Rebase to version 2.6.8

Avoid SSL context cleanup during library destruction

Resolves: RHEL-71052, RHEL-68424
Simon Pichugin 2024-12-16 15:18:19 -08:00
parent 12ab8f2f02
commit 02ebaeb501
7 changed files with 102 additions and 129 deletions

1
.gitignore vendored

@ -39,3 +39,4 @@
/openldap-2.6.5.tgz
/openldap-2.6.6.tgz
/openldap-2.6.7.tgz
/openldap-2.6.8.tgz


@ -1,25 +0,0 @@
From 0b4098ca9080e78436cbd9f383047a9583888376 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 26 Sep 2022 11:55:27 +0100
Subject: [PATCH] ITS#9921 fix vlvResult comment
---
clients/tools/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clients/tools/common.c b/clients/tools/common.c
index b88f219b36..3135034ca0 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -2210,7 +2210,7 @@ print_vlv( LDAP *ld, LDAPControl *ctrl )
ber_memfree( bv.bv_val );
tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
- ldif ? "vlvResult" : "vlvResult", buf, rc );
+ ldif ? "vlvResult: " : "vlvResult", buf, rc );
}
return rc;
--
GitLab


@ -1,70 +0,0 @@
From fb9e6a81bbee880549e7ec18f0a74ddddbd2d1ab Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 6 Feb 2024 21:38:24 -0500
Subject: [PATCH] ITS#10171 - Explicitly cast private values
Fixes issues with -Werror=incompatible-pointer-types
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
---
servers/slapd/config.c | 2 +-
servers/slapd/overlays/constraint.c | 2 +-
servers/slapd/overlays/dyngroup.c | 2 +-
servers/slapd/overlays/valsort.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 80333f359c..987c862d91 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -151,7 +151,7 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) {
int rc, arg_user, arg_type, arg_syn, iarg;
unsigned uiarg;
long larg;
- size_t ularg;
+ unsigned long ularg;
ber_len_t barg;
if(Conf->arg_type == ARG_IGNORED) {
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
index f939b37762..0d6156af4d 100644
--- a/servers/slapd/overlays/constraint.c
+++ b/servers/slapd/overlays/constraint.c
@@ -557,7 +557,7 @@ done:;
a2->restrict_filter = ap.restrict_filter;
a2->restrict_val = ap.restrict_val;
- for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next )
+ for ( app = (constraint **)&on->on_bi.bi_private; *app; app = &(*app)->ap_next )
/* Get to the end */ ;
a2->ap_next = *app;
diff --git a/servers/slapd/overlays/dyngroup.c b/servers/slapd/overlays/dyngroup.c
index 5d890d6650..e0e70af2d9 100644
--- a/servers/slapd/overlays/dyngroup.c
+++ b/servers/slapd/overlays/dyngroup.c
@@ -111,7 +111,7 @@ static int dgroup_cf( ConfigArgs *c )
*/
a2 = ch_malloc( sizeof(adpair) );
- for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next )
+ for ( app = (adpair **)&on->on_bi.bi_private; *app; app = &(*app)->ap_next )
/* Get to the end */ ;
a2->ap_mem = ap.ap_mem;
diff --git a/servers/slapd/overlays/valsort.c b/servers/slapd/overlays/valsort.c
index 3d998e2fcb..e251500d0b 100644
--- a/servers/slapd/overlays/valsort.c
+++ b/servers/slapd/overlays/valsort.c
@@ -201,7 +201,7 @@ valsort_cf_func(ConfigArgs *c) {
return(1);
}
- for ( vip = &on->on_bi.bi_private; *vip; vip = &(*vip)->vi_next )
+ for ( vip = (valsort_info **)&on->on_bi.bi_private; *vip; vip = &(*vip)->vi_next )
/* Get to the end */ ;
vi = ch_malloc( sizeof(valsort_info) );
--
GitLab


@ -0,0 +1,92 @@
From 5f4569f0605a73eb1a282ee5251ead073ed3b26e Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Tue, 26 Nov 2024 12:32:07 -0800
Subject: [PATCH] libldap: avoid SSL context cleanup during library destruction
Given that libldap can be pulled into random applications and applications
are allowed to call OPENSSL_cleanup() before exiting, the only sane thing
to do is to avoid trying to touch SSL context in ldap destructors, and just
let them leak if the application does not explicitly free the ldap context.
Add ldap_int_tls_destroy_safe() which skips SSL context cleanup while
maintaining all other cleanup operations, and use it in the library
destructor path.
Fixes: https://bugs.openldap.org/show_bug.cgi?id=9952
---
libraries/libldap/init.c | 2 +-
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/tls2.c | 25 +++++++++++++++++++++----
3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 213276b4b5..aa017f4128 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -545,7 +545,7 @@ ldap_int_destroy_global_options(void)
}
#endif
#ifdef HAVE_TLS
- ldap_int_tls_destroy( gopts );
+ ldap_int_tls_destroy_safe( gopts );
#endif
}
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 7e754775e8..b73097ccc7 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -914,6 +914,7 @@ LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
LDAPConn *conn, LDAPURLDesc *srv ));
LDAP_F (void) ldap_int_tls_destroy LDAP_P(( struct ldapoptions *lo ));
+LDAP_F (void) ldap_int_tls_destroy_safe LDAP_P(( struct ldapoptions *lo ));
/*
* in getvalues.c
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 0841005a59..82f8573602 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -97,10 +97,14 @@ tls_ctx_ref( tls_ctx *ctx )
static ldap_pvt_thread_mutex_t tls_def_ctx_mutex;
#endif
-void
-ldap_int_tls_destroy( struct ldapoptions *lo )
-{
- if ( lo->ldo_tls_ctx ) {
+/*
+ * Implementation function that handles all cleanup.
+ * skip_ctx_cleanup: 1 when called from destructor, 0 for normal operation
+ */
+static void
+ldap_int_tls_destroy_impl( struct ldapoptions *lo, int skip_ctx_cleanup )
+ {
+ if ( lo->ldo_tls_ctx && !skip_ctx_cleanup ) {
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
}
@@ -147,6 +151,19 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
BER_BVZERO( &lo->ldo_tls_pin );
}
+
+void
+ldap_int_tls_destroy( struct ldapoptions *lo )
+{
+ ldap_int_tls_destroy_impl(lo, 0);
+}
+
+/* Safe version for destructor use */
+void ldap_int_tls_destroy_safe( struct ldapoptions *lo )
+{
+ ldap_int_tls_destroy_impl(lo, 1);
+}
+
/*
* Tear down the TLS subsystem. Should only be called once.
*/
--
2.47.0
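Review bot: The one-line comment on `ldap_int_tls_destroy_safe()` in the tls2.c hunk does not say what "safe" costs: with `skip_ctx_cleanup` set, `ldap_int_tls_destroy_impl()` neither frees `lo->ldo_tls_ctx` nor resets it to NULL, so the context is deliberately leaked and the field stays populated after the call. I would spell that out, e.g. `/* Destructor-only: leaves lo->ldo_tls_ctx allocated and set, because the application may already have run OPENSSL_cleanup(); never use on normal teardown paths. */`. The part of `ldap_int_tls_destroy_impl()` between the two tls2.c hunks is not shown here, so it is worth confirming that none of the remaining cleanup calls into the TLS library, since that would presumably hit the same ordering problem this patch avoids. Minor style: the opening brace of `ldap_int_tls_destroy_impl` is indented by one space, and `ldap_int_tls_destroy_safe` puts the return type on the signature line, unlike the definition of `ldap_int_tls_destroy` just above it.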


@ -1,23 +0,0 @@
From c7a4bd27f5dcf93806972aab236001f1d4801e80 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 31 Jan 2024 16:00:30 +0000
Subject: [PATCH] ITS#10166 slapi: fix plugin.c plugin_pblock_new() usage
Broken in 9142da8eaf691720f7d6288954250ef085bd3da0
---
servers/slapd/slapi/plugin.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/slapi/plugin.c b/servers/slapd/slapi/plugin.c
index ca5dbead59..bfa5c10344 100644
--- a/servers/slapd/slapi/plugin.c
+++ b/servers/slapd/slapi/plugin.c
@@ -694,7 +694,7 @@ slapi_int_read_config(
int rc;
Slapi_PBlock *pPlugin;
- pPlugin = plugin_pblock_new( iType, numPluginArgc, c->argv );
+ pPlugin = plugin_pblock_new( iType, numPluginArgc, c );
if (pPlugin == NULL) {
return 1;
}


@ -16,8 +16,8 @@
%global __brp_remove_la_files %nil
Name: openldap
Version: 2.6.7
Release: 7%{?dist}
Version: 2.6.8
Release: 1%{?dist}
Summary: LDAP support libraries
License: OLDAP-2.8
URL: http://www.openldap.org/
@ -50,10 +50,7 @@ Patch6: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# System-wide default for CA certs
Patch7: openldap-openssl-manpage-defaultCA.patch
Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
Patch9: openldap-explicitly-cast-private-values.patch
# Needed for openldap-servers build
Patch10: openldap-slapi-fix-plugin-plugin_pblock_new-usage.patch
Patch11: openldap-ITS-9921-fix-vlvResult-comment.patch
Patch9: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
# check-password module specific patches
Patch90: check-password-makefile.patch
@ -176,10 +173,6 @@ pushd openldap-%{version}
%patch -P7 -p1
%patch -P8 -p1
%patch -P9 -p1
%if %{with servers}
%patch -P10 -p1
%endif
%patch -P11 -p1
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -497,6 +490,7 @@ exit 0
%{_libdir}/openldap/home*
%{_libdir}/openldap/lloadd*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/nestgroup*
%{_libdir}/openldap/otp*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
@ -566,6 +560,10 @@ exit 0
%endif
%changelog
* Mon Dec 16 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.8-1
- Rebase to version 2.6.8 (RHEL-71052)
- Avoid SSL context cleanup during library destruction (RHEL-68424)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.6.7-7
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018


@ -1,2 +1,2 @@
SHA512 (openldap-ppolicy-check-password-1.1.tar.gz) = a92854d7438cb95fac361da80a49d084d502155e8ce0ad2ea679db9529bbe0182aa4354e6139793c775e496349375d8f017678941d23315ff1c20fefc9573cdc
SHA512 (openldap-2.6.7.tgz) = ea207b84fdb7bc6cdff2bc1201fcdde6a907f5766f9637589d956ca86ecf61d4e732ab7d80f33b18b691644e1f5fa39b00ff2c7f4084c9b85760ee693a7c451e
SHA512 (openldap-2.6.8.tgz) = c86bda8a0af2645e586d56a1494a5bd486ec5dd55c47859dbabcc2bb6ddc0a8307e23c6b58228d49ee3c8bc5e4d6ead305863442efdcee3dc2ab9953097b5a77