upstream ITS: #7373 -Resolves: #852476 - -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index 10b993b..a3cd590 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -320,7 +320,7 @@ update_flags( Sockbuf *sb, tls_session * ssl, int rc ) - */ - - static int --ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) -+ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host ) - { - Sockbuf *sb = conn->lconn_sb; - int err; -@@ -365,6 +365,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) - errno = WSAGetLastError(); - #endif - -+ if ( err == 0 ) { -+ err = ldap_pvt_tls_check_hostname( ld, ssl, host ); -+ } -+ - if ( err < 0 ) - { - char buf[256], *msg; -@@ -495,7 +499,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in ) - { - tls_session *session = s; - -- return tls_imp->ti_session_chkhost( ld, session, name_in ); -+ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && -+ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { -+ ld->ld_errno = tls_imp->ti_session_chkhost( ld, session, name_in ); -+ if (ld->ld_errno != LDAP_SUCCESS) { -+ return ld->ld_errno; -+ } -+ } -+ -+ return LDAP_SUCCESS; - } - - int -@@ -857,7 +869,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) - #endif /* LDAP_USE_NON_BLOCKING_TLS */ - - ld->ld_errno = LDAP_SUCCESS; -- ret = ldap_int_tls_connect( ld, conn ); -+ ret = ldap_int_tls_connect( ld, conn, host ); - - #ifdef LDAP_USE_NON_BLOCKING_TLS - while ( ret > 0 ) { /* this should only happen for non-blocking io */ -@@ -878,7 +890,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) - } else { - /* ldap_int_poll called ldap_pvt_ndelay_off */ - ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb ); -- ret = ldap_int_tls_connect( ld, conn ); -+ ret = ldap_int_tls_connect( ld, conn, host ); - if ( ret > 0 ) { /* need to call tls_connect once more */ - struct timeval curr_time_tv, delta_tv; - -@@ -935,20 +947,6 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) - return (ld->ld_errno); - } - -- ssl = ldap_pvt_tls_sb_ctx( sb ); -- assert( ssl != NULL ); -- -- /* -- * compare host with name(s) in certificate -- */ -- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && -- ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { -- ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); -- if (ld->ld_errno != LDAP_SUCCESS) { -- return ld->ld_errno; -- } -- } -- - return LDAP_SUCCESS; - } - diff --git a/SOURCES/openldap-tlsmc.patch b/SOURCES/openldap-tlsmc.patch new file mode 100644 index 0000000..b498a41 --- /dev/null +++ b/SOURCES/openldap-tlsmc.patch @@ -0,0 +1,1792 @@ +MozNSS Interception Code + +Author: Matus Honek +Date: Wed Jan 31 22:08:28 CET 2018 +diff --git a/configure.in b/configure.in +--- a/configure.in ++++ b/configure.in +@@ -237,6 +237,7 @@ dnl OL_ARG_ENABLE(referrals,[ --enable-referrals enable LDAPv2+ Referrals (ex + ol_enable_referrals=${ol_enable_referrals-no} + OL_ARG_ENABLE(ipv6,[ --enable-ipv6 enable IPv6 support], auto)dnl + OL_ARG_ENABLE(local,[ --enable-local enable AF_LOCAL (AF_UNIX) socket support], auto)dnl ++OL_ARG_ENABLE(moznss_compatibility,[ --enable-moznss-compatibility enable MozNSS compatibility], no)dnl + + dnl ---------------------------------------------------------------- + dnl General "with" options +@@ -1256,6 +1257,26 @@ if test $ol_link_tls = no ; then + fi + fi + ++if test $ol_enable_moznss_compatibility = yes ; then ++ if test $have_openssl = yes ; then ++ if test $ol_with_tls = openssl ; then ++ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss_libs=yes], [have_moznss_libs=no]) ++ if test $have_moznss_libs = yes ; then ++ AC_DEFINE(HAVE_MOZNSS_COMPATIBILITY, 1, ++ [define if you want to support MozNSS databases when compiled with OpenSSL]) ++ TLS_LIBS="$TLS_LIBS $MOZNSS_LIBS" ++ CFLAGS="$CFLAGS $MOZNSS_CFLAGS" ++ else ++ AC_MSG_ERROR([For MOZNSS_COMPATIBILITY you have to have MozNSS present.]) ++ fi ++ else ++ AC_MSG_ERROR([For MOZNSS_COMPATIBILITY you have to compile with OpenSSL for crypto. (see --with-tls flag)]) ++ fi ++ else ++ AC_MSG_ERROR([For MOZNSS_COMPATIBILITY you have to have OpenSSL devel available. (unable to build with OpenSSL)]) ++ fi ++fi ++ + WITH_TLS=no + if test $ol_link_tls = yes ; then + AC_DEFINE(HAVE_TLS, 1, [define if you have TLS]) +diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 +--- a/doc/man/man3/ldap_get_option.3 ++++ b/doc/man/man3/ldap_get_option.3 +@@ -772,6 +772,19 @@ must be + When using the OpenSSL library this is an SSL*. When using other + crypto libraries this is a pointer to an OpenLDAP private structure. + Applications generally should not use this option. ++.TP ++.B LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY ++Sets/gets the status of the MozNSS database compatibility layer for TLS options. This options is available only if OpenLDAP is compiled with OpenSSL. This has effect only before the TLS context is established. ++This option defaults to be on. ++.BR invalue ++should either be ++.BR LDAP_OPT_OFF ++or ++.BR LDAP_OPT_ON ; ++.BR outvalue ++must be ++.BR "int *" . ++When set, just before TLS context initialization the library will first check if TLS settings are MozNSS-specific and if so it will export certificates from a preconfigured database and set other TLS settings so that OpenSSL can continue without issues. + .SH ERRORS + On success, the functions return + .BR LDAP_OPT_SUCCESS , +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -483,6 +483,11 @@ Check the CRL for a whole certificate chain + Specifies the file containing a Certificate Revocation List to be used + to verify if the server certificates have not been revoked. This + parameter is only supported with GnuTLS and Mozilla NSS. ++.RE ++.TP ++.B TLS_MOZNSS_COMPATIBILITY ++Specifies whether the MozNSS database compatibility layer for TLS options should be enabled. This options is available only if OpenLDAP is compiled with OpenSSL. ++This option defaults to be on. + .SH "ENVIRONMENT VARIABLES" + .TP + LDAPNOINIT +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -1004,6 +1004,11 @@ Check the CRL for a whole certificate chain + Specifies a file containing a Certificate Revocation List to be used + for verifying that certificates have not been revoked. This parameter + is only valid when using GnuTLS or Mozilla NSS. ++.RE ++.TP ++.B olcTLSMozNSSCompatibility ++Specifies whether the MozNSS database compatibility layer for TLS options should be enabled. This options is available only if OpenLDAP is compiled with OpenSSL. ++This option defaults to be on. + .SH DYNAMIC MODULE OPTIONS + If + .B slapd +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -1235,6 +1235,11 @@ Check the CRL for a whole certificate chain + Specifies a file containing a Certificate Revocation List to be used + for verifying that certificates have not been revoked. This directive is + only valid when using GnuTLS and Mozilla NSS. ++.RE ++.TP ++.B TLSMozNSSCompatibility ++Specifies whether the MozNSS database compatibility layer for TLS options should be enabled. This options is available only if OpenLDAP is compiled with OpenSSL. ++This option defaults to be on. + .SH GENERAL BACKEND OPTIONS + Options in this section only apply to the configuration file section + for the specified backend. They are supported by every +diff --git a/include/ldap.h b/include/ldap.h +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -158,6 +158,10 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_NEWCTX 0x600f + #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ + #define LDAP_OPT_X_TLS_PACKAGE 0x6011 ++#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY 0x6050 ++ ++#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0 ++#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED 1 + + #define LDAP_OPT_X_TLS_NEVER 0 + #define LDAP_OPT_X_TLS_HARD 1 +diff --git a/libraries/libldap/Makefile.in b/libraries/libldap/Makefile.in +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -26,7 +26,7 @@ SRCS = bind.c open.c result.c error.c compare.c search.c \ + request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ +- tls2.c tls_o.c tls_g.c tls_m.c \ ++ tls2.c tls_o.c tls_g.c tls_m.c tls_mc.c tls_mc_ossl.c \ + turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ + assertion.c deref.c ldif.c fetch.c + +@@ -39,7 +39,7 @@ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ + request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \ + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ +- tls2.lo tls_o.lo tls_g.lo tls_m.lo \ ++ tls2.lo tls_o.lo tls_g.lo tls_m.lo tls_mc.lo tls_mc_ossl.lo \ + turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -137,7 +137,9 @@ static const struct ol_attribute { + #ifdef HAVE_GNUTLS + {0, ATTR_TLS, "TLS_CRLFILE", NULL, LDAP_OPT_X_TLS_CRLFILE}, + #endif +- ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ {0, ATTR_TLS, "TLS_MOZNSS_COMPATIBILITY", NULL, LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY}, ++#endif + #endif + + {0, ATTR_NONE, NULL, NULL, 0} +@@ -582,6 +584,9 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl + gopts->ldo_tls_connect_cb = NULL; + gopts->ldo_tls_connect_arg = NULL; + gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ gopts->ldo_tls_moznss_compatibility = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED; ++#endif + #endif + gopts->ldo_keepalive_probes = 0; + gopts->ldo_keepalive_interval = 0; +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -260,7 +260,8 @@ struct ldapoptions { + int ldo_tls_require_cert; + int ldo_tls_impl; + int ldo_tls_crlcheck; +-#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0 ++ int ldo_tls_moznss_compatibility; ++#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0,0 + #else + #define LDAP_LDO_TLS_NULLARG + #endif +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -37,6 +37,8 @@ + + #include "ldap-tls.h" + ++#include "tls_mc.h" ++ + static tls_impl *tls_imp = &ldap_int_tls_impl; + #define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \ + (void *)tls_imp->ti_sbio ) +@@ -96,6 +98,7 @@ tls_ctx_ref( tls_ctx *ctx ) + * an extra mutex for the default ctx. + */ + static ldap_pvt_thread_mutex_t tls_def_ctx_mutex; ++ldap_pvt_thread_mutex_t tlsmc_mutex; + #endif + + void +@@ -161,6 +164,7 @@ tls_init(tls_impl *impl ) + if ( !tls_initialized++ ) { + #ifdef LDAP_R_COMPILE + ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex ); ++ ldap_pvt_thread_mutex_init( &tlsmc_mutex ); + #endif + } + +@@ -196,6 +200,27 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) + + tls_init( ti ); + ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ if ( LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED == lo->ldo_tls_moznss_compatibility ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLSMC: MozNSS compatibility interception begins.\n", ++ 0, 0, 0 ); ++ if ( 0 == tlsmc_intercept_initialization( lo, is_server ) ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "TLSMC: ERROR: MozNSS compatibility layer failed.\n", ++ 0, 0, 0 ); ++ } ++ lts = lo->ldo_tls_info; ++ Debug( LDAP_DEBUG_ANY, ++ "TLSMC: MozNSS compatibility interception ends.\n", ++ 0, 0, 0 ); ++ } else { ++ Debug( LDAP_DEBUG_TRACE, ++ "TLS: MozNSS compatibility layer disabled.\n", ++ 0, 0, 0 ); ++ } ++#endif ++ + if ( is_server && !lts.lt_certfile && !lts.lt_keyfile && + !lts.lt_cacertfile && !lts.lt_cacertdir ) { + /* minimum configuration not provided */ +@@ -572,6 +597,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg ) + return ldap_pvt_tls_set_option( ld, option, &i ); + } + return -1; ++#endif ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY: ++ i = -1; ++ if ( (strcasecmp( arg, "yes" ) == 0) || ++ (strcasecmp( arg, "true" ) == 0) || ++ (strcasecmp( arg, "on" ) == 0) ) { ++ i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED; ++ } ++ if ( (strcasecmp( arg, "no" ) == 0) || ++ (strcasecmp( arg, "false" ) == 0) || ++ (strcasecmp( arg, "off" ) == 0) ) { ++ i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED; ++ } ++ return ldap_pvt_tls_set_option( ld, option, &i ); + #endif + } + return -1; +@@ -675,6 +715,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + case LDAP_OPT_X_TLS_CONNECT_ARG: + *(void **)arg = lo->ldo_tls_connect_arg; + break; ++ case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY: ++ *(int *)arg = lo->ldo_tls_moznss_compatibility; ++ break; + default: + return -1; + } +@@ -802,6 +845,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); + lo->ldo_tls_ctx = NULL; + return ldap_int_tls_init_ctx( lo, *(int *)arg ); ++ case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY: ++ if ( !arg ) return -1; ++ lo->ldo_tls_moznss_compatibility = *(int *)arg; ++ break; + default: + return -1; + } +diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c +new file mode 100644 +--- /dev/null ++++ b/libraries/libldap/tls_mc.c +@@ -0,0 +1,1345 @@ ++#include "portable.h" ++ ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include "ldap-int.h" ++#include "ldap-tls.h" ++#include "ldap_pvt_thread.h" ++ ++#include "tls_mc.h" ++#include "tls_mc_ossl.h" ++ ++#define TLSMC_CHECKSUM_LEN 32 ++ ++#define TLSMC_CACERTS_DIR_NAME "cacerts" ++#define TLSMC_CERT_FILE_NAME "cert.pem" ++#define TLSMC_KEY_FILE_NAME "key.pem" ++#define TLSMC_README_FILE_NAME "README" ++ ++#define TLSM_CERTDB_DESC "ldap" ++#define DEFAULT_TOKEN_NAME "default" ++ ++#define TLSMC_IS_INPLACE 1 ++#define TLSMC_IS_TEMPORARY 2 ++ ++#define DONOTEDIT \ ++ "This file is auto-generated by MOZNSS Compatibility Layer of OpenLDAP software.\n" \ ++ "This layer is not a part of upstream distributed OpenLDAP software.\n" \ ++ "Please, file any related bugs with your GNU/Linux distribution.\n" \ ++ "Do not edit directly. Rather, change your configuration to use OpenSSL-style TLS options, so that this does not need to be generated anymore.\n" \ ++ "Please, refer to man (5) of slapd.conf, slapd-config, and ldap.conf for more information." ++#define PEM_CERT_HEADER "-----BEGIN CERTIFICATE-----" ++#define PEM_CERT_FOOTER "-----END CERTIFICATE-----" ++#define PEM_KEY_HEADER "-----BEGIN PRIVATE KEY-----" ++#define PEM_KEY_FOOTER "-----END PRIVATE KEY-----" ++#define README_HEADER "Contents of this file are hashed and used as a part of a name of the parent directory.\n" ++ ++#ifdef LDAP_R_COMPILE ++ldap_pvt_thread_mutex_t tlsmc_mutex; ++#endif ++/*******************************************************************/ ++ ++ ++char * ++tlsmc_path2name( char *path ) ++{ ++ if ( NULL == path ) return NULL; ++ char *last_slash = strrchr( path, '/' ); ++ if ( NULL == last_slash ) ++ return path; ++ else ++ return last_slash + 1; ++} ++ ++ ++int ++tlsmc_write_file( char *filename, char *buf, mode_t final_mode ) ++{ ++ int rv = 0; ++ int fd = -1; ++ if ( 0 > ( fd = open( filename, O_WRONLY | O_CREAT | O_EXCL, S_IWUSR ) ) ) { ++ perror("IO ERROR: could not open file"); ++ goto bail; ++ } ++ if ( -1 >= write( fd, buf, strlen(buf) ) ) { ++ perror("IO ERROR: could not write file"); ++ goto bail; ++ } ++ if ( -1 >= fchmod( fd, final_mode ) ) { ++ perror("IO ERROR: could not set file mode"); ++ goto bail; ++ } ++ if ( -1 >= fsync( fd ) ) { ++ perror("IO ERROR: could not fsync the file"); ++ goto bail; ++ } ++ if ( 0 > close( fd ) ) { ++ perror("IO ERROR: could not close file"); ++ fd = -1; ++ goto bail; ++ } ++ fd = -1; ++ rv = 1; ++bail: ++ if ( fd > -1 ) close( fd ); ++ return rv; ++} ++ ++ ++static int ++tlsmc_remove_dir_recursively( const char *dir_name ) ++{ ++ int rv = 0; ++ DIR *dir = NULL; ++ struct dirent *entry = NULL; ++ char *full_path = NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `%s'.\n", ++ dir_name, 0, 0 ); ++ if ( NULL == ( dir = opendir( dir_name ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not open the directory (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail; ++ } ++ ++ while ( NULL != ( entry = readdir( dir ) ) ) { ++ struct stat info; ++ ++ full_path = NULL; ++ full_path = PR_smprintf( "%s/%s", dir_name, entry->d_name ); ++ ++ if ( 0 != strcmp( entry->d_name, "." ) && 0 != strcmp( entry->d_name, ".." ) ) { ++ if ( 0 == lstat( full_path, &info ) ) { ++ if ( S_ISDIR( info.st_mode ) ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: stepping into directory `%s'.\n", ++ entry->d_name, 0, 0 ); ++ if ( 0 == tlsmc_remove_dir_recursively( full_path ) ) { ++ goto bail_and_close_dir; ++ } ++ } else { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: removing file `%s'.\n", ++ entry->d_name, 0, 0 ); ++ if ( 0 != remove( full_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not remove the file (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail_and_close_dir; ++ } ++ } ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not stat `%s', (errno %d: %s).\n", ++ full_path, errno, strerror( errno ) ); ++ goto bail_and_close_dir; ++ } ++ } ++ ++ if ( full_path ) { ++ PR_smprintf_free( full_path ); ++ full_path = NULL; ++ } ++ ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: stepping out of the directory.\n", ++ 0, 0, 0 ); ++ if ( 0 != closedir( dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: WARN: could not close the directory (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: removing the directory itself.\n", ++ 0, 0, 0 ); ++ if ( 0 != remove( dir_name ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not remove the directory (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++ goto bail; ++bail_and_close_dir: ++ closedir( dir ); ++bail: ++ if ( full_path ) PR_smprintf_free( full_path ); ++ return rv; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++static void ++tlsmc_get_certdb_prefix( const char *certdir, char **nsscertdir, char **realcertdir, char **prefix ) ++{ ++ char sep = PR_GetDirectorySeparator(); ++ char *ptr = NULL; ++ char *chkpath = NULL; ++ struct PRFileInfo prfi; ++ PRStatus prc; ++ ++ *realcertdir = (char *)certdir; /* default is the one passed in */ ++ ++ /* if certdir is not given, just return */ ++ if ( !certdir ) return; ++ ++ *nsscertdir = certdir; ++ ++ /* ignore database type prefix (e.g. sql:, dbm:) if provided */ ++ if ( NULL != ( chkpath = strchr( certdir, ':' ) ) ) { ++ *realcertdir = chkpath + 1; ++ } ++ ++ /* if certdir exists (file or directory) then it cannot specify a prefix */ ++ prc = PR_GetFileInfo( *realcertdir, &prfi ); ++ if ( prc == PR_SUCCESS ) { ++ goto finish; ++ } ++ ++ /* if certdir was given, and there is a '/' in certdir, see if there ++ is anything after the last '/' - if so, assume it is the prefix */ ++ /* if ( ( ( ptr = strrchr( *realcertdir, sep ) ) ) && *(ptr + 1) ) { */ ++ /* *realcertdir = PL_strndup( *realcertdir, ptr - (*realcertdir) ); */ ++ /* *prefix = PL_strdup( ptr + 1 ); */ ++ /* } */ ++ ++ ++ if ( ptr = strrchr( *realcertdir, sep ) ) { ++ if ( *(ptr + 1) ) { ++ *ptr = '\0'; ++ *prefix = ptr + 1; ++ } else { ++ *prefix = *realcertdir + strlen( *realcertdir ); // empty string ++ } ++ } else { ++ *prefix = *realcertdir; ++ *realcertdir = *prefix + strlen( *prefix ); // empty string ++ } ++finish: ++ /* drop potential last '/' from realcertdir */ ++ do { ++ ptr = strrchr( *realcertdir, sep ); ++ if ( ptr && (! *(ptr+1) ) ) { ++ *ptr = '\0'; ++ } else { ++ break; ++ } ++ } while (1); ++ ++ return; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++static char * ++tlsmc_get_pin_from_file(const char *token_name, char *filename) ++{ ++ char *pwdstr = NULL; ++ char *contents = NULL; ++ char *lasts = NULL; ++ char *line = NULL; ++ char *candidate = NULL; ++ PRFileInfo file_info; ++ PRFileDesc *pwd_fileptr = NULL; ++ pwd_fileptr = PR_Open( filename, PR_RDONLY, 00400 ); ++ ++ /* open the password file */ ++ if ( !pwd_fileptr ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not open security pin file %s - error %d:%s.\n", ++ filename, errcode, ++ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* get the file size */ ++ if ( PR_SUCCESS != PR_GetFileInfo( filename, &file_info ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not get file info from pin file %s - error %d:%s.\n", ++ filename, errcode, ++ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* create a buffer to hold the file contents */ ++ if ( !( contents = PR_CALLOC( file_info.size + 1 ) ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not alloc a buffer for contents of pin file %s - error %d:%s.\n", ++ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* read file into the buffer */ ++ if( PR_Read( pwd_fileptr, contents, file_info.size ) <= 0 ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not read the file contents from pin file %s - error %d:%s.\n", ++ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* format is [tokenname:]password EOL [tokenname:]password EOL ... */ ++ /* if you want to use a password containing a colon character, use ++ the special tokenname "default" */ ++ for ( line = PL_strtok_r( contents, "\r\n", &lasts ); line; ++ line = PL_strtok_r( NULL, "\r\n", &lasts ) ) { ++ char *colon; ++ ++ if ( !*line ) { ++ continue; /* skip blank lines */ ++ } ++ colon = PL_strchr( line, ':' ); ++ if ( colon ) { ++ if ( *(colon + 1) && token_name && ++ !PL_strncmp( token_name, line, colon-line ) ) { ++ candidate = colon + 1; /* found a definite match */ ++ break; ++ } else if ( !PL_strncmp( DEFAULT_TOKEN_NAME, line, colon-line ) ) { ++ candidate = colon + 1; /* found possible match */ ++ } ++ } else { /* no token name */ ++ candidate = line; ++ } ++ } ++done: ++ if ( pwd_fileptr ) { ++ PR_Close( pwd_fileptr ); ++ } ++ if ( candidate ) { ++ pwdstr = PL_strdup( candidate ); ++ } ++ PL_strfree( contents ); ++ ++ return pwdstr; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++/* ++ * Turn the echoing off on a tty. ++ */ ++static void ++echoOff(int fd) ++{ ++ if ( isatty( fd ) ) { ++ struct termios tio; ++ tcgetattr( fd, &tio ); ++ tio.c_lflag &= ~ECHO; ++ tcsetattr( fd, TCSAFLUSH, &tio ); ++ } ++} ++ ++/* BORROWED FROM tls_m.c */ ++/* ++ * Turn the echoing on on a tty. ++ */ ++static void ++echoOn(int fd) ++{ ++ if ( isatty( fd ) ) { ++ struct termios tio; ++ tcgetattr( fd, &tio ); ++ tio.c_lflag |= ECHO; ++ tcsetattr( fd, TCSAFLUSH, &tio ); ++ tcsetattr( fd, TCSAFLUSH, &tio ); ++ } ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++char * ++tlsmc_get_pin( PK11SlotInfo *slot, PRBool retry, void * filename) ++{ ++ char *token_name = NULL; ++ char *pwdstr = NULL; ++ ++ token_name = PK11_GetTokenName( slot ); ++ /* Try to get the passwords from the password file if it exists. ++ * THIS IS UNSAFE and is provided for convenience only. Without this ++ * capability the server would have to be started in foreground mode ++ * if using an encrypted key. ++ */ ++ if ( filename ) { ++ fprintf( stderr, ++ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n"); ++ pwdstr = tlsmc_get_pin_from_file( token_name, (char *)filename ); ++ if ( retry && pwdstr != NULL ) ++ return NULL; ++ } ++ if ( !pwdstr ) { ++ int infd = PR_FileDesc2NativeHandle( PR_STDIN ); ++ int isTTY = isatty( infd ); ++ unsigned char phrase[200]; ++ /* Prompt for password */ ++ if ( isTTY ) { ++ fprintf( stderr, ++ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n"); ++ fprintf( stdout, ++ "Please enter pin, password, or pass phrase for security token '%s': ", ++ token_name ? token_name : DEFAULT_TOKEN_NAME ); ++ echoOff( infd ); ++ } ++ fgets( (char*)phrase, sizeof(phrase), stdin ); ++ if ( isTTY ) { ++ fprintf( stdout, "\n" ); ++ echoOn( infd ); ++ } ++ /* stomp on newline */ ++ phrase[strlen((char*)phrase)-1] = 0; ++ ++ pwdstr = PL_strdup( (char*)phrase ); ++ } ++ ++ return pwdstr; ++} ++ ++ ++int ++tlsmc_hash( char **dest, const char *src ) ++{ ++ int rv = 0; ++ unsigned char fp[SHA256_LENGTH]; ++ SECItem fpItem; ++ ++ if ( SECSuccess != ( rv = PK11_HashBuf( SEC_OID_SHA256, fp, src, strlen(src) ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_hash: could not hash a buffer", ++ NULL, NULL, NULL ); ++ goto bail; ++ } ++ fpItem.data = fp; ++ fpItem.len = SHA256_LENGTH; ++ if ( NULL == ( *dest = CERT_Hexify( &fpItem, 0 ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_hash: could not hexify the hash", ++ NULL, NULL, NULL ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ return rv; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++int ++tlsmc_open_nssdb( char *ld_cacertdir, NSSInitContext **out_initctx, char **out_nssdb_dir, char **out_nssdb_prefix ) ++{ ++#define SECURITYDIRS_COUNT 3 ++ int rc = 0; ++ PRErrorCode errcode = 1; ++ ++ /* restart secmod modules */ ++#ifdef HAVE_SECMOD_RESTARTMODULES ++ /* NSS enforces the pkcs11 requirement that modules should be unloaded after ++ a fork() - since there is no portable way to determine if NSS has been ++ already initialized in a parent process, we just call SECMOD_RestartModules ++ with force == FALSE - if the module has been unloaded due to a fork, it will ++ be reloaded, otherwise, it is a no-op */ ++ if ( 0 == ( rc = SECMOD_RestartModules(PR_FALSE /* do not force */) ) ) { ++ errcode = PORT_GetError(); ++ if ( errcode != SEC_ERROR_NOT_INITIALIZED ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_open_nssdb: WARN: could not restart the security modules: %d:%s.\n", ++ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); ++ } else { ++ errcode = 1; ++ } ++ } ++#endif ++ ++ ++ /* context and certdb */ ++ char *dir_moznss = PR_GetEnv( "MOZNSS_DIR" ); ++ char *dir_default_moznss = PR_GetEnv( "DEFAULT_MOZNSS_DIR" ); ++ const char *securitydirs[SECURITYDIRS_COUNT] = { dir_moznss, ld_cacertdir, dir_default_moznss }; ++ int done = 0; ++ int ii = 0; ++ for ( ii = 0; !done && ( ii < SECURITYDIRS_COUNT ); ++ii ) { ++ // get certdb prefix ++ const char *securitydir = securitydirs[ii]; ++ char *nsscertdir = NULL; ++ char *realcertdir = NULL; ++ const char *defprefix = ""; ++ char *prefix = (char *)defprefix; ++ if ( securitydir == NULL ) continue; ++ tlsmc_get_certdb_prefix( securitydir, &nsscertdir, &realcertdir, &prefix ); ++ *out_nssdb_dir = strdup( realcertdir ); ++ *out_nssdb_prefix = strdup( prefix ); ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `%s` prefix `%s`.\n", ++ nsscertdir, prefix, NULL); ++ ++ // init context ++ NSSInitContext *initctx = NULL; ++ NSSInitParameters initparams; ++ memset( &initparams, 0, sizeof( initparams ) ); ++ initparams.length = sizeof( initparams ); ++ ++ initctx = NSS_InitContext( nsscertdir, ++ prefix, ++ prefix, ++ SECMOD_DB, ++ &initparams, ++ NSS_INIT_READONLY // | NSS_INIT_NOCERTDB ++ ); ++ rc = initctx ? 1 : 0; ++ ++ *out_initctx = initctx; ++ ++ if ( rc != 1 ) { ++ errcode = PORT_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error %d.\n", ++ errcode, 0, 0 ); ++ } else { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_open_nssdb: INFO: initialized MozNSS context.\n", ++ 0, 0, 0 ); ++ errcode = 0; ++ done = 1; ++ } ++ } ++ ++ PR_Free( dir_moznss ); ++ PR_Free( dir_default_moznss ); ++ ++ PK11_SetPasswordFunc( tlsmc_get_pin ); ++ ++ if ( done && (errcode == 0) && out_initctx ) { ++ return 1; ++ } else { ++ return 0; ++ } ++} ++ ++ ++int ++tlsmc_filestamp( char **filestamp, char *path ) ++{ ++ int rv = 0; ++ struct stat attr; ++ char stime[20]; ++ ++ if ( 0 != stat( path, &attr ) ) { ++ rv = -1; ++ goto bail; ++ } ++ if ( 0 == strftime(stime, sizeof(stime), "%FT%T", localtime(&attr.st_mtime)) ) { ++ perror("IO ERROR: could not format mtime"); ++ goto bail; ++ } ++ ++ *filestamp = PR_smprintf("mtime %s.%d, size %lld", ++ stime, attr.st_mtim.tv_nsec, (long long) attr.st_size); ++ ++ rv = 1; ++bail: ++ return rv; ++} ++ ++ ++char * ++tlsmc_compute_checksum( char *nssdb_dir, char *nssdb_prefix, ++ char *ld_cacertdir, char *ld_cert, char *ld_key, ++ char **out_data) ++{ ++ int rv = 0; ++ char *data = NULL; ++ char *checksum = NULL; ++ ++ /* gather data */ ++ data = PR_sprintf_append( data, ++ DONOTEDIT "\n" ++ README_HEADER "\n" ++ "PARAMETERS:\n" ++ "nssdb_dir: %s\n" ++ "nssdb_prefix: %s\n" ++ "ld_cacertdir: %s\n" ++ "ld_cert: %s\n" ++ "ld_key: %s\n" ++ "euid: %d\n\n" ++ "FILES:\n", ++ nssdb_dir, nssdb_prefix, ld_cacertdir, ld_cert, ld_key, geteuid() ); ++ ++ char *files[] = { "cert8.db", "cert9.db", "key3.db", "key4.db", "secmod.db", NULL }; ++ char **filep = NULL; ++ for ( filep = files; NULL != *filep; filep++ ) { ++ char *filestamp = NULL; ++ char *path = NULL; ++ path = PR_smprintf( "%s/%s%s", nssdb_dir, nssdb_prefix, *filep ); ++ if ( 0 == tlsmc_filestamp( &filestamp, path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_compute_checksum: INFO: could not check file `%s'.\n", ++ path, 0, 0 ); ++ rv = -1; ++ } else { ++ data = PR_sprintf_append( data, "%s: %s\n", *filep, filestamp ); ++ } ++ if ( filestamp ) PR_smprintf_free( filestamp ); ++ if ( path ) PR_smprintf_free( path ); ++ if ( -1 == rv ) goto bail; ++ } ++ ++ /* compute data checksum */ ++ if ( 1 != tlsmc_hash( &checksum, (const char*) data ) ) { ++ checksum = NULL; ++ goto bail; ++ } ++ ++ /* possibly supply data */ ++ if ( out_data ) { ++ *out_data = strdup( data ); ++ } ++ ++ /* return checksum */ ++bail: ++ if ( data ) PR_smprintf_free( data ); ++ return checksum; ++} ++ ++ ++int ++tlsmc_prepare_dir( char *dir ) ++{ ++ int rv = 0; ++ char *cacerts_dir = NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_prepare_dir: INFO: preparing PEM directory `%s'.\n", ++ dir, 0, 0 ); ++ ++ if ( 0 != mkdir( dir, S_IRWXU /* u+rwx */ ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_prepare_dir: WARN: cound not create the PEM directory.\n", ++ 0, 0, 0 ); ++ perror( "tlsmc_prepare_dir: WARN: cound not create the PEM directory" ); ++ rv = 0; ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_prepare_dir: INFO: creating a subdirectory `%s'.\n", ++ TLSMC_CACERTS_DIR_NAME, 0, 0 ); ++ cacerts_dir = PR_smprintf( "%s/%s", dir, TLSMC_CACERTS_DIR_NAME ); ++ if ( 0 != mkdir( cacerts_dir, S_IRWXU /* u+rwx */ ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_prepare_dir: WARN: cound not create the subdirectory.\n", ++ 0, 0, 0 ); ++ perror( "tlsmc_prepare_dir: WARN: cound not create the subdirectory" ); ++ rv = 0; ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_prepare_dir: INFO: successfully created PEM directory structure.\n", ++ TLSMC_CACERTS_DIR_NAME, 0, 0 ); ++ rv = 1; ++ ++bail: ++ if ( cacerts_dir ) PR_smprintf_free( cacerts_dir ); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_cert_to_file(CERTCertDBHandle *certdb_handle, CERTCertificate *cert, char *file_path) ++{ ++ int rv = 0; ++ SECItem data; ++ char *b64 = NULL; ++ char *output = NULL; ++ ++ if ( ! cert ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_to_file: ERROR: cert empty.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ data.data = cert->derCert.data; ++ data.len = cert->derCert.len; ++ b64 = BTOA_DataToAscii(data.data, data.len); ++ if ( ! b64 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_to_file: ERROR: could not base64 encode.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ output = PR_smprintf( DONOTEDIT "\n\n" ++ "NSS nickname: %s\n" ++ "Issuer: %s\n" ++ "Subject: %s\n" ++ PEM_CERT_HEADER "\n" ++ "%s\n" ++ PEM_CERT_FOOTER "\n", ++ cert->nickname, ++ cert->issuerName, ++ cert->subjectName, ++ b64 ); ++ ++ if ( 0 == tlsmc_write_file( file_path, output, S_IRUSR ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_to_file: ERROR: could not write certificate.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ if ( output ) PR_smprintf_free( output ); ++ if ( b64 ) PORT_Free( b64 ); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_decrypt_key(SECKEYEncryptedPrivateKeyInfo *epki, ++ SECOidTag algTag, ++ SECItem *pwitem, ++ void *pin_arg, ++ SECItem *derPKI) ++{ ++ SECItem *cryptoParam = NULL; ++ PK11SymKey *symKey = NULL; ++ PK11Context *ctx = NULL; ++ int rv = 0; ++ ++ if (!pwitem) return rv; ++ ++ do { ++ SECAlgorithmID algid = epki->algorithm; ++ CK_MECHANISM_TYPE cryptoMechType; ++ CK_ATTRIBUTE_TYPE operation = CKA_DECRYPT; ++ PK11SlotInfo *slot = NULL; ++ ++ cryptoMechType = PK11_GetPBECryptoMechanism(&algid, &cryptoParam, pwitem); ++ if (cryptoMechType == CKM_INVALID_MECHANISM) { ++ goto bail; ++ } ++ ++ if ( NULL == ( slot = PK11_GetBestSlot(cryptoMechType, NULL) ) ) { ++ goto bail; ++ } ++ ++ if ( NULL == ( symKey = PK11_PBEKeyGen(slot, &algid, pwitem, PR_FALSE, pin_arg) ) ) { ++ rv = -1; ++ goto bail_one; ++ } ++ ++ if ( NULL == ( ctx = PK11_CreateContextBySymKey( ++ cryptoMechType, operation, symKey, cryptoParam) ) ) { ++ rv = -1; ++ goto bail_one; ++ } ++ ++ if ( SECSuccess != PK11_CipherOp(ctx, ++ derPKI->data, /* out */ ++ (int *)(&derPKI->len), /* out len */ ++ (int)epki->encryptedData.len, /* max out */ ++ epki->encryptedData.data, /* in */ ++ (int)epki->encryptedData.len /* in len */ ) ) { ++ rv = -1; ++ goto bail_one; ++ } ++ ++ if ( derPKI->len != epki->encryptedData.len ) goto bail_one; ++ if ( SECSuccess != PK11_Finalize(ctx) ) goto bail_one; ++ bail_one: ++ if (slot) PK11_FreeSlot(slot); ++ } while (0); ++ ++ rv = ((rv == 0) ? 1 : 0); ++bail: ++ if (symKey) PK11_FreeSymKey(symKey); ++ if (cryptoParam) { ++ SECITEM_ZfreeItem(cryptoParam, PR_TRUE); ++ cryptoParam = NULL; ++ } ++ if (ctx) PK11_DestroyContext(ctx, PR_TRUE); ++ ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_key_of_cert_to_file(CERTCertificate *cert, ++ char *pin_filename, ++ char *filename) ++{ ++ int rv = 0; ++ SECKEYPrivateKey *key = NULL; ++ SECItem pwitem; ++ SECKEYEncryptedPrivateKeyInfo *epki = NULL; ++ PLArenaPool *arenaForPKI = NULL; ++ SECItem clearKeyDER; ++ char *b64 = NULL; ++ char *output = NULL; ++ ++ // establish password ++ pwitem.data = "secretpw"; // FIXME use pin_filename ++ pwitem.len = strlen(pwitem.data); ++ pwitem.type = siBuffer; ++ ++ // get key ++ if ( NULL == ( key = PK11_FindKeyByAnyCert(cert, (void *)pin_filename) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: PK11_FindKeyByAnyCert failed.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // get key info ++ if ( NULL == ( epki = PK11_ExportEncryptedPrivKeyInfo( ++ NULL, SEC_OID_DES_EDE3_CBC, &pwitem, key, 1000, (void *)pin_filename) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: PK11_ExportEncryptedPrivKeyInfo returned NULL.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // get clear DER ++ if ( NULL == ( arenaForPKI = PORT_NewArena(2048) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: PORT_NewArena failed.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ clearKeyDER.data = PORT_ArenaAlloc(arenaForPKI, epki->encryptedData.len); ++ clearKeyDER.len = epki->encryptedData.len; ++ clearKeyDER.type = siBuffer; ++ ++ if ( 0 == tlsmc_decrypt_key(epki, SEC_OID_DES_EDE3_CBC, &pwitem, ++ (void *)pin_filename, &clearKeyDER) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: could not decrypt the key.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // base64 encode ++ if ( NULL == ( b64 = BTOA_ConvertItemToAscii(&clearKeyDER) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: could not base64 encode.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // print out ++ output = PR_smprintf( DONOTEDIT "\n" ++ PEM_KEY_HEADER "\n" ++ "%s\n" ++ PEM_KEY_FOOTER "\n", ++ b64 ); ++ ++ if ( 0 == tlsmc_write_file( filename, output, S_IRUSR ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: could not write PK.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++ ++bail: ++ if (b64) PORT_Free(b64); ++ if (arenaForPKI) PORT_FreeArena(arenaForPKI, PR_FALSE); ++ if (epki) SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE); ++ if (key) SECKEY_DestroyPrivateKey(key); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_cert_key_pair(char *nickname, char *pin_filename, char *dir_name) ++{ ++ int rv = 0; ++ CERTCertDBHandle *certHandle = NULL; ++ CERTCertificate *cert = NULL; ++ char *cert_file_path = NULL; ++ char *key_file_path = NULL; ++ char *file_realpath = NULL; ++ ++ ++ cert_file_path = PR_smprintf( "%s/cert.pem", dir_name ); ++ key_file_path = PR_smprintf( "%s/key.pem", dir_name ); ++ ++ if ( NULL == nickname ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: WARN: supplied nickname is empty (NULL).\n", ++ 0, 0, 0 ); ++ rv = 1; ++ goto bail; ++ } ++ if ( NULL == ( certHandle = CERT_GetDefaultCertDB() ) ) { ++ // FIXME see same in tlsmc_extract_cacerts() ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not get certificate handle.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( NULL != ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) { ++ /* extract cert/key from NSS db */ ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n", ++ nickname, cert_file_path, 0 ); ++ if ( 0 == tlsmc_extract_cert_to_file(certHandle, cert, cert_file_path) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not extract certificate.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n", ++ key_file_path, 0, 0 ); ++ if ( 0 == tlsmc_extract_key_of_cert_to_file( cert, pin_filename, key_file_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not extract PK.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ } else { ++ /* symlink PEM cert/key PEM files */ ++ ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: INFO: could not find certificate with nickname `%s', expecting a PEM file.\n", ++ nickname, 0, 0 ); ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: symlinking certificate file `%s' to file `%s'.\n", ++ nickname, cert_file_path, 0 ); ++ if ( NULL == ( file_realpath = realpath( nickname, NULL ) ) ) { ++ perror( "Could not get the realpath" ); ++ goto bail; ++ } ++ if ( -1 == symlink( file_realpath, cert_file_path ) ) { ++ perror( "Could not create a symlink" ); ++ goto bail; ++ } ++ if ( file_realpath ) free( file_realpath ); ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: symlinking PK file `%s' to file `%s'.\n", ++ pin_filename, key_file_path, 0 ); ++ if ( NULL == ( file_realpath = realpath( pin_filename, NULL ) ) ) { ++ perror( "Could not get the realpath" ); ++ goto bail; ++ } ++ if ( -1 == symlink( file_realpath, key_file_path ) ) { ++ perror( "Could not create a symlink" ); ++ goto bail; ++ } ++ } ++ ++ rv = 1; ++ ++bail: ++ if (file_realpath) free(file_realpath); ++ if (key_file_path) PR_smprintf_free(key_file_path); ++ if (cert_file_path) PR_smprintf_free(cert_file_path); ++ if (cert) CERT_DestroyCertificate(cert); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_cacerts( char *dir_name ) ++{ ++ int rv = 0; ++ CERTCertDBHandle *certHandle = NULL; ++ CERTCertListNode *node = NULL; ++ CERTCertList *list = NULL; ++ char *cacerts_dir = NULL; ++ int cert_cnt = 0; ++ ++ cacerts_dir = PR_smprintf( "%s/" TLSMC_CACERTS_DIR_NAME, dir_name ); ++ ++ certHandle = CERT_GetDefaultCertDB(); // FIXME maybe we should really use certdb_slot? ++ if ( ! certHandle ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: could not get certificate database handle.\n", ++ 0, 0, 0); ++ goto bail; ++ } ++ ++ list = PK11_ListCerts(PK11CertListAll, NULL); ++ if ( ! list ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: could not get list of certificates.\n", ++ 0, 0, 0); ++ goto bail; ++ } ++ for ( node = CERT_LIST_HEAD(list); ++ !CERT_LIST_END(node, list); ++ node = CERT_LIST_NEXT(node)) { ++ ++ CERTCertificate *cert = NULL; ++ CERTCertTrust trust; ++ char *cert_file_path = NULL; ++ int is_ca = 0; ++ ++ cert = node->cert; ++ if ( SECFailure == CERT_GetCertTrust( cert, &trust ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cacerts: ERROR: could not get trust flags of certificate nick=`%s'.\n", ++ cert->nickname, 0, 0); ++ goto bail; ++ } ++ if (trust.sslFlags & ++ (CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA)) { ++ is_ca = 1; ++ } ++ ++ Debug(LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: INFO: found cert nick=`%s'%s.\n", ++ cert->nickname, is_ca ? ", a trusted CA" : ", _not_ a trusted CA, skipping", 0); ++ if ( ! is_ca ) continue; ++ ++ cert_file_path = PR_smprintf( "%s/cert%d.pem", cacerts_dir, cert_cnt ); ++ cert_cnt++; ++ Debug(LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: INFO: extracting cert nick=`%s' to file `%s'.\n", ++ cert->nickname, cert_file_path, 0); ++ if ( 0 == tlsmc_extract_cert_to_file( certHandle, cert, cert_file_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cacerts: ERROR: could not extract the certificate.\n", ++ 0, 0, 0); ++ goto bail_one; ++ } ++ if ( 0 == tlsmc_cert_create_hash_symlink( cert_file_path, cacerts_dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cacerts: ERROR: could not rehash the certificate.\n", ++ 0, 0, 0); ++ goto bail_one; ++ } ++ if ( cert_file_path ) PR_smprintf_free( cert_file_path ); ++ continue; ++ bail_one: ++ if ( cert_file_path ) PR_smprintf_free( cert_file_path ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ if ( cacerts_dir ) PR_smprintf_free( cacerts_dir ); ++ if ( list ) CERT_DestroyCertList( list ); ++ return rv; ++} ++ ++ ++/* returns 1 if successfull; ++ returns -1 if only cert-key pair is NULL or could not be extracted; ++ returns 0 if any other error ++*/ ++int ++tlsmc_extract_nssdb( char *dir_name, char **ld_cacertdir, char **ld_cert, char **ld_key ) ++{ ++ int rv = 0; ++ ++ if ( ! dir_name ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_nssdb: FATAL: target dir name empty.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ if ( 0 == tlsmc_extract_cacerts( dir_name ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_nssdb: ERROR: could not export CA certificates.\n", ++ 0, 0, 0 ); ++ } ++ ++ if ( 0 == tlsmc_extract_cert_key_pair( *ld_cert, *ld_key, dir_name ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_nssdb: ERROR: could not export user cert and/or key.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ return rv; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++int ++tlsmc_close_nssdb(NSSInitContext **initctx) ++{ ++ if ( *initctx && NSS_ShutdownContext( *initctx ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_close_nssdb: ERROR: could not shutdown NSS - error %d:%s.\n", ++ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); ++ return 0; ++ } else { ++ return 1; ++ } ++} ++ ++ ++int ++tlsmc_convert( char **ld_cacertdir, char **ld_cert, char **ld_key ) ++{ ++ ++ int rv = 0; ++ ++ NSSInitContext *nss_ctx = NULL; ++ char *nssdb_dir_path = NULL; ++ char *nssdb_prefix = NULL; ++ char *pem_dir = NULL; ++ char *readme_path = NULL; ++ char *data = NULL; // data before checksum ++ char *checksum = NULL; // checksummed data ++ struct stat stat_buf; ++ ++#ifdef LDAP_R_COMPILE ++ ldap_pvt_thread_mutex_lock( &tlsmc_mutex ); ++#endif ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `%s'.\n", ++ *ld_cacertdir, 0, 0 ); ++ if ( NULL == ld_cacertdir || NULL == ld_cert || NULL == ld_key ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: cannot proceed, some of the arguments are NULL.\n", ++ 0, 0, 0 ); ++ rv = 1; ++ goto bail; ++ } ++ if ( 0 == tlsmc_open_nssdb( *ld_cacertdir, &nss_ctx, &nssdb_dir_path, &nssdb_prefix ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.\n", ++ 0, 0, 0 ); ++ rv = 1; ++ goto bail; ++ } ++ ++ if ( NULL == ( checksum = tlsmc_compute_checksum( nssdb_dir_path, nssdb_prefix, ++ *ld_cacertdir, *ld_cert, *ld_key, ++ &data ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: could not compute checksum.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ if ( NULL == ( pem_dir = PR_smprintf( "/tmp/openldap-tlsmc-%s-%s-%s", ++ tlsmc_path2name( nssdb_dir_path ), ++ nssdb_prefix, ++ checksum) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not allocate memory.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( NULL == ( readme_path = PR_smprintf( "%s/" TLSMC_README_FILE_NAME, pem_dir ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not allocate memory.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: INFO: trying with PEM dir = `%s'.\n", ++ pem_dir, 0, 0 ); ++ if ( 0 == stat( pem_dir, &stat_buf ) ) { ++ if ( S_ISDIR(stat_buf.st_mode) ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: INFO: using the existing PEM dir.\n", ++ 0, 0, 0 ); ++ if ( 0 == stat( readme_path, &stat_buf ) ) { ++ goto pem_dir_exists; ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: the PEM dir found does not contain README file. Will remove the PEM dir and try to recreate it.\n", ++ 0, 0, 0 ); ++ if ( 0 == tlsmc_remove_dir_recursively( pem_dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not remove the PEM dir. Cannot properly set TLS.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ } ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: tried to stat the PEM dir but it is not a directory.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: WARN: will try to create PEM dir.\n", ++ 0, 0, 0 ); ++ if ( 0 == tlsmc_prepare_dir( pem_dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: cannot prepare the PEM dir.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( 0 == tlsmc_extract_nssdb( pem_dir, ld_cacertdir, ld_cert, ld_key ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not extract from the NSS DB.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( 0 == tlsmc_write_file( readme_path, data, S_IRUSR ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: could not create README file.\n", ++ 0, 0, 0 ); ++ } ++ ++pem_dir_exists: ++ if (*ld_cacertdir) free(*ld_cacertdir); ++ *ld_cacertdir = PR_smprintf( "%s/" TLSMC_CACERTS_DIR_NAME, pem_dir ); ++ if ( ! ( ( 0 == stat( *ld_cacertdir, &stat_buf ) ) ++ && S_ISDIR(stat_buf.st_mode) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: WARN: extracted cacerts dir is not present.\n", ++ 0, 0, 0 ); ++ *ld_cacertdir = NULL; ++ } ++ ++ if (*ld_cert) free(*ld_cert); ++ *ld_cert = PR_smprintf( "%s/" TLSMC_CERT_FILE_NAME, pem_dir ); ++ if ( ! ( ( 0 == stat( *ld_cert, &stat_buf ) ) ++ && ( S_ISREG(stat_buf.st_mode) ++ || S_ISLNK(stat_buf.st_mode) ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: WARN: extracted cert file is not present.\n", ++ 0, 0, 0 ); ++ *ld_cert = NULL; ++ } ++ ++ if (*ld_key) free(*ld_key); ++ *ld_key = PR_smprintf( "%s/" TLSMC_KEY_FILE_NAME, pem_dir ); ++ if ( ! ( ( 0 == stat( *ld_key, &stat_buf ) ) ++ && ( S_ISREG(stat_buf.st_mode) ++ || S_ISLNK(stat_buf.st_mode) ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: WARN: extracted key file is not present.\n", ++ 0, 0, 0 ); ++ *ld_key = NULL; ++ } ++ ++ rv = 1; ++ ++bail: ++ if ( pem_dir ) PR_smprintf_free( pem_dir ); ++ if ( data ) free( data ); ++ if ( nssdb_prefix ) free( nssdb_prefix ); ++ if ( nssdb_dir_path ) free( nssdb_dir_path ); ++ if ( nss_ctx ) tlsmc_close_nssdb( &nss_ctx ); ++ ++#ifdef LDAP_R_COMPILE ++ ldap_pvt_thread_mutex_unlock( &tlsmc_mutex ); ++#endif ++ ++ return rv; ++} ++ ++ ++// returns 0 when successful ++int ++tlsmc_intercept_initialization( struct ldapoptions *lo, int is_server ) ++{ ++ int rv = 0; ++ char *ld_cacertdir = NULL; ++ char *ld_cert = NULL; ++ char *ld_key = NULL; ++ ++ ld_cacertdir = lo->ldo_tls_cacertdir ? LDAP_STRDUP( (char *) lo->ldo_tls_cacertdir ) : NULL; ++ ld_cert = lo->ldo_tls_certfile ? LDAP_STRDUP( (char *) lo->ldo_tls_certfile ) : NULL; ++ ld_key = lo->ldo_tls_keyfile ? LDAP_STRDUP( (char *) lo->ldo_tls_keyfile ) : NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_intercept_initialization: INFO: entry options follow:\n" ++ "tlsmc_intercept_initialization: INFO: cacertdir = `%s'\n" ++ "tlsmc_intercept_initialization: INFO: certfile = `%s'\n" ++ "tlsmc_intercept_initialization: INFO: keyfile = `%s'\n", ++ lo->ldo_tls_cacertdir, lo->ldo_tls_certfile, lo->ldo_tls_keyfile ); ++ ++ if ( 0 == tlsmc_convert( &ld_cacertdir, &ld_cert, &ld_key ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_intercept_initialization: FATAL: could not intercept TLS initialization. TLS will not work!\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir ); ++ lo->ldo_tls_cacertdir = ld_cacertdir ? LDAP_STRDUP( (char *) ld_cacertdir ) : NULL; ++ ++ if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile ); ++ lo->ldo_tls_certfile = ld_cert ? LDAP_STRDUP( (char *) ld_cert ) : NULL; ++ ++ if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile ); ++ lo->ldo_tls_keyfile = ld_key ? LDAP_STRDUP( (char *) ld_key ) : NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_intercept_initialization: INFO: altered options follow:\n" ++ "tlsmc_intercept_initialization: INFO: cacertdir = `%s'\n" ++ "tlsmc_intercept_initialization: INFO: certfile = `%s'\n" ++ "tlsmc_intercept_initialization: INFO: keyfile = `%s'\n", ++ lo->ldo_tls_cacertdir, lo->ldo_tls_certfile, lo->ldo_tls_keyfile ); ++ ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.\n", ++ 0, 0, 0 ); ++ rv = 1; ++bail: ++ if ( ld_cacertdir ) LDAP_FREE( ld_cacertdir ); ++ if ( ld_cert ) LDAP_FREE( ld_cert ); ++ if ( ld_key ) LDAP_FREE( ld_key ); ++ return rv; ++} ++ ++ ++#endif /* HAVE_MOZNSS_COMPATIBILITY */ ++/* ++ emacs settings ++ Local Variables: ++ indent-tabs-mode: t ++ tab-width: 4 ++ End: ++*/ +diff --git a/libraries/libldap/tls_mc.h b/libraries/libldap/tls_mc.h +new file mode 100644 +--- /dev/null ++++ b/libraries/libldap/tls_mc.h +@@ -0,0 +1,18 @@ ++#ifndef _LDAP_TLSMC_H ++#define _LDAP_TLSMC_H ++ ++#include "portable.h" ++ ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ ++#include "ldap-int.h" ++ ++int ++tlsmc_convert( char **ld_cacertdir, char **ld_cert, char **ld_key ); ++ ++int ++tlsmc_intercept_initialization( struct ldapoptions *lo, int is_server ); ++ ++ ++#endif /* HAVE_MOZNSS_COMPATIBILITY */ ++#endif /* _LDAP_TLSMC_H */ +diff --git a/libraries/libldap/tls_mc_ossl.c b/libraries/libldap/tls_mc_ossl.c +new file mode 100644 +--- /dev/null ++++ b/libraries/libldap/tls_mc_ossl.c +@@ -0,0 +1,95 @@ ++#include "portable.h" ++ ++/* This file contains functions that require OpenSSL headers due to some ++ conflicts with what MozNSS defines. ++*/ ++ ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ ++#include ++#include ++#include "ldap-int.h" ++#include ++#include ++#include ++ ++ ++int ++tlsmc_cert_create_hash_symlink( char *cert_path, char *cacerts_dir ) ++{ ++ int rv = 0; ++ X509 *cert = NULL; ++ FILE *fp = NULL; ++ unsigned long hash = 0; ++ char *cert_filename_p = NULL; ++ char *last_slash_p = NULL; ++ char *symlink_path = NULL; ++ int cnt = 0; ++ ++ if ( NULL == ( fp = fopen( cert_path, "r" ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_cert_create_hash_symlink: ERROR: could not open the cert file.\n", ++ 0, 0, 0 ); ++ perror( "tlsmc_cert_create_hash_symlink: ERROR: OS error" ); ++ goto bail; ++ } ++ if ( NULL == PEM_read_X509( fp, &cert, NULL, NULL ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_cert_create_hash_symlink: ERROR: could not read PEM data.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( 0 == ( hash = X509_subject_name_hash( cert ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_cert_create_hash_symlink: ERROR: could not hash subject.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ last_slash_p = strrchr( cert_path, '/' ); ++ cert_filename_p = last_slash_p ? last_slash_p + 1 : cert_path; ++ for ( cnt = 0; cnt < 10; cnt++ ) { ++ if ( NULL == ( symlink_path = PR_smprintf( "%s/%08lx.%d", cacerts_dir, hash, cnt ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_cert_create_hash_symlink: ERROR: memory allocation error.\n", ++ 0, 0, 0 ); ++ continue; ++ } ++ if ( 0 != symlink( cert_filename_p, symlink_path ) ) { ++ if ( errno == EEXIST ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_cert_create_hash_symlink: INFO: symlink `%s' already exists.\n", ++ symlink_path, 0, 0 ); ++ if ( symlink_path ) PR_smprintf( symlink_path ); ++ continue; ++ } ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_cert_create_hash_symlink: ERROR: could not create symlink.\n", ++ 0, 0, 0 ); ++ perror( "tlsmc_cert_create_hash_symlink: ERROR: OS error" ); ++ goto bail; ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_cert_create_hash_symlink: INFO: the cert is now symlinked to %s.\n", ++ symlink_path, 0, 0 ); ++ rv = 1; ++ goto bail; ++ } ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_cert_create_hash_symlink: INFO: could not create symlink (all possible file names taken).\n", ++ 0, 0, 0 ); ++bail: ++ if ( symlink_path ) PR_smprintf_free( symlink_path ); ++ if ( cert ) X509_free( cert ); ++ if ( fp ) fclose( fp ); ++ return rv; ++} ++ ++#endif /* HAVE_MOZNSS_COMPATIBILITY */ ++/* ++ emacs settings ++ Local Variables: ++ indent-tabs-mode: t ++ tab-width: 4 ++ End: ++*/ +diff --git a/libraries/libldap/tls_mc_ossl.h b/libraries/libldap/tls_mc_ossl.h +new file mode 100644 +--- /dev/null ++++ b/libraries/libldap/tls_mc_ossl.h +@@ -0,0 +1,12 @@ ++#ifndef _LDAP_TLSMC_OSSL_H ++#define _LDAP_TLSMC_OSSL_H ++ ++#include "portable.h" ++ ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ ++int ++tlsmc_cert_create_hash_symlink( char *cert_path, char *cacerts_dir ); ++ ++#endif ++#endif +diff --git a/libraries/libldap_r/Makefile.in b/libraries/libldap_r/Makefile.in +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -28,7 +28,7 @@ XXSRCS = apitest.c test.c \ + request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ +- tls2.c tls_o.c tls_g.c tls_m.c \ ++ tls2.c tls_o.c tls_g.c tls_m.c tls_mc.c tls_mc_ossl.c \ + turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ + assertion.c deref.c ldif.c fetch.c + SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \ +@@ -46,7 +46,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpool.lo rq.lo \ + request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \ + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ +- tls2.lo tls_o.lo tls_g.lo tls_m.lo \ ++ tls2.lo tls_o.lo tls_g.lo tls_m.lo tls_mc.lo tls_mc_ossl.lo \ + turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec index d8dbcbf..2db42cc 100644 --- a/SPECS/openldap.spec +++ b/SPECS/openldap.spec @@ -5,7 +5,7 @@ Name: openldap Version: 2.4.44 -Release: 5%{?dist} +Release: 13%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP @@ -23,6 +23,7 @@ Source52: libexec-check-config.sh Source53: libexec-upgrade-db.sh Source54: libexec-create-certdb.sh Source55: libexec-generate-server-cert.sh +Source56: libexec-update-ppolicy-schema.sh # patches for 2.4 Patch0: openldap-manpages.patch @@ -36,14 +37,6 @@ Patch7: openldap-allop-overlay.patch Patch8: openldap-syncrepl-unset-tls-options.patch Patch9: openldap-man-sasl-nocanon.patch Patch10: openldap-ai-addrconfig.patch -Patch11: openldap-nss-update-list-of-ciphers.patch -Patch12: openldap-tls-no-reuse-of-tls_session.patch -Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch -Patch14: openldap-nss-ignore-certdb-type-prefix.patch -Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch -Patch16: openldap-nss-pk11-freeslot.patch -Patch17: openldap-nss-unregister-on-unload.patch -Patch18: openldap-ssl-deadlock-revert.patch # fix back_perl problems with lt_dlopen() # might cause crashes because of symbol collisions # the proper fix is to link all perl modules against libperl @@ -53,36 +46,26 @@ Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch Patch20: openldap-ldapi-sasl.patch # coverity - missin_unlock in servers/slapd/overlays/accesslog.c Patch21: openldap-missing-unlock-in-accesslog-overlay.patch -# upstreamed, ITS #7979 -Patch22: openldap-support-tlsv1-and-later.patch Patch23: openldap-module-passwd-sha2.patch # pending upstream inclusion, ITS #7744 Patch24: openldap-man-tls-reqcert.patch -Patch27: openldap-nss-ciphersuite-handle-masks-correctly.patch -Patch28: openldap-nss-ciphers-use-nss-defaults.patch -# this is a temporary fix for #1294385, it should be solved properly, backported from #1144294 -Patch30: openldap-temporary-ssl-thr-init-race.patch -Patch34: openldap-nss-protocol-version-new-api.patch +Patch25: openldap-man-ldap-conf.patch Patch35: openldap-ITS8428-init-sc_writewait.patch Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch -# upstream ITS#8484 -Patch60: openldap-nss-reregister-nss-shutdown-callback.patch - # check-password module specific patches Patch90: check-password-makefile.patch Patch91: check-password.patch Patch92: check-password-loglevels.patch +# MozNSS compatibility layer +Patch101: openldap-tlsmc.patch # Fedora specific patches -Patch100: openldap-autoconf-pkgconfig-nss.patch Patch102: openldap-fedora-systemd.patch -BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel +BuildRequires: cyrus-sasl-devel, nss-devel, openssl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed) -# smbk5pwd overlay: -BuildRequires: openssl-devel Requires: nss-tools Requires(post): rpm, coreutils, findutils @@ -164,8 +147,7 @@ programs needed for accessing and modifying OpenLDAP directories. pushd openldap-%{version} -# use pkg-config for Mozilla NSS library -%patch100 -p1 +%patch101 -p1 # alternative include paths for Mozilla NSS ln -s %{_includedir}/nss3 include/nss @@ -184,28 +166,15 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch8 -p1 %patch9 -p1 %patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 %patch19 -p1 %patch20 -p1 %patch21 -p1 -%patch22 -p1 %patch23 -p1 %patch24 -p1 -%patch27 -p1 -%patch28 -p1 -%patch30 -p1 -%patch34 -p1 +%patch25 -p1 %patch35 -p1 %patch36 -p1 %patch37 -p1 -%patch60 -p1 %patch102 -p1 @@ -285,11 +254,12 @@ pushd openldap-%{version} --disable-static \ --enable-shared \ \ + --enable-moznss-compatibility=yes \ + \ --with-cyrus-sasl \ --without-fetch \ --with-threads \ --with-pic \ - --with-tls=moznss \ --with-gnu-ld \ \ --libexecdir=%{_libdir} @@ -366,6 +336,7 @@ install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh +install -m 0755 %SOURCE56 %{buildroot}%{_libexecdir}/openldap/update-ppolicy-schema.sh # install mdb_* tools mv %{buildroot}/usr/local/bin/mdb_{copy,dump,load,stat} %{buildroot}%{_libexecdir}/openldap/ @@ -490,28 +461,36 @@ if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap fi +# ensure ppolicy schema updated (bug #1487857) +if [ $1 -eq 2 ]; then + if [ -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then + %{_libexecdir}/openldap/update-ppolicy-schema.sh &>/dev/null + fi +fi + # conversion from /etc/sysconfig/ldap to /etc/sysconfig/slapd if [ $1 -eq 2 ]; then # we expect that 'ldap' will be renamed to 'ldap.rpmsave' after removing the old package - [ -r %{_sysconfdir}/sysconfig/ldap ] || exit 0 - source %{_sysconfdir}/sysconfig/ldap &>/dev/null - - new_urls= - [ "$SLAPD_LDAP" != "no" ] && new_urls="$new_urls ldap:///" - [ "$SLAPD_LDAPI" != "no" ] && new_urls="$new_urls ldapi:///" - [ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///" - [ -n "$SLAPD_URLS" ] && new_urls="$new_urls $SLAPD_URLS" - - failure=0 - cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert - sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1 - [ -n "$SLAPD_OPTIONS" ] && \ - sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1 - - if [ $failure -eq 0 ]; then - mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd - else - rm -f %{_sysconfdir}/sysconfig/slapd.rpmconvert + if [ -r %{_sysconfdir}/sysconfig/ldap ]; then + source %{_sysconfdir}/sysconfig/ldap &>/dev/null + + new_urls= + [ "$SLAPD_LDAP" != "no" ] && new_urls="$new_urls ldap:///" + [ "$SLAPD_LDAPI" != "no" ] && new_urls="$new_urls ldapi:///" + [ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///" + [ -n "$SLAPD_URLS" ] && new_urls="$new_urls $SLAPD_URLS" + + failure=0 + cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert + sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1 + [ -n "$SLAPD_OPTIONS" ] && \ + sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1 + + if [ $failure -eq 0 ]; then + mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd + else + rm -f %{_sysconfdir}/sysconfig/slapd.rpmconvert + fi fi fi @@ -654,6 +633,7 @@ exit 0 %{_libexecdir}/openldap/check-config.sh %{_libexecdir}/openldap/upgrade-db.sh %{_libexecdir}/openldap/generate-server-cert.sh +%{_libexecdir}/openldap/update-ppolicy-schema.sh %{_libexecdir}/openldap/mdb_* %{_libexecdir}/openldap/man/man1/mdb_* %{_sbindir}/sl* @@ -680,6 +660,40 @@ exit 0 %{_mandir}/man3/* %changelog +* Wed Jan 31 2018 Matus Honek - 2.4.44-13 +- MozNSS Compat. Layer: fix recursive directory deletion (#1516409) +- MozNSS Compat. Layer: fix PIN disclaimer not always shown (#1516409) +- MozNSS Compat. Layer: fix incorrect parsing of CACertDir (#1533955) + +* Thu Jan 11 2018 Matus Honek - 2.4.44-12 +- MozNSS Compat. Layer: Ensure consistency of a PEM dir before usage (#1516409) + + Warn just before use of a PIN about key file extraction + +* Wed Jan 10 2018 Matus Honek - 2.4.44-11 +- MozNSS Compat. Layer: Enable usage of NSS DB with PEM cert/key (#1525485) + + Fix a possible invalid dereference (covscan) + +* Tue Nov 28 2017 Matus Honek - 2.4.44-10 +- Drop update-ppolicy-schema.sh scriptlet's output (#1487857) +- Fix issues in MozNSS compatibility layer (#1400578) + + Force write file with fsync to avoid race conditions + + Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix + + Allow missing cert and key which is a valid usecase + + Create extraction folder only in /tmp to simplify selinux rules + + Fix Covscan issues + +* Fri Nov 3 2017 Matus Honek - 2.4.44-9 +- Build with OpenSSL and MozNSS compatibility layer instead of MozNSS (#1400578) + +* Thu Nov 2 2017 Matus Honek - 2.4.44-8 +- fix: Upgrading to OpenLDAP >= 2.4.43 breaks server due to ppolicy changes (#1487857) + +* Thu Nov 2 2017 Matus Honek - 2.4.44-7 +- fix: Manpage incorrectly states ./ldaprc config file is used (#1498841) + +* Thu Nov 2 2017 Matus Honek - 2.4.44-6 +- fix: Upgrading openldap-servers does not restart slapd when rebasing (#1479309) + * Tue Jun 6 2017 Matus Honek - 2.4.44-5 - fix CVE-2017-9287 openldap: Double free vulnerability in servers/slapd/back-mdb/search.c (#1458210)