Auto sync2gitlab import of openldap-2.4.46-18.el8.src.rpm
This commit is contained in:
		
							parent
							
								
									3643690a4f
								
							
						
					
					
						commit
						04698e993a
					
				
							
								
								
									
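--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+/openldap-2.4.46.tgz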
							
								
								
									
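--- a/check-password-makefile.patch
+++ b/check-password-makefile.patch
@@ -0,0 +1,41 @@
+--- a/Makefile	2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile	2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+ #
+ CONFIG=/etc/openldap/check_password.conf
+ 
+-OPT=-g -O2 -Wall -fpic 						\
+-	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""	\
+-	-DCONFIG_FILE="\"$(CONFIG)\""					\
++CFLAGS+=-fpic                                                  \
++	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
++	-DCONFIG_FILE="\"$(CONFIG)\""                          \
+ 	-DDEBUG
+ 
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+-	 -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+ LDAP_LIB=-lldap_r -llber
+ 
+ # Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+ all: 	check_password
+ 
+ check_password.o:
+-	$(CC) $(OPT) -c $(INCS) check_password.c
++	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+ 
+ check_password: clean check_password.o
+-	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ 
+ install: check_password
+ 	cp -f check_password.so ../../../usr/lib/openldap/modules/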
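Review bot: The new `check_password.o:` rule still expands `$(LDAP_INC)`, but the same hunk deletes the only definition of `LDAP_INC` (together with `CRACK_INC` and `INCS`), so the slapd header path now has to arrive from the environment or make's command line; presumably the spec file passes it, but the Makefile no longer says so. A short comment above the rule would make the contract visible, e.g. `# LDAP_INC is supplied by the caller (make LDAP_INC=-I<path-to-slapd-headers>)`. With `CFLAGS+=` the distribution flags are honoured, which is the point of the change, but anyone building outside the spec will now get an empty `LDAP_INC` and a failed include of `slap.h`.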
							
								
								
									
										321
									
								
								check-password.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
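--- a/check-password.patch
+++ b/check-password.patch
@@ -0,0 +1,321 @@
+--- a/check_password.c	2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c	2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+ #include <slap.h>
+ 
+ #ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+ #endif
+ 
+ #if defined(DEBUG)
+@@ -34,18 +34,77 @@
+ #define PASSWORD_TOO_SHORT_SZ \
+ 	"Password for dn=\"%s\" is too short (%d/6)"
+ #define PASSWORD_QUALITY_SZ \
+-	"Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++	"Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+ #define BAD_PASSWORD_SZ \
+ 	"Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++	"An unknown error occurred, please see your systems administrator"
+ 
+ typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+ static validator valid_word (char *);
+ static int set_quality (char *);
+ static int set_cracklib (char *);
+ 
+ int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+ 
++struct config_entry {
++	char* key;
++	char* value;
++	char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++		       { "useCracklib", NULL, "1"},
++		       { "minUpper", NULL, "0"},
++		       { "minLower", NULL, "0"},
++		       { "minDigit", NULL, "0"},
++		       { "minPunct", NULL, "0"},
++		       { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	char* key = centry[i].key;
++	while (key != NULL) {
++		if ( strncmp(key, entry, strlen(key)) == 0 ) {
++			if ( centry[i].value == NULL ) {
++				return atoi(centry[i].def_value);
++			}
++			else {
++				return atoi(centry[i].value);
++			}
++		}
++		i++;
++		key = centry[i].key;
++	}
++
++	return -1;
++}
++
++void dealloc_config_entries() {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	while (centry[i].key != NULL) {
++		if ( centry[i].value != NULL ) {
++			ber_memfree(centry[i].value);
++		}
++		i++;
++	}
++}
++
++char* chomp(char *s)
++{
++	char* t = ber_memalloc(strlen(s)+1);
++	strncpy (t,s,strlen(s)+1);
++
++	if ( t[strlen(t)-1] == '\n' ) {
++		t[strlen(t)-1] = '\0';
++	}
++
++	return t;
++}
++
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+@@ -84,12 +143,12 @@
+ 		char * parameter;
+ 		validator dealer;
+ 	} list[] = { { "minPoints", set_quality },
+-		{ "useCracklib", set_cracklib },
+-		{ "minUpper", set_digit },
+-		{ "minLower", set_digit },
+-		{ "minDigit", set_digit },
+-		{ "minPunct", set_digit },
+-		{ NULL, NULL } };
++		     { "useCracklib", set_cracklib },
++		     { "minUpper", set_digit },
++		     { "minLower", set_digit },
++		     { "minDigit", set_digit },
++		     { "minPunct", set_digit },
++		     { NULL, NULL } };
+ 	int index = 0;
+ 
+ #if defined(DEBUG)
+@@ -98,7 +157,7 @@
+ 
+ 	while (list[index].parameter != NULL) {
+ 		if (strlen(word) == strlen(list[index].parameter) &&
+-				strcmp(list[index].parameter, word) == 0) {
++		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+ 			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ #endif
+@@ -114,13 +173,15 @@
+ 	return NULL;
+ }
+ 
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+ {
+ 	FILE * config;
+ 	char * line;
+ 	int returnValue =  -1;
+ 
+-	if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++	line = ber_memcalloc(260, sizeof(char));
++
++	if ( line == NULL ) {
+ 		return returnValue;
+ 	}
+ 
+@@ -133,6 +194,8 @@
+ 		return returnValue;
+ 	}
+ 
++	returnValue = 0;
++
+ 	while (fgets(line, 256, config) != NULL) {
+ 		char *start = line;
+ 		char *word, *value;
+@@ -145,23 +208,40 @@
+ 
+ 		while (isspace(*start) && isascii(*start)) start++;
+ 
+-		if (! isascii(*start))
++		/* If we've got punctuation, just skip the line. */
++		if ( ispunct(*start)) {
++#if defined(DEBUG)
++			/* Debug traces to syslog. */
++			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+ 			continue;
++		}
+ 
+-		if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+-			if ((value = strtok(NULL, " \t")) == NULL)
+-				continue;
++		if( isascii(*start)) {
++
++			struct config_entry* centry = config_entries;
++			int i = 0;
++			char* keyWord = centry[i].key;
++			if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++				while ( keyWord != NULL ) {
++					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+ 
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ #endif
+ 
+-			returnValue = (*dealer)(value);
++						centry[i].value = chomp(value);
++						break;
++					}
++					i++;
++					keyWord = centry[i].key;
++				}
++			}
+ 		}
+ 	}
+-
+ 	fclose(config);
+ 	ber_memfree(line);
++
+ 	return returnValue;
+ }
+ 
+@@ -170,7 +250,7 @@
+ 	if (curlen < nextlen + MEMORY_MARGIN) {
+ #if defined(DEBUG)
+ 		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+-				curlen, nextlen + MEMORY_MARGIN);
++		       curlen, nextlen + MEMORY_MARGIN);
+ #endif
+ 		ber_memfree(*target);
+ 		curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+ 	return curlen;
+ }
+ 
+-	int
++int
+ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ {
+ 
+@@ -210,20 +290,22 @@
+ 	nLen = strlen (pPasswd);
+ 	if ( nLen < 6) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_TOO_SHORT_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 1);
++						strlen(PASSWORD_TOO_SHORT_SZ) +
++						strlen(pEntry->e_name.bv_val) + 1);
+ 		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ 		goto fail;
+ 	}
+ 
+-	/* Read config file */
+-	minQuality = read_config_file("minPoints");
++	if (read_config_file() == -1) {
++		syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++	}
+ 
+-	useCracklib = read_config_file("useCracklib");
+-	minUpper = read_config_file("minUpper");
+-	minLower = read_config_file("minLower");
+-	minDigit = read_config_file("minDigit");
+-	minPunct = read_config_file("minPunct");
++	minQuality = get_config_entry_int("minPoints");
++	useCracklib = get_config_entry_int("useCracklib");
++	minUpper = get_config_entry_int("minUpper");
++	minLower = get_config_entry_int("minLower");
++	minDigit = get_config_entry_int("minDigit");
++	minPunct = get_config_entry_int("minPunct");
+ 
+ 	/** The password must have at least minQuality strength points with one
+ 	 * point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+ 
+ 	for ( i = 0; i < nLen; i++ ) {
+ 
+-		if ( nQuality >= minQuality ) break;
+-
+ 		if ( islower (pPasswd[i]) ) {
+ 			minLower--;
+ 			if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+ 		}
+ 	}
+ 
+-	if ( nQuality < minQuality ) {
++	/*
++	 * If you have a required field, then it should be required in the strength
++	 * checks.
++	 */
++
++	if (
++		(minLower > 0 ) ||
++		(minUpper > 0 ) ||
++		(minDigit > 0 ) ||
++		(minPunct > 0 ) ||
++		(nQuality < minQuality)
++		) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_QUALITY_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 2);
++						strlen(PASSWORD_QUALITY_SZ) +
++						strlen(pEntry->e_name.bv_val) + 2);
+ 		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+-				nQuality, minQuality);
++			 nQuality, minQuality);
+ 		goto fail;
+ 	}
+ 
+@@ -306,7 +397,7 @@
+ 		for ( j = 0; j < 3; j++ ) {
+ 
+ 			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+-					CRACKLIB_DICTPATH, ext[j]);
++				  CRACKLIB_DICTPATH, ext[j]);
+ 
+ 			if (( fp = fopen ( filename, "r")) == NULL ) {
+ 
+@@ -326,9 +417,9 @@
+ 			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ 			if ( r != NULL ) {
+ 				mem_len = realloc_error_message(&szErrStr, mem_len,
+-						strlen(BAD_PASSWORD_SZ) +
+-						strlen(pEntry->e_name.bv_val) +
+-						strlen(r));
++								strlen(BAD_PASSWORD_SZ) +
++								strlen(pEntry->e_name.bv_val) +
++								strlen(r));
+ 				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ 				goto fail;
+ 			}
+@@ -342,15 +433,15 @@
+ 	}
+ 
+ #endif
+-
++	dealloc_config_entries();
+ 	*ppErrStr = strdup ("");
+ 	ber_memfree(szErrStr);
+ 	return (LDAP_SUCCESS);
+ 
+ fail:
++	dealloc_config_entries();
+ 	*ppErrStr = strdup (szErrStr);
+ 	ber_memfree(szErrStr);
+ 	return (EXIT_FAILURE);
+ 
+ }
+-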
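Review bot: `dealloc_config_entries()` frees each `centry[i].value` but leaves the pointer set, and `read_config_file()` only assigns `centry[i].value` for keys it actually finds, so on the next `check_password()` call any entry whose key is no longer in the file (or every entry, when the file cannot be opened and the function returns -1) still holds a freed pointer; `get_config_entry_int()` then runs `atoi()` on freed memory and the second `dealloc_config_entries()` frees it again. Clear the slot after freeing, `ber_memfree(centry[i].value); centry[i].value = NULL;`, and free any previous value before the `centry[i].value = chomp(value);` assignment so a key repeated in the config does not leak. `chomp()` also uses the result of `ber_memalloc()` in `strncpy()` without a NULL check. Because `config_entries` is a file-scope array that every call writes and then frees, concurrent `check_password()` invocations race on it if slapd calls this hook from several threads at once, as I believe it does; keeping the parsed values in a per-call local array would remove both the dangling-pointer and the sharing problem.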
							
								
								
									
										28
									
								
								ldap.conf
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
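--- a/ldap.conf
+++ b/ldap.conf
@@ -0,0 +1,28 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
+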
							
								
								
									
										91
									
								
								libexec-check-config.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
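--- a/libexec-check-config.sh
+++ b/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+	retcode=0
+	tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+	run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+	if [ $? -ne 0 ]; then
+		error "Checking configuration file failed:"
+		cat $tmp_slaptest >&2
+		retcode=1
+	fi
+	rm $tmp_slaptest
+	return $retcode
+}
+
+function check_certs_perms()
+{
+	retcode=0
+	for cert in `certificates`; do
+		run_as_ldap "/usr/bin/test -e \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' was not found." "$cert"
+			retcoder=1
+			continue
+		fi
+		run_as_ldap "/usr/bin/test -r \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' is not readable." "$cert"
+			retcode=1
+		fi
+	done
+	return $retcode
+}
+
+function check_db_perms()
+{
+	retcode=0
+	for dbdir in `databases`; do
+		[ -d "$dbdir" ] || continue
+		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+			if [ $? -ne 0 ]; then
+				error "Read/write permissions for DB file '%s' are required." "$dbfile"
+				retcode=1
+			fi
+		done
+	done
+	return $retcode
+}
+
+function check_everything()
+{
+	retcode=0
+	check_config_syntax || retcode=1
+	# TODO: need support for Mozilla NSS, disabling temporarily
+	#check_certs_perms || retcode=1
+	check_db_perms || retcode=1
+	return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this script."
+	exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+	if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+		error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+	else
+		check_everything
+		exit $?
+	fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+	if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+		error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+	else
+		error "Warning: Usage of a configuration file is obsolete!"
+		check_everything
+		exit $?
+	fi
+fi
+
+exit 1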
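Review bot: `retcode` is a global shared by every function here, so in `check_everything()` the `retcode=0` at the top of `check_db_perms()` overwrites the 1 recorded after `check_config_syntax` fails; if the DB permission check then passes, the script exits 0 despite a configuration that does not load. Declaring `local retcode=0` in `check_config_syntax`, `check_certs_perms`, `check_db_perms` and `check_everything` fixes that. The not-found branch of `check_certs_perms()` assigns `retcoder=1` (typo), so a missing certificate never fails the check; the function is disabled by the TODO for now, but the line should read `retcode=1`. `function` and `&>` are bash extensions under a `#!/bin/sh` shebang (the same applies to libexec-upgrade-db.sh); that is fine where /bin/sh is bash, but on a POSIX sh `&>$tmp_slaptest` would background slaptest and the following `$?` would no longer be its exit status.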
							
								
								
									
										134
									
								
								libexec-functions
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
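--- a/libexec-functions
+++ b/libexec-functions
@@ -0,0 +1,134 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+	SLAPD_USER=ldap
+	SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+	SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+	SLAPD_CONFIG_CUSTOM=
+	SLAPD_GLOBAL_OPTIONS=
+	SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+	user=
+	config_file=
+	config_dir=
+	while getopts :u:f:F: opt; do
+		case "$opt" in
+		u)
+			user="$OPTARG"
+			;;
+		f)
+			config_file="$OPTARG"
+			;;
+		F)
+			config_dir="$OPTARG"
+			;;
+		esac
+	done
+
+	if [ -n "$user" ]; then
+		SLAPD_USER="$user"
+	fi
+
+	if [ -n "$config_dir" ]; then
+		SLAPD_CONFIG_DIR="$config_dir"
+		SLAPD_CONFIG_FILE=
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+	elif [ -n "$config_file" ]; then
+		SLAPD_CONFIG_DIR=
+		SLAPD_CONFIG_FILE="$config_file"
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+	fi
+}
+
+function uses_new_config()
+{
+	[ -n "$SLAPD_CONFIG_DIR" ]
+	return $?
+}
+
+function run_as_ldap()
+{
+	/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+	return $?
+}
+
+function ldif_unbreak()
+{
+	sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+	sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c \
+	-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcDbDirectory: ' | \
+		ldif_value
+}
+
+function databases_old()
+{
+	awk	'begin { database="" }
+		$1 == "database" { database=$2 }
+		$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+		ldif_value
+}
+
+function certificates_old()
+{
+	awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+	uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+	uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+	format="$1\n"; shift
+	printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+	[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+	. "$SLAPD_SYSCONFIG_FILE"
+	[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config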
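Review bot: `databases_new()` and `certificates_new()` expand `$SLAPD_GLOBAL_OPTIONS` unquoted as direct arguments to `slapcat`, but `parse_config_options()` builds that variable as `-F '$config_dir'` with literal single quotes meant for re-parsing by the shell inside `run_as_ldap()`; when `SLAPD_OPTIONS` sets `-F` or `-f`, slapcat presumably receives the quote characters as part of the path, fails, and the `2>/dev/null` pipeline yields no databases or certificates. Either keep a second, unquoted variable for direct invocations or pass `-F "$SLAPD_CONFIG_DIR"` explicitly in those two functions. `error()` hands `$@` to `printf` unquoted, so an argument containing whitespace is split across several `%s` conversions; it should be `printf "$format" "$@" >&2`. In `databases_old()` the pattern `begin` is lowercase, so awk treats it as an empty variable rather than the `BEGIN` block and never runs it; that is only harmless because awk variables default to the empty string.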
							
								
								
									
										40
									
								
								libexec-upgrade-db.sh
									
									
									
									
									
										Executable file
									
								
							
							
						
						
									
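--- a/libexec-upgrade-db.sh
+++ b/libexec-upgrade-db.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this command."
+	exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+	upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+	bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+	# skip uninitialized database
+	[ -z "$bdb_files"]  || continue
+
+	printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+	# perform the update
+	for command in \
+		"/usr/bin/db_recover -v -h \"$dbdir\"" \
+		"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+		"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+	; do
+		printf "Executing: %s\n" "$command" &>>$upgrade_log
+		run_as_ldap "$command" &>>$upgrade_log
+		result=$?
+		printf "Exit code: %d\n" $result >>"$upgrade_log"
+		if [ $result -ne 0 ]; then
+			printf "Upgrade failed: %d\n" $result
+			retcode=1
+		fi
+	done
+done
+
+exit $retcode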
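Review bot: The guard `[ -z "$bdb_files"]  || continue` has no space before the closing bracket, so when files are present `test` sees `]` glued onto the file list, reports a missing `]` with a non-zero status, and the loop skips every initialized database; when the list is empty the word collapses to a bare `]`, the test succeeds, and the uninitialized directory is the one that gets "upgraded". The condition is also inverted relative to the `# skip uninitialized database` comment even with the space restored. Replace the line with `[ -n "$bdb_files" ] || continue`. `bdb_files` is assembled from `find -printf '"%f" '` and re-parsed by the shell inside `run_as_ldap`, which is acceptable for the slapd-owned directories this iterates over but would break on a file name containing a quote.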
							
								
								
									
									
										339
									
								
								openldap-add-TLS_REQSAN-option.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,339 @@ | |||||||
|  | From c8050d1e6eb0f4f3deb187224945ddcfc3baa4d6 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Howard Chu <hyc@openldap.org> | ||||||
|  | Date: Fri, 21 Aug 2020 09:15:15 +0100 | ||||||
|  | Subject: [PATCH] ITS#9318 add TLS_REQSAN option | ||||||
|  | 
 | ||||||
|  | Add an option to specify how subjectAlternativeNames should be | ||||||
|  | handled when validating the names in a server certificate. | ||||||
|  | ---
 | ||||||
|  |  doc/man/man3/ldap_get_option.3 |  9 +++++++ | ||||||
|  |  doc/man/man5/ldap.conf.5       | 31 +++++++++++++++++++++++ | ||||||
|  |  include/ldap.h                 |  1 + | ||||||
|  |  libraries/libldap/init.c       |  2 ++ | ||||||
|  |  libraries/libldap/ldap-int.h   |  1 + | ||||||
|  |  libraries/libldap/tls2.c       | 16 ++++++++++++ | ||||||
|  |  libraries/libldap/tls_g.c      | 46 ++++++++++++++++++++++++++++++++-- | ||||||
|  |  libraries/libldap/tls_o.c      | 44 ++++++++++++++++++++++++++++++-- | ||||||
|  |  8 files changed, 146 insertions(+), 4 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
 | ||||||
|  | index d229ce6e3..7d760136f 100644
 | ||||||
|  | --- a/doc/man/man3/ldap_get_option.3
 | ||||||
|  | +++ b/doc/man/man3/ldap_get_option.3
 | ||||||
|  | @@ -788,6 +788,15 @@ one of
 | ||||||
|  |  .BR LDAP_OPT_X_TLS_ALLOW , | ||||||
|  |  .BR LDAP_OPT_X_TLS_TRY . | ||||||
|  |  .TP | ||||||
|  | +.B LDAP_OPT_X_TLS_REQUIRE_SAN
 | ||||||
|  | +Sets/gets the peer certificate subjectAlternativeName checking strategy,
 | ||||||
|  | +one of
 | ||||||
|  | +.BR LDAP_OPT_X_TLS_NEVER ,
 | ||||||
|  | +.BR LDAP_OPT_X_TLS_HARD ,
 | ||||||
|  | +.BR LDAP_OPT_X_TLS_DEMAND ,
 | ||||||
|  | +.BR LDAP_OPT_X_TLS_ALLOW ,
 | ||||||
|  | +.BR LDAP_OPT_X_TLS_TRY .
 | ||||||
|  | +.TP
 | ||||||
|  |  .B LDAP_OPT_X_TLS_SSL_CTX | ||||||
|  |  Gets the TLS session context associated with this handle. | ||||||
|  |  .BR outvalue | ||||||
|  | diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
 | ||||||
|  | index 2f1ee886d..cde2c875f 100644
 | ||||||
|  | --- a/doc/man/man5/ldap.conf.5
 | ||||||
|  | +++ b/doc/man/man5/ldap.conf.5
 | ||||||
|  | @@ -464,6 +464,37 @@ certificate is provided, or a bad certificate is provided, the session
 | ||||||
|  |  is immediately terminated. This is the default setting. | ||||||
|  |  .RE | ||||||
|  |  .TP | ||||||
|  | +.B TLS_REQSAN <level>
 | ||||||
|  | +Specifies what checks to perform on the subjectAlternativeName
 | ||||||
|  | +(SAN) extensions in a server certificate when validating the certificate
 | ||||||
|  | +name against the specified hostname of the server. The
 | ||||||
|  | +.B <level>
 | ||||||
|  | +can be specified as one of the following keywords:
 | ||||||
|  | +.RS
 | ||||||
|  | +.TP
 | ||||||
|  | +.B never
 | ||||||
|  | +The client will not check any SAN in the certificate.
 | ||||||
|  | +.TP
 | ||||||
|  | +.B allow
 | ||||||
|  | +The SAN is checked against the specified hostname. If a SAN is
 | ||||||
|  | +present but none match the specified hostname, the SANs are ignored
 | ||||||
|  | +and the usual check against the certificate DN is used.
 | ||||||
|  | +This is the default setting.
 | ||||||
|  | +.TP
 | ||||||
|  | +.B try
 | ||||||
|  | +The SAN is checked against the specified hostname. If no SAN is present
 | ||||||
|  | +in the server certificate, the usual check against the certificate DN
 | ||||||
|  | +is used. If a SAN is present but doesn't match the specified hostname,
 | ||||||
|  | +the session is immediately terminated. This setting may be preferred
 | ||||||
|  | +when a mix of certs with and without SANs are in use.
 | ||||||
|  | +.TP
 | ||||||
|  | +.B demand | hard
 | ||||||
|  | +These keywords are equivalent. The SAN is checked against the specified
 | ||||||
|  | +hostname. If no SAN is present in the server certificate, or no SANs
 | ||||||
|  | +match, the session is immediately terminated. This setting should be
 | ||||||
|  | +used when only certificates with SANs are in use.
 | ||||||
|  | +.RE
 | ||||||
|  | +.TP
 | ||||||
|  |  .B TLS_CRLCHECK <level> | ||||||
|  |  Specifies if the Certificate Revocation List (CRL) of the CA should be  | ||||||
|  |  used to verify if the server certificates have not been revoked. This | ||||||
|  | diff --git a/include/ldap.h b/include/ldap.h
 | ||||||
|  | index 4b81a6841..4877de24a 100644
 | ||||||
|  | --- a/include/ldap.h
 | ||||||
|  | +++ b/include/ldap.h
 | ||||||
|  | @@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
 | ||||||
|  |  #define LDAP_OPT_X_TLS_PACKAGE		0x6011 | ||||||
|  |  #define LDAP_OPT_X_TLS_ECNAME		0x6012 | ||||||
|  |  #define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */ | ||||||
|  | +#define LDAP_OPT_X_TLS_REQUIRE_SAN	0x601a
 | ||||||
|  |   | ||||||
|  |  #define LDAP_OPT_X_TLS_NEVER	0 | ||||||
|  |  #define LDAP_OPT_X_TLS_HARD		1 | ||||||
|  | diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
 | ||||||
|  | index d503019aa..0d91808ec 100644
 | ||||||
|  | --- a/libraries/libldap/init.c
 | ||||||
|  | +++ b/libraries/libldap/init.c
 | ||||||
|  | @@ -128,6 +128,7 @@ static const struct ol_attribute {
 | ||||||
|  |    	{0, ATTR_TLS,	"TLS_CACERT",		NULL,	LDAP_OPT_X_TLS_CACERTFILE}, | ||||||
|  |    	{0, ATTR_TLS,	"TLS_CACERTDIR",	NULL,	LDAP_OPT_X_TLS_CACERTDIR}, | ||||||
|  |    	{0, ATTR_TLS,	"TLS_REQCERT",		NULL,	LDAP_OPT_X_TLS_REQUIRE_CERT}, | ||||||
|  | +	{0, ATTR_TLS,	"TLS_REQSAN",		NULL,	LDAP_OPT_X_TLS_REQUIRE_SAN},
 | ||||||
|  |  	{0, ATTR_TLS,	"TLS_RANDFILE",		NULL,	LDAP_OPT_X_TLS_RANDOM_FILE}, | ||||||
|  |  	{0, ATTR_TLS,	"TLS_CIPHER_SUITE",	NULL,	LDAP_OPT_X_TLS_CIPHER_SUITE}, | ||||||
|  |  	{0, ATTR_TLS,	"TLS_PROTOCOL_MIN",	NULL,	LDAP_OPT_X_TLS_PROTOCOL_MIN}, | ||||||
|  | @@ -624,6 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
 | ||||||
|  |  	gopts->ldo_tls_connect_cb = NULL; | ||||||
|  |  	gopts->ldo_tls_connect_arg = NULL; | ||||||
|  |  	gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; | ||||||
|  | +	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
 | ||||||
|  |  #endif | ||||||
|  |  	gopts->ldo_keepalive_probes = 0; | ||||||
|  |  	gopts->ldo_keepalive_interval = 0; | ||||||
|  | diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
 | ||||||
|  | index 753014ad0..2bf5d4ff6 100644
 | ||||||
|  | --- a/libraries/libldap/ldap-int.h
 | ||||||
|  | +++ b/libraries/libldap/ldap-int.h
 | ||||||
|  | @@ -262,6 +262,7 @@ struct ldapoptions {
 | ||||||
|  |     	int			ldo_tls_require_cert; | ||||||
|  |  	int			ldo_tls_impl; | ||||||
|  |     	int			ldo_tls_crlcheck; | ||||||
|  | +	int			ldo_tls_require_san;
 | ||||||
|  |  #define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0 | ||||||
|  |  #else | ||||||
|  |  #define LDAP_LDO_TLS_NULLARG | ||||||
|  | diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 | ||||||
|  | index 6a2113255..670292c22 100644
 | ||||||
|  | --- a/libraries/libldap/tls2.c
 | ||||||
|  | +++ b/libraries/libldap/tls2.c
 | ||||||
|  | @@ -539,6 +539,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 | ||||||
|  |  		return ldap_pvt_tls_set_option( ld, option, (void *) arg ); | ||||||
|  |   | ||||||
|  |  	case LDAP_OPT_X_TLS_REQUIRE_CERT: | ||||||
|  | +	case LDAP_OPT_X_TLS_REQUIRE_SAN:
 | ||||||
|  |  	case LDAP_OPT_X_TLS: | ||||||
|  |  		i = -1; | ||||||
|  |  		if ( strcasecmp( arg, "never" ) == 0 ) { | ||||||
|  | @@ -669,6 +670,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 | ||||||
|  |  	case LDAP_OPT_X_TLS_REQUIRE_CERT: | ||||||
|  |  		*(int *)arg = lo->ldo_tls_require_cert; | ||||||
|  |  		break; | ||||||
|  | +	case LDAP_OPT_X_TLS_REQUIRE_SAN:
 | ||||||
|  | +		*(int *)arg = lo->ldo_tls_require_san;
 | ||||||
|  | +		break;
 | ||||||
|  |  #ifdef HAVE_OPENSSL_CRL | ||||||
|  |  	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */ | ||||||
|  |  		*(int *)arg = lo->ldo_tls_crlcheck; | ||||||
|  | @@ -818,6 +822,18 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 | ||||||
|  |  			return 0; | ||||||
|  |  		} | ||||||
|  |  		return -1; | ||||||
|  | +	case LDAP_OPT_X_TLS_REQUIRE_SAN:
 | ||||||
|  | +		if ( !arg ) return -1;
 | ||||||
|  | +		switch( *(int *) arg ) {
 | ||||||
|  | +		case LDAP_OPT_X_TLS_NEVER:
 | ||||||
|  | +		case LDAP_OPT_X_TLS_DEMAND:
 | ||||||
|  | +		case LDAP_OPT_X_TLS_ALLOW:
 | ||||||
|  | +		case LDAP_OPT_X_TLS_TRY:
 | ||||||
|  | +		case LDAP_OPT_X_TLS_HARD:
 | ||||||
|  | +			lo->ldo_tls_require_san = * (int *) arg;
 | ||||||
|  | +			return 0;
 | ||||||
|  | +		}
 | ||||||
|  | +		return -1;
 | ||||||
|  |  #ifdef HAVE_OPENSSL_CRL | ||||||
|  |  	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */ | ||||||
|  |  		if ( !arg ) return -1; | ||||||
|  | diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
 | ||||||
|  | index 15ce0bbb8..e3486c9b4 100644
 | ||||||
|  | --- a/libraries/libldap/tls_g.c
 | ||||||
|  | +++ b/libraries/libldap/tls_g.c
 | ||||||
|  | @@ -496,6 +496,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 | ||||||
|  |  { | ||||||
|  |  	tlsg_session *s = (tlsg_session *)session; | ||||||
|  |  	int i, ret; | ||||||
|  | +	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
 | ||||||
|  |  	const gnutls_datum_t *peer_cert_list; | ||||||
|  |  	unsigned int list_size; | ||||||
|  |  	char altname[NI_MAXHOST]; | ||||||
|  | @@ -558,12 +559,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 | ||||||
|  |  		} | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  | +	if (chkSAN) {
 | ||||||
|  |  	for ( i=0, ret=0; ret >= 0; i++ ) { | ||||||
|  |  		altnamesize = sizeof(altname); | ||||||
|  |  		ret = gnutls_x509_crt_get_subject_alt_name( cert, i,  | ||||||
|  |  			altname, &altnamesize, NULL ); | ||||||
|  |  		if ( ret < 0 ) break; | ||||||
|  |   | ||||||
|  | +		gotSAN = 1;
 | ||||||
|  |  		/* ignore empty */ | ||||||
|  |  		if ( altnamesize == 0 ) continue; | ||||||
|  |   | ||||||
|  | @@ -599,7 +602,45 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 | ||||||
|  |  	} | ||||||
|  |  	if ( ret >= 0 ) { | ||||||
|  |  		ret = LDAP_SUCCESS; | ||||||
|  | -	} else {
 | ||||||
|  | +	}
 | ||||||
|  | +	}
 | ||||||
|  | +	if (ret != LDAP_SUCCESS && chkSAN) {
 | ||||||
|  | +		switch(chkSAN) {
 | ||||||
|  | +		case LDAP_OPT_X_TLS_DEMAND:
 | ||||||
|  | +		case LDAP_OPT_X_TLS_HARD:
 | ||||||
|  | +			if (!gotSAN) {
 | ||||||
|  | +				Debug( LDAP_DEBUG_ANY,
 | ||||||
|  | +					"TLS: unable to get subjectAltName from peer certificate.\n",
 | ||||||
|  | +					0, 0, 0 );
 | ||||||
|  | +				ret = LDAP_CONNECT_ERROR;
 | ||||||
|  | +				if ( ld->ld_error ) {
 | ||||||
|  | +					LDAP_FREE( ld->ld_error );
 | ||||||
|  | +				}
 | ||||||
|  | +				ld->ld_error = LDAP_STRDUP(
 | ||||||
|  | +					_("TLS: unable to get subjectAltName from peer certificate"));
 | ||||||
|  | +				goto done;
 | ||||||
|  | +			}
 | ||||||
|  | +			/* FALLTHRU */
 | ||||||
|  | +		case LDAP_OPT_X_TLS_TRY:
 | ||||||
|  | +			if (gotSAN) {
 | ||||||
|  | +				Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
 | ||||||
|  | +					"subjectAltName in certificate.\n",
 | ||||||
|  | +					name, 0, 0 );
 | ||||||
|  | +				ret = LDAP_CONNECT_ERROR;
 | ||||||
|  | +				if ( ld->ld_error ) {
 | ||||||
|  | +					LDAP_FREE( ld->ld_error );
 | ||||||
|  | +				}
 | ||||||
|  | +				ld->ld_error = LDAP_STRDUP(
 | ||||||
|  | +					_("TLS: hostname does not match subjectAltName in peer certificate"));
 | ||||||
|  | +				goto done;
 | ||||||
|  | +			}
 | ||||||
|  | +			break;
 | ||||||
|  | +		case LDAP_OPT_X_TLS_ALLOW:
 | ||||||
|  | +			break;
 | ||||||
|  | +		}
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	if ( ret != LDAP_SUCCESS ){
 | ||||||
|  |  		/* find the last CN */ | ||||||
|  |  		i=0; | ||||||
|  |  		do { | ||||||
|  | @@ -654,9 +695,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 | ||||||
|  |  				LDAP_FREE( ld->ld_error ); | ||||||
|  |  			} | ||||||
|  |  			ld->ld_error = LDAP_STRDUP( | ||||||
|  | -				_("TLS: hostname does not match CN in peer certificate"));
 | ||||||
|  | +				_("TLS: hostname does not match name in peer certificate"));
 | ||||||
|  |  		} | ||||||
|  |  	} | ||||||
|  | +done:
 | ||||||
|  |  	gnutls_x509_crt_deinit( cert ); | ||||||
|  |  	return ret; | ||||||
|  |  } | ||||||
|  | diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 | ||||||
|  | index 4006f7a4f..6f27168e9 100644
 | ||||||
|  | --- a/libraries/libldap/tls_o.c
 | ||||||
|  | +++ b/libraries/libldap/tls_o.c
 | ||||||
|  | @@ -600,6 +600,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 | ||||||
|  |  { | ||||||
|  |  	tlso_session *s = (tlso_session *)sess; | ||||||
|  |  	int i, ret = LDAP_LOCAL_ERROR; | ||||||
|  | +	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
 | ||||||
|  |  	X509 *x; | ||||||
|  |  	const char *name; | ||||||
|  |  	char *ptr; | ||||||
|  | @@ -638,7 +639,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 | ||||||
|  |  	if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) { | ||||||
|  |  		if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4; | ||||||
|  |  	} | ||||||
|  | -	
 | ||||||
|  | +
 | ||||||
|  | +	if (chkSAN) {
 | ||||||
|  |  	i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); | ||||||
|  |  	if (i >= 0) { | ||||||
|  |  		X509_EXTENSION *ex; | ||||||
|  | @@ -651,6 +653,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 | ||||||
|  |  			char *domain = NULL; | ||||||
|  |  			GENERAL_NAME *gn; | ||||||
|  |   | ||||||
|  | +			gotSAN = 1;
 | ||||||
|  |  			if (ntype == IS_DNS) { | ||||||
|  |  				domain = strchr(name, '.'); | ||||||
|  |  				if (domain) { | ||||||
|  | @@ -709,6 +712,42 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 | ||||||
|  |  			} | ||||||
|  |  		} | ||||||
|  |  	} | ||||||
|  | +	}
 | ||||||
|  | +	if (ret != LDAP_SUCCESS && chkSAN) {
 | ||||||
|  | +		switch(chkSAN) {
 | ||||||
|  | +		case LDAP_OPT_X_TLS_DEMAND:
 | ||||||
|  | +		case LDAP_OPT_X_TLS_HARD:
 | ||||||
|  | +			if (!gotSAN) {
 | ||||||
|  | +				Debug( LDAP_DEBUG_ANY,
 | ||||||
|  | +					"TLS: unable to get subjectAltName from peer certificate.\n",
 | ||||||
|  | +					0, 0, 0 );
 | ||||||
|  | +				ret = LDAP_CONNECT_ERROR;
 | ||||||
|  | +				if ( ld->ld_error ) {
 | ||||||
|  | +					LDAP_FREE( ld->ld_error );
 | ||||||
|  | +				}
 | ||||||
|  | +				ld->ld_error = LDAP_STRDUP(
 | ||||||
|  | +					_("TLS: unable to get subjectAltName from peer certificate"));
 | ||||||
|  | +				goto done;
 | ||||||
|  | +			}
 | ||||||
|  | +			/* FALLTHRU */
 | ||||||
|  | +		case LDAP_OPT_X_TLS_TRY:
 | ||||||
|  | +			if (gotSAN) {
 | ||||||
|  | +				Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
 | ||||||
|  | +					"subjectAltName in certificate.\n",
 | ||||||
|  | +					name, 0, 0 );
 | ||||||
|  | +				ret = LDAP_CONNECT_ERROR;
 | ||||||
|  | +				if ( ld->ld_error ) {
 | ||||||
|  | +					LDAP_FREE( ld->ld_error );
 | ||||||
|  | +				}
 | ||||||
|  | +				ld->ld_error = LDAP_STRDUP(
 | ||||||
|  | +					_("TLS: hostname does not match subjectAltName in peer certificate"));
 | ||||||
|  | +				goto done;
 | ||||||
|  | +			}
 | ||||||
|  | +			break;
 | ||||||
|  | +		case LDAP_OPT_X_TLS_ALLOW:
 | ||||||
|  | +			break;
 | ||||||
|  | +		}
 | ||||||
|  | +	}
 | ||||||
|  |   | ||||||
|  |  	if (ret != LDAP_SUCCESS) { | ||||||
|  |  		X509_NAME *xn; | ||||||
|  | @@ -772,9 +811,10 @@ no_cn:
 | ||||||
|  |  				LDAP_FREE( ld->ld_error ); | ||||||
|  |  			} | ||||||
|  |  			ld->ld_error = LDAP_STRDUP( | ||||||
|  | -				_("TLS: hostname does not match CN in peer certificate"));
 | ||||||
|  | +				_("TLS: hostname does not match name in peer certificate"));
 | ||||||
|  |  		} | ||||||
|  |  	} | ||||||
|  | +done:
 | ||||||
|  |  	X509_free(x); | ||||||
|  |  	return ret; | ||||||
|  |  } | ||||||
|  | -- 
 | ||||||
|  | 2.31.1 | ||||||
|  | 
 | ||||||
							
								
								
									
										20
									
								
								openldap-ai-addrconfig.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @ -0,0 +1,20 @@ | |||||||
|  | use AI_ADDRCONFIG if defined in the environment | ||||||
|  | 
 | ||||||
|  | Author: Jan Vcelak <jvcelak@redhat.com> | ||||||
|  | Upstream ITS: #7326 | ||||||
|  | Resolves: #835013 | ||||||
|  | 
 | ||||||
|  | diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
 | ||||||
|  | index b31e05d..fa361ab 100644
 | ||||||
|  | --- a/libraries/libldap/os-ip.c
 | ||||||
|  | +++ b/libraries/libldap/os-ip.c
 | ||||||
|  | @@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
 | ||||||
|  |   | ||||||
|  |  #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) | ||||||
|  |  	memset( &hints, '\0', sizeof(hints) ); | ||||||
|  | -#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
 | ||||||
|  | -	/* Use AI_ADDRCONFIG only on systems where its known to be needed. */
 | ||||||
|  | +#ifdef AI_ADDRCONFIG
 | ||||||
|  |  	hints.ai_flags = AI_ADDRCONFIG; | ||||||
|  |  #endif | ||||||
|  |  	hints.ai_family = ldap_int_inet4or6; | ||||||
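Review bot: The new `#ifdef AI_ADDRCONFIG` guard drops the comment that explained why the flag used to be opt-in, so the behaviour change — the flag is now set on every platform whose headers define the macro — is undocumented in the code. AI_ADDRCONFIG makes getaddrinfo() filter results by the address families currently configured on the host, so on a machine with no non-loopback address a lookup may return no records at all; that trade-off is worth stating where the flag is set. I'd keep a one-line comment above it, e.g. `/* AI_ADDRCONFIG: only return families the host has configured (ITS#7326) */`. ldap_connect_to_host continues outside the hunk.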
							
								
								
									
										40
									
								
								openldap-allop-overlay.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @ -0,0 +1,40 @@ | |||||||
|  | Compile AllOp together with other overlays. | ||||||
|  | 
 | ||||||
|  | Author: Matus Honek <mhonek@redhat.com> | ||||||
|  | Resolves: #1319782 | ||||||
|  | 
 | ||||||
|  | diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
 | ||||||
|  | --- a/servers/slapd/overlays/Makefile.in
 | ||||||
|  | +++ b/servers/slapd/overlays/Makefile.in
 | ||||||
|  | @@ -33,7 +33,8 @@ SRCS = overlays.c \
 | ||||||
|  |  	translucent.c \ | ||||||
|  |  	unique.c \ | ||||||
|  |  	valsort.c \ | ||||||
|  | -	smbk5pwd.c
 | ||||||
|  | +	smbk5pwd.c \
 | ||||||
|  | +	allop.c
 | ||||||
|  |  OBJS = statover.o \ | ||||||
|  |  	@SLAPD_STATIC_OVERLAYS@ \ | ||||||
|  |  	overlays.o | ||||||
|  | @@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
 | ||||||
|  |  UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) | ||||||
|  |   | ||||||
|  |  LIBRARY = ../liboverlays.a | ||||||
|  | -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
 | ||||||
|  | +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
 | ||||||
|  |   | ||||||
|  |  XINCPATH = -I.. -I$(srcdir)/.. | ||||||
|  |  XDEFS = $(MODULES_CPPFLAGS) | ||||||
|  | @@ -125,6 +126,12 @@ unique.la : unique.lo
 | ||||||
|  |  smbk5pwd.la : smbk5pwd.lo | ||||||
|  |  	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) | ||||||
|  |   | ||||||
|  | +allop.lo : allop.c
 | ||||||
|  | +	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
 | ||||||
|  | +
 | ||||||
|  | +allop.la : allop.lo
 | ||||||
|  | +	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
 | ||||||
|  | +
 | ||||||
|  |  install-local:	$(PROGRAMS) | ||||||
|  |  	@if test -n "$?" ; then \ | ||||||
|  |  		$(MKDIR) $(DESTDIR)$(moduledir); \ | ||||||
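Review bot: The new `allop.lo` rule copies `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags)` verbatim from the smbk5pwd rule above it, and the `allop.la` link rule likewise pulls in the OpenSSL libs; unless allop.c actually references Samba or OpenSSL symbols (not visible here), these look like copy-paste rather than a requirement. I'd trim them to `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`, or add a comment saying why allop needs the extra definitions. `$(shell …)` is also GNU-make-specific inside a Makefile.in, though the existing smbk5pwd rule already relies on it.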
							
								
								
									
										291
									
								
								openldap-cbinding-Add-channel-binding-support.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @ -0,0 +1,291 @@ | |||||||
|  | From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Howard Chu <hyc@openldap.org> | ||||||
|  | Date: Mon, 26 Aug 2013 23:31:48 -0700 | ||||||
|  | Subject: [PATCH] Add channel binding support | ||||||
|  | 
 | ||||||
|  | Currently only implemented for OpenSSL. | ||||||
|  | Needs an option to set the criticality flag. | ||||||
|  | ---
 | ||||||
|  |  include/ldap_pvt.h           |  1 + | ||||||
|  |  libraries/libldap/cyrus.c    | 22 ++++++++++++++++++++++ | ||||||
|  |  libraries/libldap/ldap-int.h |  1 + | ||||||
|  |  libraries/libldap/ldap-tls.h |  2 ++ | ||||||
|  |  libraries/libldap/tls2.c     |  7 +++++++ | ||||||
|  |  libraries/libldap/tls_g.c    |  7 +++++++ | ||||||
|  |  libraries/libldap/tls_m.c    |  7 +++++++ | ||||||
|  |  libraries/libldap/tls_o.c    | 16 ++++++++++++++++ | ||||||
|  |  servers/slapd/connection.c   |  8 ++++++++ | ||||||
|  |  servers/slapd/sasl.c         | 18 ++++++++++++++++++ | ||||||
|  |  servers/slapd/slap.h         |  1 + | ||||||
|  |  11 files changed, 90 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
 | ||||||
|  | index 871e7c180..fdc9d2de3 100644
 | ||||||
|  | --- a/include/ldap_pvt.h
 | ||||||
|  | +++ b/include/ldap_pvt.h
 | ||||||
|  | @@ -430,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
 | ||||||
|  |  LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn, | ||||||
|  |  	LDAPDN_rewrite_dummy *func, unsigned flags )); | ||||||
|  |  LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx )); | ||||||
|  | +LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
 | ||||||
|  |   | ||||||
|  |  LDAP_END_DECL | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
 | ||||||
|  | index 28c241b0b..a57292800 100644
 | ||||||
|  | --- a/libraries/libldap/cyrus.c
 | ||||||
|  | +++ b/libraries/libldap/cyrus.c
 | ||||||
|  | @@ -369,6 +369,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
 | ||||||
|  |  		lc->lconn_sasl_sockctx = NULL; | ||||||
|  |  		lc->lconn_sasl_authctx = NULL; | ||||||
|  |  	} | ||||||
|  | +	if( lc->lconn_sasl_cbind ) {
 | ||||||
|  | +		ldap_memfree( lc->lconn_sasl_cbind );
 | ||||||
|  | +		lc->lconn_sasl_cbind = NULL;
 | ||||||
|  | +	}
 | ||||||
|  |   | ||||||
|  |  	return LDAP_SUCCESS; | ||||||
|  |  } | ||||||
|  | @@ -482,6 +486,24 @@ ldap_int_sasl_bind(
 | ||||||
|  |   | ||||||
|  |  			(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac ); | ||||||
|  |  			LDAP_FREE( authid.bv_val ); | ||||||
|  | +#ifdef SASL_CHANNEL_BINDING	/* 2.1.25+ */
 | ||||||
|  | +			{
 | ||||||
|  | +				char cbinding[64];
 | ||||||
|  | +				struct berval cbv = { sizeof(cbinding), cbinding };
 | ||||||
|  | +				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
 | ||||||
|  | +					sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
 | ||||||
|  | +						cbv.bv_len);
 | ||||||
|  | +					cb->name = "ldap";
 | ||||||
|  | +					cb->critical = 0;
 | ||||||
|  | +					cb->data = (char *)(cb+1);
 | ||||||
|  | +					cb->len = cbv.bv_len;
 | ||||||
|  | +					memcpy( cb->data, cbv.bv_val, cbv.bv_len );
 | ||||||
|  | +					sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
 | ||||||
|  | +						SASL_CHANNEL_BINDING, cb );
 | ||||||
|  | +					ld->ld_defconn->lconn_sasl_cbind = cb;
 | ||||||
|  | +				}
 | ||||||
|  | +			}
 | ||||||
|  | +#endif
 | ||||||
|  |  		} | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
 | ||||||
|  | index 37c342e26..1915ecab4 100644
 | ||||||
|  | --- a/libraries/libldap/ldap-int.h
 | ||||||
|  | +++ b/libraries/libldap/ldap-int.h
 | ||||||
|  | @@ -305,6 +305,7 @@ typedef struct ldap_conn {
 | ||||||
|  |  #ifdef HAVE_CYRUS_SASL | ||||||
|  |  	void		*lconn_sasl_authctx;	/* context for bind */ | ||||||
|  |  	void		*lconn_sasl_sockctx;	/* for security layer */ | ||||||
|  | +	void		*lconn_sasl_cbind;		/* for channel binding */
 | ||||||
|  |  #endif | ||||||
|  |  #ifdef HAVE_GSSAPI | ||||||
|  |  	void		*lconn_gss_ctx;		/* gss_ctx_id_t */ | ||||||
|  | diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
 | ||||||
|  | index 75661c005..1eb5ae47e 100644
 | ||||||
|  | --- a/libraries/libldap/ldap-tls.h
 | ||||||
|  | +++ b/libraries/libldap/ldap-tls.h
 | ||||||
|  | @@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
 | ||||||
|  |  typedef int (TI_session_dn)(tls_session *sess, struct berval *dn); | ||||||
|  |  typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); | ||||||
|  |  typedef int (TI_session_strength)(tls_session *sess); | ||||||
|  | +typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
 | ||||||
|  |   | ||||||
|  |  typedef void (TI_thr_init)(void); | ||||||
|  |   | ||||||
|  | @@ -64,6 +65,7 @@ typedef struct tls_impl {
 | ||||||
|  |  	TI_session_dn *ti_session_peer_dn; | ||||||
|  |  	TI_session_chkhost *ti_session_chkhost; | ||||||
|  |  	TI_session_strength *ti_session_strength; | ||||||
|  | +	TI_session_unique *ti_session_unique;
 | ||||||
|  |   | ||||||
|  |  	Sockbuf_IO *ti_sbio; | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 | ||||||
|  | index e11d1a8a3..957e73c03 100644
 | ||||||
|  | --- a/libraries/libldap/tls2.c
 | ||||||
|  | +++ b/libraries/libldap/tls2.c
 | ||||||
|  | @@ -981,6 +981,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
 | ||||||
|  |  		rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags ); | ||||||
|  |  	return rc; | ||||||
|  |  } | ||||||
|  | +
 | ||||||
|  | +int
 | ||||||
|  | +ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
 | ||||||
|  | +{
 | ||||||
|  | +	tls_session *session = s;
 | ||||||
|  | +	return tls_imp->ti_session_unique( session, buf, is_server );
 | ||||||
|  | +}
 | ||||||
|  |  #endif /* HAVE_TLS */ | ||||||
|  |   | ||||||
|  |  int | ||||||
|  | diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
 | ||||||
|  | index ed1f8f1cb..dfdc35da4 100644
 | ||||||
|  | --- a/libraries/libldap/tls_g.c
 | ||||||
|  | +++ b/libraries/libldap/tls_g.c
 | ||||||
|  | @@ -780,6 +780,12 @@ tlsg_session_strength( tls_session *session )
 | ||||||
|  |  	return gnutls_cipher_get_key_size( c ) * 8; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  | +{
 | ||||||
|  | +	return 0;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  /* suites is a string of colon-separated cipher suite names. */ | ||||||
|  |  static int | ||||||
|  |  tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) | ||||||
|  | @@ -1110,6 +1116,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlsg_session_peer_dn, | ||||||
|  |  	tlsg_session_chkhost, | ||||||
|  |  	tlsg_session_strength, | ||||||
|  | +	tlsg_session_unique,
 | ||||||
|  |   | ||||||
|  |  	&tlsg_sbio, | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 | ||||||
|  | index 072d41d56..240bd9ff6 100644
 | ||||||
|  | --- a/libraries/libldap/tls_m.c
 | ||||||
|  | +++ b/libraries/libldap/tls_m.c
 | ||||||
|  | @@ -2838,6 +2838,12 @@ tlsm_session_strength( tls_session *session )
 | ||||||
|  |  	return rc ? 0 : keySize; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  | +{
 | ||||||
|  | +	return 0;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * TLS support for LBER Sockbufs | ||||||
|  |   */ | ||||||
|  | @@ -3266,6 +3272,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlsm_session_peer_dn, | ||||||
|  |  	tlsm_session_chkhost, | ||||||
|  |  	tlsm_session_strength, | ||||||
|  | +	tlsm_session_unique,
 | ||||||
|  |   | ||||||
|  |  	&tlsm_sbio, | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 | ||||||
|  | index 3c077f895..2ecee465b 100644
 | ||||||
|  | --- a/libraries/libldap/tls_o.c
 | ||||||
|  | +++ b/libraries/libldap/tls_o.c
 | ||||||
|  | @@ -676,6 +676,21 @@ tlso_session_strength( tls_session *sess )
 | ||||||
|  |  	return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL); | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  | +{
 | ||||||
|  | +	tlso_session *s = (tlso_session *)sess;
 | ||||||
|  | +
 | ||||||
|  | +	/* Usually the client sends the finished msg. But if the
 | ||||||
|  | +	 * session was resumed, the server sent the msg.
 | ||||||
|  | +	 */
 | ||||||
|  | +	if (SSL_session_reused(s) ^ !is_server)
 | ||||||
|  | +		buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);
 | ||||||
|  | +	else
 | ||||||
|  | +		buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);
 | ||||||
|  | +	return buf->bv_len;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * TLS support for LBER Sockbufs | ||||||
|  |   */ | ||||||
|  | @@ -1283,6 +1298,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlso_session_peer_dn, | ||||||
|  |  	tlso_session_chkhost, | ||||||
|  |  	tlso_session_strength, | ||||||
|  | +	tlso_session_unique,
 | ||||||
|  |   | ||||||
|  |  	&tlso_sbio, | ||||||
|  |   | ||||||
|  | diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
 | ||||||
|  | index e34703cb3..bc2b8a4d0 100644
 | ||||||
|  | --- a/servers/slapd/connection.c
 | ||||||
|  | +++ b/servers/slapd/connection.c
 | ||||||
|  | @@ -406,6 +406,7 @@ Connection * connection_init(
 | ||||||
|  |  		c->c_sasl_sockctx = NULL; | ||||||
|  |  		c->c_sasl_extra = NULL; | ||||||
|  |  		c->c_sasl_bindop = NULL; | ||||||
|  | +		c->c_sasl_cbind = NULL;
 | ||||||
|  |   | ||||||
|  |  		c->c_sb = ber_sockbuf_alloc( ); | ||||||
|  |   | ||||||
|  | @@ -451,6 +452,7 @@ Connection * connection_init(
 | ||||||
|  |  	assert( c->c_sasl_sockctx == NULL ); | ||||||
|  |  	assert( c->c_sasl_extra == NULL ); | ||||||
|  |  	assert( c->c_sasl_bindop == NULL ); | ||||||
|  | +	assert( c->c_sasl_cbind == NULL );
 | ||||||
|  |  	assert( c->c_currentber == NULL ); | ||||||
|  |  	assert( c->c_writewaiter == 0); | ||||||
|  |  	assert( c->c_writers == 0); | ||||||
|  | @@ -1408,6 +1410,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
 | ||||||
|  |  			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 ); | ||||||
|  |  			slap_sasl_external( c, c->c_tls_ssf, &authid ); | ||||||
|  |  			if ( authid.bv_val ) free( authid.bv_val ); | ||||||
|  | +			{
 | ||||||
|  | +				char cbinding[64];
 | ||||||
|  | +				struct berval cbv = { sizeof(cbinding), cbinding };
 | ||||||
|  | +				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
 | ||||||
|  | +					slap_sasl_cbinding( c, &cbv );
 | ||||||
|  | +			}
 | ||||||
|  |  		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb, | ||||||
|  |  			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */ | ||||||
|  |  			slapd_set_write( s, 1 ); | ||||||
|  | diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
 | ||||||
|  | index 0bd6259be..57907d79b 100644
 | ||||||
|  | --- a/servers/slapd/sasl.c
 | ||||||
|  | +++ b/servers/slapd/sasl.c
 | ||||||
|  | @@ -1503,6 +1503,21 @@ int slap_sasl_external(
 | ||||||
|  |  	return LDAP_SUCCESS; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
 | ||||||
|  | +{
 | ||||||
|  | +#ifdef SASL_CHANNEL_BINDING
 | ||||||
|  | +	sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
 | ||||||
|  | +	cb->name = "ldap";
 | ||||||
|  | +	cb->critical = 0;
 | ||||||
|  | +	cb->data = (char *)(cb+1);
 | ||||||
|  | +	cb->len = cbv->bv_len;
 | ||||||
|  | +	memcpy( cb->data, cbv->bv_val, cbv->bv_len );
 | ||||||
|  | +	sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
 | ||||||
|  | +	conn->c_sasl_cbind = cb;
 | ||||||
|  | +#endif
 | ||||||
|  | +	return LDAP_SUCCESS;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  int slap_sasl_reset( Connection *conn ) | ||||||
|  |  { | ||||||
|  |  	return LDAP_SUCCESS; | ||||||
|  | @@ -1568,6 +1583,9 @@ int slap_sasl_close( Connection *conn )
 | ||||||
|  |  	free( conn->c_sasl_extra ); | ||||||
|  |  	conn->c_sasl_extra = NULL; | ||||||
|  |   | ||||||
|  | +	free( conn->c_sasl_cbind );
 | ||||||
|  | +	conn->c_sasl_cbind = NULL;
 | ||||||
|  | +
 | ||||||
|  |  #elif defined(SLAP_BUILTIN_SASL) | ||||||
|  |  	SASL_CTX *ctx = conn->c_sasl_authctx; | ||||||
|  |  	if( ctx ) { | ||||||
|  | diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
 | ||||||
|  | index 09c1854f8..4b3bbd12e 100644
 | ||||||
|  | --- a/servers/slapd/slap.h
 | ||||||
|  | +++ b/servers/slapd/slap.h
 | ||||||
|  | @@ -2910,6 +2910,7 @@ struct Connection {
 | ||||||
|  |  	void	*c_sasl_authctx;	/* SASL authentication context */ | ||||||
|  |  	void	*c_sasl_sockctx;	/* SASL security layer context */ | ||||||
|  |  	void	*c_sasl_extra;		/* SASL session extra stuff */ | ||||||
|  | +	void	*c_sasl_cbind;		/* SASL channel binding */
 | ||||||
|  |  	Operation	*c_sasl_bindop;	/* set to current op if it's a bind */ | ||||||
|  |   | ||||||
|  |  #ifdef LDAP_X_TXN | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
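Review bot: In the cyrus.c hunk of ldap_int_sasl_bind (whose body starts outside the hunk) the result of `ldap_memalloc( sizeof(*cb) + cbv.bv_len )` is dereferenced without a NULL check, and `ld->ld_defconn->lconn_sasl_cbind = cb;` overwrites whatever an earlier bind on the same connection stored, which only ldap_int_sasl_close frees; add a `if ( cb == NULL )` branch that skips the binding (or returns LDAP_NO_MEMORY) and `if ( ld->ld_defconn->lconn_sasl_cbind ) ldap_memfree( ld->ld_defconn->lconn_sasl_cbind );` before the store. slap_sasl_cbinding in sasl.c has the same unconditional replacement of `conn->c_sasl_cbind` (ch_malloc presumably aborts on failure, so only the leak applies) plus a stray `;;`, and no prototype for it appears in the diff, so connection.c may be calling it through an implicit declaration unless proto-slap.h is updated elsewhere. In tlso_session_unique (tls_o.c) `SSL_get_finished`/`SSL_get_peer_finished` report the full Finished-message length even when it exceeds the supplied count, so the 64-byte `cbinding[]` buffers in cyrus.c and connection.c would be over-read by the following memcpy if a larger message ever appeared; current TLS versions stay well under 64 bytes, but the length should be checked, as below. The hard-coded `cb->critical = 0;` (the commit message itself flags the missing option) means a peer that ignores the binding still authenticates, and a tls-unique value is only as strong as the handshake it is derived from (see RFC 7627), which is worth a comment on the `name`/`critical` assignments.
```c
static int
tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
{
	tlso_session *s = (tlso_session *)sess;
	size_t room = buf->bv_len, got;

	/* Usually the client sends the finished msg. But if the
	 * session was resumed, the server sent the msg.
	 */
	if (SSL_session_reused(s) ^ !is_server)
		got = SSL_get_finished(s, buf->bv_val, room);
	else
		got = SSL_get_peer_finished(s, buf->bv_val, room);
	/* both calls report the full message length even when it did not
	 * fit; a truncated binding must not be handed to SASL */
	if (got > room) {
		buf->bv_len = 0;
		return 0;
	}
	buf->bv_len = got;
	return buf->bv_len;
}
```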
							
								
								
									
										167
									
								
								openldap-cbinding-Convert-test077-to-LDIF-config.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @ -0,0 +1,167 @@ | |||||||
|  | From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Ryan Tandy <ryan@nardis.ca> | ||||||
|  | Date: Mon, 27 Apr 2020 23:24:16 -0700 | ||||||
|  | Subject: [PATCH] Convert test077 to LDIF config | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  tests/data/slapd-sasl-gssapi.conf | 68 ------------------------------- | ||||||
|  |  tests/scripts/defines.sh          |  1 - | ||||||
|  |  tests/scripts/test077-sasl-gssapi | 35 +++++++++++++--- | ||||||
|  |  3 files changed, 30 insertions(+), 74 deletions(-) | ||||||
|  |  delete mode 100644 tests/data/slapd-sasl-gssapi.conf | ||||||
|  | 
 | ||||||
|  | diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
 | ||||||
|  | deleted file mode 100644 | ||||||
|  | index 29ab6040b..000000000
 | ||||||
|  | --- a/tests/data/slapd-sasl-gssapi.conf
 | ||||||
|  | +++ /dev/null
 | ||||||
|  | @@ -1,68 +0,0 @@
 | ||||||
|  | -# stand-alone slapd config -- for testing (with indexing)
 | ||||||
|  | -# $OpenLDAP$
 | ||||||
|  | -## This work is part of OpenLDAP Software <http://www.openldap.org/>.
 | ||||||
|  | -##
 | ||||||
|  | -## Copyright 1998-2020 The OpenLDAP Foundation.
 | ||||||
|  | -## All rights reserved.
 | ||||||
|  | -##
 | ||||||
|  | -## Redistribution and use in source and binary forms, with or without
 | ||||||
|  | -## modification, are permitted only as authorized by the OpenLDAP
 | ||||||
|  | -## Public License.
 | ||||||
|  | -##
 | ||||||
|  | -## A copy of this license is available in the file LICENSE in the
 | ||||||
|  | -## top-level directory of the distribution or, alternatively, at
 | ||||||
|  | -## <http://www.OpenLDAP.org/license.html>.
 | ||||||
|  | -
 | ||||||
|  | -#
 | ||||||
|  | -include		@SCHEMADIR@/core.schema
 | ||||||
|  | -include		@SCHEMADIR@/cosine.schema
 | ||||||
|  | -#
 | ||||||
|  | -include		@SCHEMADIR@/corba.schema
 | ||||||
|  | -include		@SCHEMADIR@/java.schema
 | ||||||
|  | -include		@SCHEMADIR@/inetorgperson.schema
 | ||||||
|  | -include		@SCHEMADIR@/misc.schema
 | ||||||
|  | -include		@SCHEMADIR@/nis.schema
 | ||||||
|  | -include		@SCHEMADIR@/openldap.schema
 | ||||||
|  | -#
 | ||||||
|  | -include		@SCHEMADIR@/duaconf.schema
 | ||||||
|  | -include		@SCHEMADIR@/dyngroup.schema
 | ||||||
|  | -
 | ||||||
|  | -#
 | ||||||
|  | -pidfile		@TESTDIR@/slapd.1.pid
 | ||||||
|  | -argsfile	@TESTDIR@/slapd.1.args
 | ||||||
|  | -
 | ||||||
|  | -# SSL configuration
 | ||||||
|  | -TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
 | ||||||
|  | -TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
 | ||||||
|  | -TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
 | ||||||
|  | -
 | ||||||
|  | -#
 | ||||||
|  | -rootdse 	@DATADIR@/rootdse.ldif
 | ||||||
|  | -
 | ||||||
|  | -#mod#modulepath	../servers/slapd/back-@BACKEND@/
 | ||||||
|  | -#mod#moduleload	back_@BACKEND@.la
 | ||||||
|  | -#monitormod#modulepath ../servers/slapd/back-monitor/
 | ||||||
|  | -#monitormod#moduleload back_monitor.la
 | ||||||
|  | -
 | ||||||
|  | -
 | ||||||
|  | -#######################################################################
 | ||||||
|  | -# database definitions
 | ||||||
|  | -#######################################################################
 | ||||||
|  | -
 | ||||||
|  | -database	@BACKEND@
 | ||||||
|  | -suffix          "dc=example,dc=com"
 | ||||||
|  | -rootdn          "cn=Manager,dc=example,dc=com"
 | ||||||
|  | -rootpw          secret
 | ||||||
|  | -#~null~#directory	@TESTDIR@/db.1.a
 | ||||||
|  | -#indexdb#index		objectClass eq
 | ||||||
|  | -#indexdb#index		mail eq
 | ||||||
|  | -#ndb#dbname db_1_a
 | ||||||
|  | -#ndb#include @DATADIR@/ndb.conf
 | ||||||
|  | -
 | ||||||
|  | -#monitor#database	monitor
 | ||||||
|  | -
 | ||||||
|  | -sasl-realm	@KRB5REALM@
 | ||||||
|  | -sasl-host	localhost
 | ||||||
|  | -
 | ||||||
|  | -database	config
 | ||||||
|  | -rootpw		secret
 | ||||||
|  | diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
 | ||||||
|  | index f9e5578ee..a84fd0a65 100755
 | ||||||
|  | --- a/tests/scripts/defines.sh
 | ||||||
|  | +++ b/tests/scripts/defines.sh
 | ||||||
|  | @@ -114,7 +114,6 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
 | ||||||
|  |  SCHEMACONF=$DATADIR/slapd-schema.conf | ||||||
|  |  TLSCONF=$DATADIR/slapd-tls.conf | ||||||
|  |  TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf | ||||||
|  | -SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
 | ||||||
|  |  GLUECONF=$DATADIR/slapd-glue.conf | ||||||
|  |  REFINTCONF=$DATADIR/slapd-refint.conf | ||||||
|  |  RETCODECONF=$DATADIR/slapd-retcode.conf | ||||||
|  | diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | index 20c414600..322df60a4 100755
 | ||||||
|  | --- a/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | +++ b/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | @@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
 | ||||||
|  |          exit 0 | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  | +CONFDIR=$TESTDIR/slapd.d
 | ||||||
|  | +CONFLDIF=$TESTDIR/slapd.ldif
 | ||||||
|  | +
 | ||||||
|  |  mkdir -p $TESTDIR $DBDIR1 $CONFDIR | ||||||
|  |  cp -r $DATADIR/tls $TESTDIR | ||||||
|  | +$SLAPPASSWD -g -n >$CONFIGPWF
 | ||||||
|  |   | ||||||
|  |  echo "Starting KDC for SASL/GSSAPI tests..." | ||||||
|  |  . $SRCDIR/scripts/setup_kdc.sh | ||||||
|  |   | ||||||
|  | -echo "Running slapadd to build slapd database..."
 | ||||||
|  | -. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
 | ||||||
|  | -$SLAPADD -f $CONF1 -l $LDIFORDERED
 | ||||||
|  | +echo "Configuring slapd..."
 | ||||||
|  | +cat > $CONFLDIF <<EOF
 | ||||||
|  | +dn: cn=config
 | ||||||
|  | +objectClass: olcGlobal
 | ||||||
|  | +cn: config
 | ||||||
|  | +olcSaslHost: localhost
 | ||||||
|  | +olcSaslRealm: $KRB5REALM
 | ||||||
|  | +olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
 | ||||||
|  | +olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
 | ||||||
|  | +olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
 | ||||||
|  | +
 | ||||||
|  | +dn: cn=schema,cn=config
 | ||||||
|  | +objectClass: olcSchemaConfig
 | ||||||
|  | +cn: schema
 | ||||||
|  | +
 | ||||||
|  | +include: file://$ABS_SCHEMADIR/core.ldif
 | ||||||
|  | +
 | ||||||
|  | +dn: olcDatabase={0}config,cn=config
 | ||||||
|  | +objectClass: olcDatabaseConfig
 | ||||||
|  | +olcDatabase: {0}config
 | ||||||
|  | +olcRootPW:< file://$TESTDIR/configpw
 | ||||||
|  | +
 | ||||||
|  | +EOF
 | ||||||
|  | +$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
 | ||||||
|  |  RC=$? | ||||||
|  |  if test $RC != 0 ; then | ||||||
|  |  	echo "slapadd failed ($RC)!" | ||||||
|  | @@ -38,7 +63,7 @@ if test $RC != 0 ; then
 | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  |  echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." | ||||||
|  | -$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 | ||||||
|  | +$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 | ||||||
|  |  PID=$! | ||||||
|  |  if test $WAIT != 0 ; then | ||||||
|  |      echo PID $PID | ||||||
|  | @@ -151,7 +176,7 @@ else
 | ||||||
|  |  	for acb in "none" "tls-unique" "tls-endpoint" ; do | ||||||
|  |   | ||||||
|  |  		echo "Modifying slapd's olcSaslCBinding to ${acb} ..." | ||||||
|  | -		$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
 | ||||||
|  | +		$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
 | ||||||
|  |  dn: cn=config | ||||||
|  |  changetype: modify | ||||||
|  |  replace: olcSaslCBinding | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
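Review bot: The generated config in the new heredoc reads the root password from a hard-coded path, `olcRootPW:< file://$TESTDIR/configpw`, while the password is written to `$CONFIGPWF` a few lines earlier and later handed to ldapmodify as `-y $CONFIGPWF`; if `$CONFIGPWF` is defined elsewhere (presumably in defines.sh, not visible here) as anything other than `$TESTDIR/configpw`, the password slapd loads will not be the one the test supplies. Using the same variable in both places, `olcRootPW:< file://$CONFIGPWF`, removes that coupling. The exit status of `$SLAPPASSWD -g -n >$CONFIGPWF` is also unchecked, so a failing slappasswd leaves an empty password file and the problem surfaces only as a confusing slapadd or ldapmodify failure later; an `RC=$?` test like the one that follows `$SLAPADD` would localize it. Replacing the literal `secret` in the config database with a per-run generated password is a sound change to the test fixture.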
										62
								openldap-cbinding-Fix-slaptest-in-test077.patch
							| @ -0,0 +1,62 @@ | |||||||
|  | From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Ryan Tandy <ryan@nardis.ca> | ||||||
|  | Date: Sun, 26 Apr 2020 11:40:23 -0700 | ||||||
|  | Subject: [PATCH] Fix slaptest in test077 | ||||||
|  | 
 | ||||||
|  | The libtool wrapper scripts lose argv[0] when exec'ing the real binary. | ||||||
|  | 
 | ||||||
|  | In the CI Docker container, where the build runs as root, this was | ||||||
|  | actually starting a real slapd on the default port. | ||||||
|  | 
 | ||||||
|  | Outside Docker, running as a non-root user, this slapd would just fail | ||||||
|  | to start, and wouldn't convert the config either. | ||||||
|  | 
 | ||||||
|  | Using "slapd -Tt" fixes the issue but also prints a warning from | ||||||
|  | slaptest since the database hasn't been initialized yet. | ||||||
|  | 
 | ||||||
|  | Dynamic config isn't actually used in this test script, so let's just | ||||||
|  | run slapd off the config file directly. | ||||||
|  | ---
 | ||||||
|  |  tests/scripts/test077-sasl-gssapi | 11 ++--------- | ||||||
|  |  1 file changed, 2 insertions(+), 9 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | index 19f665622..20c414600 100755
 | ||||||
|  | --- a/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | +++ b/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | @@ -21,22 +21,15 @@ if test $WITH_SASL = no ; then
 | ||||||
|  |          exit 0 | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  | -SLAPTEST="$TESTWD/../servers/slapd/slaptest"
 | ||||||
|  | -CONFDIR=$TESTDIR/slapd.d
 | ||||||
|  | -
 | ||||||
|  |  mkdir -p $TESTDIR $DBDIR1 $CONFDIR | ||||||
|  |  cp -r $DATADIR/tls $TESTDIR | ||||||
|  |   | ||||||
|  | -cd $TESTWD
 | ||||||
|  | -
 | ||||||
|  | -
 | ||||||
|  |  echo "Starting KDC for SASL/GSSAPI tests..." | ||||||
|  |  . $SRCDIR/scripts/setup_kdc.sh | ||||||
|  |   | ||||||
|  |  echo "Running slapadd to build slapd database..." | ||||||
|  |  . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 | ||||||
|  | -$SLAPTEST -f $CONF1 -F $CONFDIR
 | ||||||
|  | -$SLAPADD -F $CONFDIR -l $LDIFORDERED
 | ||||||
|  | +$SLAPADD -f $CONF1 -l $LDIFORDERED
 | ||||||
|  |  RC=$? | ||||||
|  |  if test $RC != 0 ; then | ||||||
|  |  	echo "slapadd failed ($RC)!" | ||||||
|  | @@ -45,7 +38,7 @@ if test $RC != 0 ; then
 | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  |  echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." | ||||||
|  | -$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 | ||||||
|  | +$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 | ||||||
|  |  PID=$! | ||||||
|  |  if test $WAIT != 0 ; then | ||||||
|  |      echo PID $PID | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
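Review bot: The hunk removes the `CONFDIR=$TESTDIR/slapd.d` assignment but leaves `mkdir -p $TESTDIR $DBDIR1 $CONFDIR` in place, so `$CONFDIR` is now either unset or inherited from defines.sh (not visible here); with an unset value the unquoted expansion silently vanishes from the command line, which works by accident rather than by intent. Either drop `$CONFDIR` from the `mkdir -p` line or keep the assignment if a later step still needs the directory, so the script's dependencies are explicit. The commit message's observation that the unchecked `$SLAPTEST` wrapper could start a real slapd on the default port when run as root is a good argument for the simpler `-f $CONF1` invocation this hunk settles on.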
										220
								openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
							| @ -0,0 +1,220 @@ | |||||||
|  | NOTE: The patch has been adjusted to match the base code before backporting. | ||||||
|  | 
 | ||||||
|  | From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Howard Chu <hyc@openldap.org> | ||||||
|  | Date: Tue, 10 Sep 2013 04:26:51 -0700 | ||||||
|  | Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT | ||||||
|  | 
 | ||||||
|  | retrieve peer cert for an active TLS session | ||||||
|  | ---
 | ||||||
|  |  doc/man/man3/ldap_get_option.3 |  8 ++++++++ | ||||||
|  |  include/ldap.h                 |  1 + | ||||||
|  |  libraries/libldap/ldap-tls.h   |  2 ++ | ||||||
|  |  libraries/libldap/tls2.c       | 23 +++++++++++++++++++++++ | ||||||
|  |  libraries/libldap/tls_g.c      | 19 +++++++++++++++++++ | ||||||
|  |  libraries/libldap/tls_m.c      | 17 +++++++++++++++++ | ||||||
|  |  libraries/libldap/tls_o.c      | 16 ++++++++++++++++ | ||||||
|  |  7 files changed, 86 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
 | ||||||
|  | index e67de75e9..1bb55d357 100644
 | ||||||
|  | --- a/doc/man/man3/ldap_get_option.3
 | ||||||
|  | +++ b/doc/man/man3/ldap_get_option.3
 | ||||||
|  | @@ -732,6 +732,14 @@ A non-zero value pointed to by
 | ||||||
|  |  .BR invalue | ||||||
|  |  tells the library to create a context for a server. | ||||||
|  |  .TP | ||||||
|  | +.B LDAP_OPT_X_TLS_PEERCERT
 | ||||||
|  | +Gets the peer's certificate in DER format from an established TLS session.
 | ||||||
|  | +.BR outvalue
 | ||||||
|  | +must be
 | ||||||
|  | +.BR "struct berval *" ,
 | ||||||
|  | +and the data it returns needs to be freed by the caller using
 | ||||||
|  | +.BR ldap_memfree (3).
 | ||||||
|  | +.TP
 | ||||||
|  |  .B LDAP_OPT_X_TLS_PROTOCOL_MIN | ||||||
|  |  Sets/gets the minimum protocol version. | ||||||
|  |  .BR invalue | ||||||
|  | diff --git a/include/ldap.h b/include/ldap.h
 | ||||||
|  | index 4de3f7f32..97ca524d7 100644
 | ||||||
|  | --- a/include/ldap.h
 | ||||||
|  | +++ b/include/ldap.h
 | ||||||
|  | @@ -161,6 +161,7 @@ LDAP_BEGIN_DECL
 | ||||||
|  |  #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */ | ||||||
|  |  #define LDAP_OPT_X_TLS_PACKAGE		0x6011 | ||||||
|  |  #define LDAP_OPT_X_TLS_ECNAME		0x6012 | ||||||
|  | +#define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */
 | ||||||
|  |   | ||||||
|  |  #define LDAP_OPT_X_TLS_NEVER	0 | ||||||
|  |  #define LDAP_OPT_X_TLS_HARD		1 | ||||||
|  | diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
 | ||||||
|  | index 548814d7f..890d20dc7 100644
 | ||||||
|  | --- a/libraries/libldap/ldap-tls.h
 | ||||||
|  | +++ b/libraries/libldap/ldap-tls.h
 | ||||||
|  | @@ -43,6 +43,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
 | ||||||
|  |  typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); | ||||||
|  |  typedef int (TI_session_strength)(tls_session *sess); | ||||||
|  |  typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); | ||||||
|  | +typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
 | ||||||
|  |   | ||||||
|  |  typedef void (TI_thr_init)(void); | ||||||
|  |   | ||||||
|  | @@ -69,6 +70,7 @@ typedef struct tls_impl {
 | ||||||
|  | 	TI_session_chkhost *ti_session_chkhost; | ||||||
|  | 	TI_session_strength *ti_session_strength; | ||||||
|  |  	TI_session_unique *ti_session_unique; | ||||||
|  | +	TI_session_peercert *ti_session_peercert;
 | ||||||
|  |   | ||||||
|  |  	Sockbuf_IO *ti_sbio; | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 | ||||||
|  | index 05fce3218..cbf73bdd5 100644
 | ||||||
|  | --- a/libraries/libldap/tls2.c
 | ||||||
|  | +++ b/libraries/libldap/tls2.c
 | ||||||
|  | @@ -718,6 +718,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 | ||||||
|  |  	case LDAP_OPT_X_TLS_CONNECT_ARG: | ||||||
|  |  		*(void **)arg = lo->ldo_tls_connect_arg; | ||||||
|  |  		break; | ||||||
|  | +	case LDAP_OPT_X_TLS_PEERCERT: {
 | ||||||
|  | +		void *sess = NULL;
 | ||||||
|  | +		struct berval *bv = arg;
 | ||||||
|  | +		bv->bv_len = 0;
 | ||||||
|  | +		bv->bv_val = NULL;
 | ||||||
|  | +		if ( ld != NULL ) {
 | ||||||
|  | +			LDAPConn *conn = ld->ld_defconn;
 | ||||||
|  | +			if ( conn != NULL ) {
 | ||||||
|  | +				Sockbuf *sb = conn->lconn_sb;
 | ||||||
|  | +				sess = ldap_pvt_tls_sb_ctx( sb );
 | ||||||
|  | +				if ( sess != NULL )
 | ||||||
|  | +					return ldap_pvt_tls_get_peercert( sess, bv );
 | ||||||
|  | +			}
 | ||||||
|  | +		}
 | ||||||
|  | +		break;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  |  	default: | ||||||
|  |  		return -1; | ||||||
|  |  	} | ||||||
|  | @@ -1050,6 +1066,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
 | ||||||
|  |  	tls_session *session = s; | ||||||
|  |  	return tls_imp->ti_session_unique( session, buf, is_server ); | ||||||
|  |  } | ||||||
|  | +
 | ||||||
|  | +int
 | ||||||
|  | +ldap_pvt_tls_get_peercert( void *s, struct berval *der )
 | ||||||
|  | +{
 | ||||||
|  | +	tls_session *session = s;
 | ||||||
|  | +	return tls_imp->ti_session_peercert( session, der );
 | ||||||
|  | +}
 | ||||||
|  |  #endif /* HAVE_TLS */ | ||||||
|  |   | ||||||
|  |  int | ||||||
|  | diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
 | ||||||
|  | index ce422387c..739680439 100644
 | ||||||
|  | --- a/libraries/libldap/tls_g.c
 | ||||||
|  | +++ b/libraries/libldap/tls_g.c
 | ||||||
|  | @@ -830,6 +830,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  |  	return 0; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlsg_session_peercert( tls_session *sess, struct berval *der )
 | ||||||
|  | +{
 | ||||||
|  | +	tlsg_session *s = (tlsg_session *)sess;
 | ||||||
|  | +	const gnutls_datum_t *peer_cert_list;
 | ||||||
|  | +	unsigned int list_size;
 | ||||||
|  | +
 | ||||||
|  | +	peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
 | ||||||
|  | +	if (!peer_cert_list)
 | ||||||
|  | +		return -1;
 | ||||||
|  | +	der->bv_len = peer_cert_list[0].size;
 | ||||||
|  | +	der->bv_val = LDAP_MALLOC( der->bv_len );
 | ||||||
|  | +	if (!der->bv_val)
 | ||||||
|  | +		return -1;
 | ||||||
|  | +	memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
 | ||||||
|  | +	return 0;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  /* suites is a string of colon-separated cipher suite names. */ | ||||||
|  |  static int | ||||||
|  |  tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) | ||||||
|  | @@ -1166,6 +1184,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlsg_session_chkhost, | ||||||
|  |  	tlsg_session_strength, | ||||||
|  |  	tlsg_session_unique, | ||||||
|  | +	tlsg_session_peercert,
 | ||||||
|  |   | ||||||
|  |  	&tlsg_sbio, | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
 | ||||||
|  | index 4bd9e63cb..36dc989ef 100644
 | ||||||
|  | --- a/libraries/libldap/tls_m.c
 | ||||||
|  | +++ b/libraries/libldap/tls_m.c
 | ||||||
|  | @@ -2891,6 +2891,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  |  	return 0; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlsm_session_peercert( tls_session *sess, struct berval *der )
 | ||||||
|  | +{
 | ||||||
|  | +	tlsm_session *s = (tlsm_session *)sess;
 | ||||||
|  | +	CERTCertificate *cert;
 | ||||||
|  | +	cert = SSL_PeerCertificate( s );
 | ||||||
|  | +	if (!cert)
 | ||||||
|  | +		return -1;
 | ||||||
|  | +	der->bv_len = cert->derCert.len;
 | ||||||
|  | +	der->bv_val = LDAP_MALLOC( der->bv_len );
 | ||||||
|  | +	if (!der->bv_val)
 | ||||||
|  | +		return -1;
 | ||||||
|  | +	memcpy( der->bv_val, cert->derCert.data, der->bv_len );
 | ||||||
|  | +	return 0;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * TLS support for LBER Sockbufs | ||||||
|  |   */ | ||||||
|  | @@ -3322,6 +3338,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlsm_session_chkhost, | ||||||
|  |  	tlsm_session_strength, | ||||||
|  |  	tlsm_session_unique, | ||||||
|  | +	tlsm_session_peercert,
 | ||||||
|  |   | ||||||
|  |  	&tlsm_sbio, | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 | ||||||
|  | index 6288456d3..1fa50392f 100644
 | ||||||
|  | --- a/libraries/libldap/tls_o.c
 | ||||||
|  | +++ b/libraries/libldap/tls_o.c
 | ||||||
|  | @@ -721,6 +721,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  |  	return buf->bv_len; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlso_session_peercert( tls_session *sess, struct berval *der )
 | ||||||
|  | +{
 | ||||||
|  | +	tlso_session *s = (tlso_session *)sess;
 | ||||||
|  | +	unsigned char *ptr;
 | ||||||
|  | +	X509 *x = SSL_get_peer_certificate(s);
 | ||||||
|  | +	der->bv_len = i2d_X509(x, NULL);
 | ||||||
|  | +	der->bv_val = LDAP_MALLOC(der->bv_len);
 | ||||||
|  | +	if ( !der->bv_val )
 | ||||||
|  | +		return -1;
 | ||||||
|  | +	ptr = der->bv_val;
 | ||||||
|  | +	i2d_X509(x, &ptr);
 | ||||||
|  | +	return 0;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  /* | ||||||
|  |   * TLS support for LBER Sockbufs | ||||||
|  |   */ | ||||||
|  | @@ -1229,6 +1244,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlso_session_chkhost, | ||||||
|  |  	tlso_session_strength, | ||||||
|  |  	tlso_session_unique, | ||||||
|  | +	tlso_session_peercert,
 | ||||||
|  |   | ||||||
|  |  	&tlso_sbio, | ||||||
|  |   | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
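Review bot: `tlso_session_peercert` in the tls_o.c hunk dereferences the result of `SSL_get_peer_certificate(s)` without a NULL check, so a session whose peer presented no certificate passes NULL into `i2d_X509`, and a negative `i2d_X509` return is stored unchecked into `der->bv_len`; the GnuTLS and NSS variants in the same patch return -1 when no certificate is available, so the OpenSSL backend should behave the same. The same function never releases the certificate, which OpenSSL returns with an incremented reference count, so every call leaks an `X509`; `tlsm_session_peercert` in tls_m.c has the matching leak, since `SSL_PeerCertificate` returns a reference that should be released with `CERT_DestroyCertificate( cert )` after `derCert` has been copied. Because `ldap_pvt_tls_get_option` in tls2.c zeroes `bv` before dispatching, returning -1 from these functions leaves the caller with an empty berval, which is the sensible outcome for a read-only option with no data. The rewritten OpenSSL function follows.

```c
static int
tlso_session_peercert( tls_session *sess, struct berval *der )
{
	tlso_session *s = (tlso_session *)sess;
	unsigned char *ptr;
	X509 *x = SSL_get_peer_certificate(s);
	int len;

	if ( !x )
		return -1;	/* no peer certificate on this session */
	len = i2d_X509(x, NULL);
	if ( len <= 0 ) {
		X509_free(x);
		return -1;
	}
	der->bv_len = len;
	der->bv_val = LDAP_MALLOC(der->bv_len);
	if ( !der->bv_val ) {
		X509_free(x);
		return -1;
	}
	ptr = der->bv_val;
	i2d_X509(x, &ptr);
	X509_free(x);	/* SSL_get_peer_certificate() hands back a counted reference */
	return 0;
}
```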
| @ -0,0 +1,70 @@ | |||||||
|  | From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001 | ||||||
|  | From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com> | ||||||
|  | Date: Fri, 15 Jun 2018 15:12:28 +0100 | ||||||
|  | Subject: [PATCH] ITS#8573 Add missing URI variables for tests | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  tests/scripts/conf.sh    | 18 ++++++++++++++++++ | ||||||
|  |  tests/scripts/defines.sh |  7 +++++++ | ||||||
|  |  2 files changed, 25 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
 | ||||||
|  | index fe5e60509..02629f190 100755
 | ||||||
|  | --- a/tests/scripts/conf.sh
 | ||||||
|  | +++ b/tests/scripts/conf.sh
 | ||||||
|  | @@ -75,6 +75,24 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
 | ||||||
|  |  	-e "s;@PORT4@;${PORT4};"			\ | ||||||
|  |  	-e "s;@PORT5@;${PORT5};"			\ | ||||||
|  |  	-e "s;@PORT6@;${PORT6};"			\ | ||||||
|  | +	-e "s;@SURI1@;${SURI1};"			\
 | ||||||
|  | +	-e "s;@SURI2@;${SURI2};"			\
 | ||||||
|  | +	-e "s;@SURI3@;${SURI3};"			\
 | ||||||
|  | +	-e "s;@SURI4@;${SURI4};"			\
 | ||||||
|  | +	-e "s;@SURI5@;${SURI5};"			\
 | ||||||
|  | +	-e "s;@SURI6@;${SURI6};"			\
 | ||||||
|  | +	-e "s;@URIP1@;${URIP1};"			\
 | ||||||
|  | +	-e "s;@URIP2@;${URIP2};"			\
 | ||||||
|  | +	-e "s;@URIP3@;${URIP3};"			\
 | ||||||
|  | +	-e "s;@URIP4@;${URIP4};"			\
 | ||||||
|  | +	-e "s;@URIP5@;${URIP5};"			\
 | ||||||
|  | +	-e "s;@URIP6@;${URIP6};"			\
 | ||||||
|  | +	-e "s;@SURIP1@;${SURIP1};"			\
 | ||||||
|  | +	-e "s;@SURIP2@;${SURIP2};"			\
 | ||||||
|  | +	-e "s;@SURIP3@;${SURIP3};"			\
 | ||||||
|  | +	-e "s;@SURIP4@;${SURIP4};"			\
 | ||||||
|  | +	-e "s;@SURIP5@;${SURIP5};"			\
 | ||||||
|  | +	-e "s;@SURIP6@;${SURIP6};"			\
 | ||||||
|  |  	-e "s/@SASL_MECH@/${SASL_MECH}/"		\ | ||||||
|  |  	-e "s;@TESTDIR@;${TESTDIR};"			\ | ||||||
|  |  	-e "s;@TESTWD@;${TESTWD};"			\ | ||||||
|  | diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
 | ||||||
|  | index 2c9e8f76a..9816034f9 100755
 | ||||||
|  | --- a/tests/scripts/defines.sh
 | ||||||
|  | +++ b/tests/scripts/defines.sh
 | ||||||
|  | @@ -223,16 +223,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
 | ||||||
|  |  URI3="ldap://${LOCALHOST}:$PORT3/" | ||||||
|  |  URIP3="ldap://${LOCALIP}:$PORT3/" | ||||||
|  |  URI4="ldap://${LOCALHOST}:$PORT4/" | ||||||
|  | +URIP4="ldap://${LOCALIP}:$PORT4/"
 | ||||||
|  |  URI5="ldap://${LOCALHOST}:$PORT5/" | ||||||
|  | +URIP5="ldap://${LOCALIP}:$PORT5/"
 | ||||||
|  |  URI6="ldap://${LOCALHOST}:$PORT6/" | ||||||
|  | +URIP6="ldap://${LOCALIP}:$PORT6/"
 | ||||||
|  |  SURI1="ldaps://${LOCALHOST}:$PORT1/" | ||||||
|  |  SURIP1="ldaps://${LOCALIP}:$PORT1/" | ||||||
|  |  SURI2="ldaps://${LOCALHOST}:$PORT2/" | ||||||
|  |  SURIP2="ldaps://${LOCALIP}:$PORT2/" | ||||||
|  |  SURI3="ldaps://${LOCALHOST}:$PORT3/" | ||||||
|  | +SURIP3="ldaps://${LOCALIP}:$PORT3/"
 | ||||||
|  |  SURI4="ldaps://${LOCALHOST}:$PORT4/" | ||||||
|  | +SURIP4="ldaps://${LOCALIP}:$PORT4/"
 | ||||||
|  |  SURI5="ldaps://${LOCALHOST}:$PORT5/" | ||||||
|  | +SURIP5="ldaps://${LOCALIP}:$PORT5/"
 | ||||||
|  |  SURI6="ldaps://${LOCALHOST}:$PORT6/" | ||||||
|  | +SURIP6="ldaps://${LOCALIP}:$PORT6/"
 | ||||||
|  |   | ||||||
|  |  # LDIF | ||||||
|  |  LDIF=$DATADIR/test.ldif | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
										2108
								openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
							| @ -0,0 +1,582 @@ | |||||||
|  | NOTE: The patch has been adjusted to match the base code before backporting. | ||||||
|  | 
 | ||||||
|  | From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org> | ||||||
|  | Date: Thu, 14 Jun 2018 16:14:15 +0100 | ||||||
|  | Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  clients/tools/common.c     |  15 ++- | ||||||
|  |  doc/devel/args             |   2 +- | ||||||
|  |  doc/man/man1/ldapcompare.1 |   9 +- | ||||||
|  |  doc/man/man1/ldapdelete.1  |   9 +- | ||||||
|  |  doc/man/man1/ldapexop.1    |   9 +- | ||||||
|  |  doc/man/man1/ldapmodify.1  |   9 +- | ||||||
|  |  doc/man/man1/ldapmodrdn.1  |   9 +- | ||||||
|  |  doc/man/man1/ldappasswd.1  |   9 +- | ||||||
|  |  doc/man/man1/ldapsearch.1  |   9 +- | ||||||
|  |  doc/man/man1/ldapwhoami.1  |  13 ++- | ||||||
|  |  doc/man/man8/slapcat.8     |   2 +- | ||||||
|  |  include/ldap_pvt.h         |   5 + | ||||||
|  |  libraries/libldap/init.c   | 231 ++++++++++++++++++++++--------------- | ||||||
|  |  servers/slapd/slapcommon.c |   5 +- | ||||||
|  |  14 files changed, 200 insertions(+), 136 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/clients/tools/common.c b/clients/tools/common.c
 | ||||||
|  | index 1cd8a2c1b..b1edffdaf 100644
 | ||||||
|  | --- a/clients/tools/common.c
 | ||||||
|  | +++ b/clients/tools/common.c
 | ||||||
|  | @@ -374,9 +374,9 @@ N_("  -I         use SASL Interactive mode\n"),
 | ||||||
|  |  N_("  -n         show what would be done but don't actually do it\n"), | ||||||
|  |  N_("  -N         do not use reverse DNS to canonicalize SASL host name\n"), | ||||||
|  |  N_("  -O props   SASL security properties\n"), | ||||||
|  | -N_("  -o <opt>[=<optparam>] general options\n"),
 | ||||||
|  | +N_("  -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
 | ||||||
|  | +N_("             ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
 | ||||||
|  |  N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"), | ||||||
|  | -N_("             ldif-wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
 | ||||||
|  |  N_("  -p port    port on LDAP server\n"), | ||||||
|  |  N_("  -Q         use SASL Quiet mode\n"), | ||||||
|  |  N_("  -R realm   SASL realm\n"), | ||||||
|  | @@ -838,6 +838,11 @@ tool_args( int argc, char **argv )
 | ||||||
|  |  			if ( (cvalue = strchr( control, '=' )) != NULL ) { | ||||||
|  |  				*cvalue++ = '\0'; | ||||||
|  |  			} | ||||||
|  | +			for ( next=control; *next; next++ ) {
 | ||||||
|  | +				if ( *next == '-' ) {
 | ||||||
|  | +					*next = '_';
 | ||||||
|  | +				}
 | ||||||
|  | +			}
 | ||||||
|  |   | ||||||
|  |  			if ( strcasecmp( control, "nettimeout" ) == 0 ) { | ||||||
|  |  				if( nettimeout.tv_sec != -1 ) { | ||||||
|  | @@ -867,7 +872,7 @@ tool_args( int argc, char **argv )
 | ||||||
|  |  	 				exit( EXIT_FAILURE ); | ||||||
|  |   				} | ||||||
|  |   | ||||||
|  | -			} else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) {
 | ||||||
|  | +			} else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) {
 | ||||||
|  |  				if ( cvalue == 0 ) { | ||||||
|  |  					ldif_wrap = LDIF_LINE_WIDTH; | ||||||
|  |   | ||||||
|  | @@ -878,13 +883,13 @@ tool_args( int argc, char **argv )
 | ||||||
|  |  					unsigned int u; | ||||||
|  |  					if ( lutil_atou( &u, cvalue ) ) { | ||||||
|  |  						fprintf( stderr, | ||||||
|  | -							_("Unable to parse ldif-wrap=\"%s\"\n"), cvalue );
 | ||||||
|  | +							_("Unable to parse ldif_wrap=\"%s\"\n"), cvalue );
 | ||||||
|  |  		 				exit( EXIT_FAILURE ); | ||||||
|  |  					} | ||||||
|  |  					ldif_wrap = (ber_len_t)u; | ||||||
|  |  				} | ||||||
|  |   | ||||||
|  | -			} else {
 | ||||||
|  | +			} else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) {
 | ||||||
|  |  				fprintf( stderr, "Invalid general option name: %s\n", | ||||||
|  |  					control ); | ||||||
|  |  				usage(); | ||||||
|  | diff --git a/doc/devel/args b/doc/devel/args
 | ||||||
|  | index 9796fe528..c5aa02f11 100644
 | ||||||
|  | --- a/doc/devel/args
 | ||||||
|  | +++ b/doc/devel/args
 | ||||||
|  | @@ -28,7 +28,7 @@ ldapwhoami       * DE**HI**  NO QR  UVWXYZ   def*h*** *nop*    vwxy
 | ||||||
|  |  	-h host | ||||||
|  |  	-n no-op | ||||||
|  |  	-N no (SASLprep) normalization of simple bind password | ||||||
|  | -	-o general options (currently nettimeout and ldif-wrap only)
 | ||||||
|  | +	-o general libldap options (plus ldif_wrap and nettimeout for backwards comp.)
 | ||||||
|  |  	-p port | ||||||
|  |  	-v verbose | ||||||
|  |  	-V version | ||||||
|  | diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
 | ||||||
|  | index 9e66cd4b2..a0e58d7c3 100644
 | ||||||
|  | --- a/doc/man/man1/ldapcompare.1
 | ||||||
|  | +++ b/doc/man/man1/ldapcompare.1
 | ||||||
|  | @@ -186,13 +186,14 @@ Compare extensions:
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
 | ||||||
|  | index 394d35275..85dbf4360 100644
 | ||||||
|  | --- a/doc/man/man1/ldapdelete.1
 | ||||||
|  | +++ b/doc/man/man1/ldapdelete.1
 | ||||||
|  | @@ -192,13 +192,14 @@ Delete extensions:
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
 | ||||||
|  | index 503d681ca..26e1730a8 100644
 | ||||||
|  | --- a/doc/man/man1/ldapexop.1
 | ||||||
|  | +++ b/doc/man/man1/ldapexop.1
 | ||||||
|  | @@ -189,13 +189,14 @@ Specify general extensions.  \'!\' indicates criticality.
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
 | ||||||
|  | index 2792d460b..6c277d89c 100644
 | ||||||
|  | --- a/doc/man/man1/ldapmodify.1
 | ||||||
|  | +++ b/doc/man/man1/ldapmodify.1
 | ||||||
|  | @@ -255,13 +255,14 @@ Modify extensions:
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR]] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
 | ||||||
|  | index 5d0f3fcd9..b24e500fe 100644
 | ||||||
|  | --- a/doc/man/man1/ldapmodrdn.1
 | ||||||
|  | +++ b/doc/man/man1/ldapmodrdn.1
 | ||||||
|  | @@ -186,13 +186,14 @@ Modrdn extensions:
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
 | ||||||
|  | index 36857ab8f..a2805e57b 100644
 | ||||||
|  | --- a/doc/man/man1/ldappasswd.1
 | ||||||
|  | +++ b/doc/man/man1/ldappasswd.1
 | ||||||
|  | @@ -188,13 +188,14 @@ Passwd Modify extensions:
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR]] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
 | ||||||
|  | index 036ce6245..1914eafbf 100644
 | ||||||
|  | --- a/doc/man/man1/ldapsearch.1
 | ||||||
|  | +++ b/doc/man/man1/ldapsearch.1
 | ||||||
|  | @@ -332,13 +332,14 @@ Search extensions:
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
 | ||||||
|  | index 5912af5ba..2c8cfded2 100644
 | ||||||
|  | --- a/doc/man/man1/ldapwhoami.1
 | ||||||
|  | +++ b/doc/man/man1/ldapwhoami.1
 | ||||||
|  | @@ -143,13 +143,18 @@ WhoAmI extensions:
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-o \ opt \fR[= optparam \fR] | ||||||
|  |   | ||||||
|  | -Specify general options.
 | ||||||
|  | -
 | ||||||
|  | -General options:
 | ||||||
|  | +Specify any
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +option or one of the following:
 | ||||||
|  |  .nf | ||||||
|  |    nettimeout=<timeout>  (in seconds, or "none" or "max") | ||||||
|  | -  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  | +  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
 | ||||||
|  |  .fi | ||||||
|  | +
 | ||||||
|  | +.B -o
 | ||||||
|  | +option that can be passed here, check
 | ||||||
|  | +.BR ldap.conf (5)
 | ||||||
|  | +for details.
 | ||||||
|  |  .TP | ||||||
|  |  .BI \-O \ security-properties | ||||||
|  |  Specify SASL security properties. | ||||||
|  | diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
 | ||||||
|  | index 57c41deff..2085e9176 100644
 | ||||||
|  | --- a/doc/man/man8/slapcat.8
 | ||||||
|  | +++ b/doc/man/man8/slapcat.8
 | ||||||
|  | @@ -149,7 +149,7 @@ Possible generic options/values are:
 | ||||||
|  |                syslog\-level=<level> (see `\-S' in slapd(8)) | ||||||
|  |                syslog\-user=<user>   (see `\-l' in slapd(8)) | ||||||
|  |   | ||||||
|  | -              ldif-wrap={no|<n>}
 | ||||||
|  | +              ldif_wrap={no|<n>}
 | ||||||
|  |   | ||||||
|  |  .in | ||||||
|  |  \fIn\fP is the number of columns allowed for the LDIF output | ||||||
|  | diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
 | ||||||
|  | index 31f37277c..e86b032cb 100644
 | ||||||
|  | --- a/include/ldap_pvt.h
 | ||||||
|  | +++ b/include/ldap_pvt.h
 | ||||||
|  | @@ -326,6 +326,11 @@ struct ldifrecord;
 | ||||||
|  |  LDAP_F ( int ) ldap_pvt_discard LDAP_P(( | ||||||
|  |  	struct ldap *ld, ber_int_t msgid )); | ||||||
|  |   | ||||||
|  | +/* init.c */
 | ||||||
|  | +LDAP_F( int )
 | ||||||
|  | +ldap_pvt_conf_option LDAP_P((
 | ||||||
|  | +	char *cmd, char *opt, int userconf ));
 | ||||||
|  | +
 | ||||||
|  |  /* messages.c */ | ||||||
|  |  LDAP_F( BerElement * ) | ||||||
|  |  ldap_get_message_ber LDAP_P(( | ||||||
|  | diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
 | ||||||
|  | index 548d2c1cb..4a7e81bdb 100644
 | ||||||
|  | --- a/libraries/libldap/init.c
 | ||||||
|  | +++ b/libraries/libldap/init.c
 | ||||||
|  | @@ -147,6 +147,141 @@ static const struct ol_attribute {
 | ||||||
|  |  #define MAX_LDAP_ATTR_LEN  sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL") | ||||||
|  |  #define MAX_LDAP_ENV_PREFIX_LEN 8 | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +ldap_int_conf_option(
 | ||||||
|  | +	struct ldapoptions *gopts,
 | ||||||
|  | +	char *cmd, char *opt, int userconf )
 | ||||||
|  | +{
 | ||||||
|  | +	int i;
 | ||||||
|  | +
 | ||||||
|  | +	for(i=0; attrs[i].type != ATTR_NONE; i++) {
 | ||||||
|  | +		void *p;
 | ||||||
|  | +
 | ||||||
|  | +		if( !userconf && attrs[i].useronly ) {
 | ||||||
|  | +			continue;
 | ||||||
|  | +		}
 | ||||||
|  | +
 | ||||||
|  | +		if(strcasecmp(cmd, attrs[i].name) != 0) {
 | ||||||
|  | +			continue;
 | ||||||
|  | +		}
 | ||||||
|  | +
 | ||||||
|  | +		switch(attrs[i].type) {
 | ||||||
|  | +		case ATTR_BOOL:
 | ||||||
|  | +			if((strcasecmp(opt, "on") == 0)
 | ||||||
|  | +				|| (strcasecmp(opt, "yes") == 0)
 | ||||||
|  | +				|| (strcasecmp(opt, "true") == 0))
 | ||||||
|  | +			{
 | ||||||
|  | +				LDAP_BOOL_SET(gopts, attrs[i].offset);
 | ||||||
|  | +
 | ||||||
|  | +			} else {
 | ||||||
|  | +				LDAP_BOOL_CLR(gopts, attrs[i].offset);
 | ||||||
|  | +			}
 | ||||||
|  | +
 | ||||||
|  | +			break;
 | ||||||
|  | +
 | ||||||
|  | +		case ATTR_INT: {
 | ||||||
|  | +			char *next;
 | ||||||
|  | +			long l;
 | ||||||
|  | +			p = &((char *) gopts)[attrs[i].offset];
 | ||||||
|  | +			l = strtol( opt, &next, 10 );
 | ||||||
|  | +			if ( next != opt && next[ 0 ] == '\0' ) {
 | ||||||
|  | +				* (int*) p = l;
 | ||||||
|  | +			}
 | ||||||
|  | +			} break;
 | ||||||
|  | +
 | ||||||
|  | +		case ATTR_KV: {
 | ||||||
|  | +				const struct ol_keyvalue *kv;
 | ||||||
|  | +
 | ||||||
|  | +				for(kv = attrs[i].data;
 | ||||||
|  | +					kv->key != NULL;
 | ||||||
|  | +					kv++) {
 | ||||||
|  | +
 | ||||||
|  | +					if(strcasecmp(opt, kv->key) == 0) {
 | ||||||
|  | +						p = &((char *) gopts)[attrs[i].offset];
 | ||||||
|  | +						* (int*) p = kv->value;
 | ||||||
|  | +						break;
 | ||||||
|  | +					}
 | ||||||
|  | +				}
 | ||||||
|  | +			} break;
 | ||||||
|  | +
 | ||||||
|  | +		case ATTR_STRING:
 | ||||||
|  | +			p = &((char *) gopts)[attrs[i].offset];
 | ||||||
|  | +			if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
 | ||||||
|  | +			* (char**) p = LDAP_STRDUP(opt);
 | ||||||
|  | +			break;
 | ||||||
|  | +		case ATTR_OPTION:
 | ||||||
|  | +			ldap_set_option( NULL, attrs[i].offset, opt );
 | ||||||
|  | +			break;
 | ||||||
|  | +		case ATTR_SASL:
 | ||||||
|  | +#ifdef HAVE_CYRUS_SASL
 | ||||||
|  | +			ldap_int_sasl_config( gopts, attrs[i].offset, opt );
 | ||||||
|  | +#endif
 | ||||||
|  | +			break;
 | ||||||
|  | +		case ATTR_GSSAPI:
 | ||||||
|  | +#ifdef HAVE_GSSAPI
 | ||||||
|  | +			ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
 | ||||||
|  | +#endif
 | ||||||
|  | +			break;
 | ||||||
|  | +		case ATTR_TLS:
 | ||||||
|  | +#ifdef HAVE_TLS
 | ||||||
|  | +			ldap_int_tls_config( NULL, attrs[i].offset, opt );
 | ||||||
|  | +#endif
 | ||||||
|  | +			break;
 | ||||||
|  | +		case ATTR_OPT_TV: {
 | ||||||
|  | +			struct timeval tv;
 | ||||||
|  | +			char *next;
 | ||||||
|  | +			tv.tv_usec = 0;
 | ||||||
|  | +			tv.tv_sec = strtol( opt, &next, 10 );
 | ||||||
|  | +			if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
 | ||||||
|  | +				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
 | ||||||
|  | +			}
 | ||||||
|  | +			} break;
 | ||||||
|  | +		case ATTR_OPT_INT: {
 | ||||||
|  | +			long l;
 | ||||||
|  | +			char *next;
 | ||||||
|  | +			l = strtol( opt, &next, 10 );
 | ||||||
|  | +			if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
 | ||||||
|  | +				int v = (int)l;
 | ||||||
|  | +				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
 | ||||||
|  | +			}
 | ||||||
|  | +			} break;
 | ||||||
|  | +		}
 | ||||||
|  | +
 | ||||||
|  | +		break;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	if ( attrs[i].type == ATTR_NONE ) {
 | ||||||
|  | +		Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: "
 | ||||||
|  | +				"unknown option '%s'",
 | ||||||
|  | +				cmd, 0, 0 );
 | ||||||
|  | +		return 1;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	return 0;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +int
 | ||||||
|  | +ldap_pvt_conf_option(
 | ||||||
|  | +	char *cmd, char *opt, int userconf )
 | ||||||
|  | +{
 | ||||||
|  | +	struct ldapoptions *gopts;
 | ||||||
|  | +	int rc = LDAP_OPT_ERROR;
 | ||||||
|  | +
 | ||||||
|  | +	/* Get pointer to global option structure */
 | ||||||
|  | +	gopts = LDAP_INT_GLOBAL_OPT();
 | ||||||
|  | +	if (NULL == gopts) {
 | ||||||
|  | +		return LDAP_NO_MEMORY;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	if ( gopts->ldo_valid != LDAP_INITIALIZED ) {
 | ||||||
|  | +		ldap_int_initialize(gopts, NULL);
 | ||||||
|  | +		if ( gopts->ldo_valid != LDAP_INITIALIZED )
 | ||||||
|  | +			return LDAP_LOCAL_ERROR;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	return ldap_int_conf_option( gopts, cmd, opt, userconf );
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  static void openldap_ldap_init_w_conf( | ||||||
|  |  	const char *file, int userconf ) | ||||||
|  |  { | ||||||
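Review bot: ldap_int_conf_option discards the return values of ldap_int_sasl_config, ldap_int_tls_config and ldap_set_option in the ATTR_SASL, ATTR_TLS and ATTR_OPTION cases, so a malformed value for a security-relevant setting (an unparsable SASL_SECPROPS, or later in this series a misspelled SASL_CBINDING type that then silently stays at "none") is dropped while the function still returns 0 as if it had been applied; propagating a non-zero result from those handlers would let the new ldap_pvt_conf_option entry point, and the -o option path behind it, report the failure. The ATTR_INT case stores `l` into an int without the `(long)((int)l) == l` range check that the ATTR_OPT_INT case performs a few lines below. In ldap_pvt_conf_option `int rc = LDAP_OPT_ERROR;` is never read, and the function mixes LDAP result codes (LDAP_NO_MEMORY, LDAP_LOCAL_ERROR) with the 0/1 convention of ldap_int_conf_option, which the new ldap_pvt.h prototype does not document. The trace message at the end names `ldap_int_tls_config:` rather than the function it lives in and has no trailing newline; `"ldap_int_conf_option: unknown option '%s'\n"` would match the Debug calls elsewhere in this series.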
|  | @@ -212,101 +347,7 @@ static void openldap_ldap_init_w_conf(
 | ||||||
|  |  		while(isspace((unsigned char)*start)) start++; | ||||||
|  |  		opt = start; | ||||||
|  |   | ||||||
|  | -		for(i=0; attrs[i].type != ATTR_NONE; i++) {
 | ||||||
|  | -			void *p;
 | ||||||
|  | -
 | ||||||
|  | -			if( !userconf && attrs[i].useronly ) {
 | ||||||
|  | -				continue;
 | ||||||
|  | -			}
 | ||||||
|  | -
 | ||||||
|  | -			if(strcasecmp(cmd, attrs[i].name) != 0) {
 | ||||||
|  | -				continue;
 | ||||||
|  | -			}
 | ||||||
|  | -
 | ||||||
|  | -			switch(attrs[i].type) {
 | ||||||
|  | -			case ATTR_BOOL:
 | ||||||
|  | -				if((strcasecmp(opt, "on") == 0) 
 | ||||||
|  | -					|| (strcasecmp(opt, "yes") == 0)
 | ||||||
|  | -					|| (strcasecmp(opt, "true") == 0))
 | ||||||
|  | -				{
 | ||||||
|  | -					LDAP_BOOL_SET(gopts, attrs[i].offset);
 | ||||||
|  | -
 | ||||||
|  | -				} else {
 | ||||||
|  | -					LDAP_BOOL_CLR(gopts, attrs[i].offset);
 | ||||||
|  | -				}
 | ||||||
|  | -
 | ||||||
|  | -				break;
 | ||||||
|  | -
 | ||||||
|  | -			case ATTR_INT: {
 | ||||||
|  | -				char *next;
 | ||||||
|  | -				long l;
 | ||||||
|  | -				p = &((char *) gopts)[attrs[i].offset];
 | ||||||
|  | -				l = strtol( opt, &next, 10 );
 | ||||||
|  | -				if ( next != opt && next[ 0 ] == '\0' ) {
 | ||||||
|  | -					* (int*) p = l;
 | ||||||
|  | -				}
 | ||||||
|  | -				} break;
 | ||||||
|  | -
 | ||||||
|  | -			case ATTR_KV: {
 | ||||||
|  | -					const struct ol_keyvalue *kv;
 | ||||||
|  | -
 | ||||||
|  | -					for(kv = attrs[i].data;
 | ||||||
|  | -						kv->key != NULL;
 | ||||||
|  | -						kv++) {
 | ||||||
|  | -
 | ||||||
|  | -						if(strcasecmp(opt, kv->key) == 0) {
 | ||||||
|  | -							p = &((char *) gopts)[attrs[i].offset];
 | ||||||
|  | -							* (int*) p = kv->value;
 | ||||||
|  | -							break;
 | ||||||
|  | -						}
 | ||||||
|  | -					}
 | ||||||
|  | -				} break;
 | ||||||
|  | -
 | ||||||
|  | -			case ATTR_STRING:
 | ||||||
|  | -				p = &((char *) gopts)[attrs[i].offset];
 | ||||||
|  | -				if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
 | ||||||
|  | -				* (char**) p = LDAP_STRDUP(opt);
 | ||||||
|  | -				break;
 | ||||||
|  | -			case ATTR_OPTION:
 | ||||||
|  | -				ldap_set_option( NULL, attrs[i].offset, opt );
 | ||||||
|  | -				break;
 | ||||||
|  | -			case ATTR_SASL:
 | ||||||
|  | -#ifdef HAVE_CYRUS_SASL
 | ||||||
|  | -			   	ldap_int_sasl_config( gopts, attrs[i].offset, opt );
 | ||||||
|  | -#endif
 | ||||||
|  | -				break;
 | ||||||
|  | -			case ATTR_GSSAPI:
 | ||||||
|  | -#ifdef HAVE_GSSAPI
 | ||||||
|  | -				ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
 | ||||||
|  | -#endif
 | ||||||
|  | -				break;
 | ||||||
|  | -			case ATTR_TLS:
 | ||||||
|  | -#ifdef HAVE_TLS
 | ||||||
|  | -			   	ldap_int_tls_config( NULL, attrs[i].offset, opt );
 | ||||||
|  | -#endif
 | ||||||
|  | -				break;
 | ||||||
|  | -			case ATTR_OPT_TV: {
 | ||||||
|  | -				struct timeval tv;
 | ||||||
|  | -				char *next;
 | ||||||
|  | -				tv.tv_usec = 0;
 | ||||||
|  | -				tv.tv_sec = strtol( opt, &next, 10 );
 | ||||||
|  | -				if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
 | ||||||
|  | -					(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
 | ||||||
|  | -				}
 | ||||||
|  | -				} break;
 | ||||||
|  | -			case ATTR_OPT_INT: {
 | ||||||
|  | -				long l;
 | ||||||
|  | -				char *next;
 | ||||||
|  | -				l = strtol( opt, &next, 10 );
 | ||||||
|  | -				if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
 | ||||||
|  | -					int v = (int)l;
 | ||||||
|  | -					(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
 | ||||||
|  | -				}
 | ||||||
|  | -				} break;
 | ||||||
|  | -			}
 | ||||||
|  | -
 | ||||||
|  | -			break;
 | ||||||
|  | -		}
 | ||||||
|  | +		ldap_int_conf_option( gopts, cmd, opt, userconf );
 | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  |  	fclose(fp); | ||||||
|  | diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
 | ||||||
|  | index 87ea0ea06..39384e5e9 100644
 | ||||||
|  | --- a/servers/slapd/slapcommon.c
 | ||||||
|  | +++ b/servers/slapd/slapcommon.c
 | ||||||
|  | @@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode )
 | ||||||
|  |  			break; | ||||||
|  |  		} | ||||||
|  |   | ||||||
|  | -	} else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) {
 | ||||||
|  | +	} else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) ||
 | ||||||
|  | +			( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) {
 | ||||||
|  |  		switch ( tool ) { | ||||||
|  |  		case SLAPCAT: | ||||||
|  |  			if ( strcasecmp( p, "no" ) == 0 ) { | ||||||
|  | @@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode )
 | ||||||
|  |  			} else { | ||||||
|  |  				unsigned int u; | ||||||
|  |  				if ( lutil_atou( &u, p ) ) { | ||||||
|  | -					Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 );
 | ||||||
|  | +					Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 );
 | ||||||
|  |  					return -1; | ||||||
|  |  				} | ||||||
|  |  				ldif_wrap = (ber_len_t)u; | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
							
								
								
									
										631
									
								
								openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
									
									
									
									
									
										Normal file
									
								
							
							| @ -0,0 +1,631 @@ | |||||||
|  | NOTE: The patch has been adjusted to match the base code before backporting. | ||||||
|  | 
 | ||||||
|  | From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Isaac Boukris <iboukris@gmail.com> | ||||||
|  | Date: Tue, 14 Apr 2020 16:10:48 +0300 | ||||||
|  | Subject: [PATCH] ITS#9189 rework sasl-cbinding support | ||||||
|  | 
 | ||||||
|  | Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use, | ||||||
|  | defaults to "none". | ||||||
|  | 
 | ||||||
|  | Add "tls-endpoint" binding type implementing "tls-server-end-point" from | ||||||
|  | RCF 5929, which is compatible with Windows. | ||||||
|  | 
 | ||||||
|  | Fix "tls-unique" to include the prefix in the bindings as per RFC 5056. | ||||||
|  | ---
 | ||||||
|  |  doc/man/man3/ldap_get_option.3 |  16 +++++ | ||||||
|  |  doc/man/man5/ldap.conf.5       |   3 + | ||||||
|  |  doc/man/man5/slapd-config.5    |   4 ++ | ||||||
|  |  doc/man/man5/slapd.conf.5      |   3 + | ||||||
|  |  include/ldap.h                 |   5 ++ | ||||||
|  |  include/ldap_pvt.h             |   5 ++ | ||||||
|  |  libraries/libldap/cyrus.c      | 103 ++++++++++++++++++++++++++++----- | ||||||
|  |  libraries/libldap/init.c       |   1 + | ||||||
|  |  libraries/libldap/ldap-int.h   |   1 + | ||||||
|  |  libraries/libldap/ldap-tls.h   |   2 + | ||||||
|  |  libraries/libldap/tls2.c       |   7 +++ | ||||||
|  |  libraries/libldap/tls_g.c      |  59 +++++++++++++++++++ | ||||||
|  |  libraries/libldap/tls_o.c      |  45 ++++++++++++++ | ||||||
|  |  servers/slapd/bconfig.c        |  11 +++- | ||||||
|  |  servers/slapd/config.c         |   1 + | ||||||
|  |  servers/slapd/connection.c     |   9 +-- | ||||||
|  |  servers/slapd/proto-slap.h     |   4 +- | ||||||
|  |  servers/slapd/sasl.c           |  27 ++++++--- | ||||||
|  |  18 files changed, 274 insertions(+), 32 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
 | ||||||
|  | index 4f03a01a3..fd1b3c91c 100644
 | ||||||
|  | --- a/doc/man/man3/ldap_get_option.3
 | ||||||
|  | +++ b/doc/man/man3/ldap_get_option.3
 | ||||||
|  | @@ -563,6 +563,22 @@ must be a
 | ||||||
|  |  .BR "char **" . | ||||||
|  |  Its content needs to be freed by the caller using | ||||||
|  |  .BR ldap_memfree (3). | ||||||
|  | +.B LDAP_OPT_X_SASL_CBINDING
 | ||||||
|  | +Sets/gets the channel-binding type to use in SASL,
 | ||||||
|  | +one of
 | ||||||
|  | +.BR LDAP_OPT_X_SASL_CBINDING_NONE
 | ||||||
|  | +(the default),
 | ||||||
|  | +.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE
 | ||||||
|  | +the "tls-unique" type from RCF 5929.
 | ||||||
|  | +.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT
 | ||||||
|  | +the "tls-server-end-point" from RCF 5929, compatible with Windows.
 | ||||||
|  | +.BR invalue
 | ||||||
|  | +must be
 | ||||||
|  | +.BR "const int *" ;
 | ||||||
|  | +.BR outvalue
 | ||||||
|  | +must be
 | ||||||
|  | +.BR "int *" .
 | ||||||
|  | +.TP
 | ||||||
|  |  .SH TCP OPTIONS | ||||||
|  |  The TCP options are OpenLDAP specific. | ||||||
|  |  Mainly intended for use with Linux, they may not be portable. | ||||||
|  | diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
 | ||||||
|  | index 65ad40c1b..4974f8340 100644
 | ||||||
|  | --- a/doc/man/man5/ldap.conf.5
 | ||||||
|  | +++ b/doc/man/man5/ldap.conf.5
 | ||||||
|  | @@ -286,6 +286,9 @@ size allowed.  0 disables security layers.  The default is 65536.
 | ||||||
|  |  .TP | ||||||
|  |  .B SASL_NOCANON <on/true/yes/off/false/no> | ||||||
|  |  Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off. | ||||||
|  | +.TP
 | ||||||
|  | +.B SASL_CBINDING <none/tls-unique/tls-endpoint>
 | ||||||
|  | +The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
 | ||||||
|  |  .SH GSSAPI OPTIONS | ||||||
|  |  If OpenLDAP is built with Generic Security Services Application Programming Interface support, | ||||||
|  |  there are more options you can specify. | ||||||
|  | diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
 | ||||||
|  | index 18518a186..dc0ab769f 100644
 | ||||||
|  | --- a/doc/man/man5/slapd-config.5
 | ||||||
|  | +++ b/doc/man/man5/slapd-config.5
 | ||||||
|  | @@ -720,6 +720,10 @@ Used to specify the fully qualified domain name used for SASL processing.
 | ||||||
|  |  .B olcSaslRealm: <realm> | ||||||
|  |  Specify SASL realm.  Default is empty. | ||||||
|  |  .TP | ||||||
|  | +.B olcSaslCbinding: none | tls-unique | tls-endpoint
 | ||||||
|  | +Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
 | ||||||
|  | +Default is none.
 | ||||||
|  | +.TP
 | ||||||
|  |  .B olcSaslSecProps: <properties> | ||||||
|  |  Used to specify Cyrus SASL security properties. | ||||||
|  |  The | ||||||
|  | diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
 | ||||||
|  | index f2094b7fd..73a151a70 100644
 | ||||||
|  | --- a/doc/man/man5/slapd.conf.5
 | ||||||
|  | +++ b/doc/man/man5/slapd.conf.5
 | ||||||
|  | @@ -914,6 +914,9 @@ The
 | ||||||
|  |  property specifies the maximum security layer receive buffer | ||||||
|  |  size allowed.  0 disables security layers.  The default is 65536. | ||||||
|  |  .TP | ||||||
|  | +.B sasl\-cbinding none | tls-unique | tls-endpoint
 | ||||||
|  | +Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
 | ||||||
|  | +.TP
 | ||||||
|  |  .B schemadn <dn> | ||||||
|  |  Specify the distinguished name for the subschema subentry that | ||||||
|  |  controls the entries on this server.  The default is "cn=Subschema". | ||||||
|  | diff --git a/include/ldap.h b/include/ldap.h
 | ||||||
|  | index 7b4fc9d64..9d5679ae8 100644
 | ||||||
|  | --- a/include/ldap.h
 | ||||||
|  | +++ b/include/ldap.h
 | ||||||
|  | @@ -186,6 +186,10 @@ LDAP_BEGIN_DECL
 | ||||||
|  |  #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2) | ||||||
|  |  #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3) | ||||||
|  |   | ||||||
|  | +#define LDAP_OPT_X_SASL_CBINDING_NONE		0
 | ||||||
|  | +#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE	1
 | ||||||
|  | +#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT	2
 | ||||||
|  | +
 | ||||||
|  |  /* OpenLDAP SASL options */ | ||||||
|  |  #define LDAP_OPT_X_SASL_MECH			0x6100 | ||||||
|  |  #define LDAP_OPT_X_SASL_REALM			0x6101 | ||||||
|  | @@ -201,6 +205,7 @@ LDAP_BEGIN_DECL
 | ||||||
|  |  #define LDAP_OPT_X_SASL_NOCANON			0x610b | ||||||
|  |  #define LDAP_OPT_X_SASL_USERNAME		0x610c /* read-only */ | ||||||
|  |  #define LDAP_OPT_X_SASL_GSS_CREDS		0x610d | ||||||
|  | +#define LDAP_OPT_X_SASL_CBINDING		0x610e
 | ||||||
|  |   | ||||||
|  |  /* OpenLDAP GSSAPI options */ | ||||||
|  |  #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT      0x6200 | ||||||
|  | diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
 | ||||||
|  | index 783d280a5..01220d00a 100644
 | ||||||
|  | --- a/include/ldap_pvt.h
 | ||||||
|  | +++ b/include/ldap_pvt.h
 | ||||||
|  | @@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void));
 | ||||||
|  |  LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex)); | ||||||
|  |  LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex)); | ||||||
|  |  LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex)); | ||||||
|  | +
 | ||||||
|  | +LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg ));
 | ||||||
|  | +LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type,
 | ||||||
|  | +					        int is_server ));
 | ||||||
|  |  #endif /* HAVE_CYRUS_SASL */ | ||||||
|  |   | ||||||
|  |  struct sockbuf; /* avoid pulling in <lber.h> */ | ||||||
|  | @@ -438,6 +442,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
 | ||||||
|  |  	LDAPDN_rewrite_dummy *func, unsigned flags )); | ||||||
|  |  LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx )); | ||||||
|  |  LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server )); | ||||||
|  | +LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server ));
 | ||||||
|  |   | ||||||
|  |  LDAP_END_DECL | ||||||
|  |   | ||||||
|  | diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
 | ||||||
|  | index beb1cf4a0..4d4d5b3e3 100644
 | ||||||
|  | --- a/libraries/libldap/cyrus.c
 | ||||||
|  | +++ b/libraries/libldap/cyrus.c
 | ||||||
|  | @@ -372,6 +372,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
 | ||||||
|  |  	return LDAP_SUCCESS; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +int ldap_pvt_sasl_cbinding_parse( const char *arg )
 | ||||||
|  | +{
 | ||||||
|  | +	int i = -1;
 | ||||||
|  | +
 | ||||||
|  | +	if ( strcasecmp(arg, "none") == 0 )
 | ||||||
|  | +		i = LDAP_OPT_X_SASL_CBINDING_NONE;
 | ||||||
|  | +	else if ( strcasecmp(arg, "tls-unique") == 0 )
 | ||||||
|  | +		i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE;
 | ||||||
|  | +	else if ( strcasecmp(arg, "tls-endpoint") == 0 )
 | ||||||
|  | +		i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT;
 | ||||||
|  | +
 | ||||||
|  | +	return i;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  | +void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server )
 | ||||||
|  | +{
 | ||||||
|  | +#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS)
 | ||||||
|  | +	char unique_prefix[] = "tls-unique:";
 | ||||||
|  | +	char endpoint_prefix[] = "tls-server-end-point:";
 | ||||||
|  | +	char cbinding[ 64 ];
 | ||||||
|  | +	struct berval cbv = { 64, cbinding };
 | ||||||
|  | +	void *cb_data; /* used since cb->data is const* */
 | ||||||
|  | +	sasl_channel_binding_t *cb;
 | ||||||
|  | +	char *prefix;
 | ||||||
|  | +	int plen;
 | ||||||
|  | +
 | ||||||
|  | +	switch (type) {
 | ||||||
|  | +	case LDAP_OPT_X_SASL_CBINDING_NONE:
 | ||||||
|  | +		return NULL;
 | ||||||
|  | +	case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
 | ||||||
|  | +		if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server ))
 | ||||||
|  | +			return NULL;
 | ||||||
|  | +		prefix = unique_prefix;
 | ||||||
|  | +		plen = sizeof(unique_prefix) -1;
 | ||||||
|  | +		break;
 | ||||||
|  | +	case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
 | ||||||
|  | +		if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server ))
 | ||||||
|  | +			return NULL;
 | ||||||
|  | +		prefix = endpoint_prefix;
 | ||||||
|  | +		plen = sizeof(endpoint_prefix) -1;
 | ||||||
|  | +		break;
 | ||||||
|  | +	default:
 | ||||||
|  | +		return NULL;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );
 | ||||||
|  | +	cb->len = plen + cbv.bv_len;
 | ||||||
|  | +	cb->data = cb_data = cb+1;
 | ||||||
|  | +	memcpy( cb_data, prefix, plen );
 | ||||||
|  | +	memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len );
 | ||||||
|  | +	cb->name = "ldap";
 | ||||||
|  | +	cb->critical = 0;
 | ||||||
|  | +
 | ||||||
|  | +	return cb;
 | ||||||
|  | +#else
 | ||||||
|  | +	return NULL;
 | ||||||
|  | +#endif
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  int | ||||||
|  |  ldap_int_sasl_bind( | ||||||
|  |  	LDAP			*ld, | ||||||
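Review bot: ldap_pvt_sasl_cbinding dereferences the result of `ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len )` without a NULL check, so an allocation failure during a SASL bind becomes a crash instead of a bind without channel binding; add `if ( cb == NULL ) return NULL;` before `cb->len = plen + cbv.bv_len;`. `cb_data + plen` does pointer arithmetic on a `void *`, a GNU extension; `(char *)cb_data + plen` is portable. The buffer length is hard-coded twice (`char cbinding[ 64 ]` and `{ 64, cbinding }`); using `sizeof(cbinding)` in the berval initializer, as the removed block in ldap_int_sasl_bind did, keeps the two in step. `cb->critical = 0` presumably tells Cyrus SASL the binding is advisory rather than required, as the removed code also did; a one-line comment saying this is intentional would help the next reader of this security-sensitive path.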
|  | @@ -497,17 +556,12 @@ ldap_int_sasl_bind(
 | ||||||
|  |  			(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac ); | ||||||
|  |  			LDAP_FREE( authid.bv_val ); | ||||||
|  |  #ifdef SASL_CHANNEL_BINDING	/* 2.1.25+ */ | ||||||
|  | -			{
 | ||||||
|  | -				char cbinding[64];
 | ||||||
|  | -				struct berval cbv = { sizeof(cbinding), cbinding };
 | ||||||
|  | -				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
 | ||||||
|  | -					sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
 | ||||||
|  | -						cbv.bv_len);
 | ||||||
|  | -					cb->name = "ldap";
 | ||||||
|  | -					cb->critical = 0;
 | ||||||
|  | -					cb->data = (char *)(cb+1);
 | ||||||
|  | -					cb->len = cbv.bv_len;
 | ||||||
|  | -					memcpy( cb->data, cbv.bv_val, cbv.bv_len );
 | ||||||
|  | +			if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) {
 | ||||||
|  | +				void *cb;
 | ||||||
|  | +				cb = ldap_pvt_sasl_cbinding( ssl,
 | ||||||
|  | +							     ld->ld_options.ldo_sasl_cbinding,
 | ||||||
|  | +							     0 );
 | ||||||
|  | +				if ( cb != NULL ) {
 | ||||||
|  |  					sasl_setprop( ld->ld_defconn->lconn_sasl_authctx, | ||||||
|  |  						SASL_CHANNEL_BINDING, cb ); | ||||||
|  |  					ld->ld_defconn->lconn_sasl_cbind = cb; | ||||||
|  | @@ -931,12 +983,20 @@ int ldap_pvt_sasl_secprops(
 | ||||||
|  |  int | ||||||
|  |  ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg ) | ||||||
|  |  { | ||||||
|  | -	int rc;
 | ||||||
|  | +	int rc, i;
 | ||||||
|  |   | ||||||
|  |  	switch( option ) { | ||||||
|  |  	case LDAP_OPT_X_SASL_SECPROPS: | ||||||
|  |  		rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops ); | ||||||
|  |  		if( rc == LDAP_SUCCESS ) return 0; | ||||||
|  | +		break;
 | ||||||
|  | +	case LDAP_OPT_X_SASL_CBINDING:
 | ||||||
|  | +		i = ldap_pvt_sasl_cbinding_parse( arg );
 | ||||||
|  | +		if ( i >= 0 ) {
 | ||||||
|  | +			lo->ldo_sasl_cbinding = i;
 | ||||||
|  | +			return 0;
 | ||||||
|  | +		}
 | ||||||
|  | +		break;
 | ||||||
|  |  	} | ||||||
|  |   | ||||||
|  |  	return -1; | ||||||
|  | @@ -1042,6 +1102,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
 | ||||||
|  |  			/* this option is write only */ | ||||||
|  |  			return -1; | ||||||
|  |   | ||||||
|  | +		case LDAP_OPT_X_SASL_CBINDING:
 | ||||||
|  | +			*(int *)arg = ld->ld_options.ldo_sasl_cbinding;
 | ||||||
|  | +			break;
 | ||||||
|  | +
 | ||||||
|  |  #ifdef SASL_GSS_CREDS | ||||||
|  |  		case LDAP_OPT_X_SASL_GSS_CREDS: { | ||||||
|  |  			sasl_conn_t *ctx; | ||||||
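Review bot: The new LDAP_OPT_X_SASL_CBINDING case writes `*(int *)arg = ld->ld_options.ldo_sasl_cbinding;` without the `if ( !arg ) return -1;` guard that the matching case in ldap_int_sasl_set_option adds; if ldap_int_sasl_get_option does not reject a NULL arg earlier (its head is outside the hunk), this dereferences NULL. Mirroring the set_option guard keeps the two accessors consistent.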
|  | @@ -1143,6 +1207,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
 | ||||||
|  |  		return sc == LDAP_SUCCESS ? 0 : -1; | ||||||
|  |  		} | ||||||
|  |   | ||||||
|  | +	case LDAP_OPT_X_SASL_CBINDING:
 | ||||||
|  | +		if ( !arg ) return -1;
 | ||||||
|  | +		switch( *(int *) arg ) {
 | ||||||
|  | +		case LDAP_OPT_X_SASL_CBINDING_NONE:
 | ||||||
|  | +		case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
 | ||||||
|  | +		case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
 | ||||||
|  | +			ld->ld_options.ldo_sasl_cbinding = *(int *) arg;
 | ||||||
|  | +			return 0;
 | ||||||
|  | +		}
 | ||||||
|  | +		return -1;
 | ||||||
|  | +
 | ||||||
|  |  #ifdef SASL_GSS_CREDS | ||||||
|  |  	case LDAP_OPT_X_SASL_GSS_CREDS: { | ||||||
|  |  		sasl_conn_t *ctx; | ||||||
|  | diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
 | ||||||
|  | index 3468ee249..dfe1ea9da 100644
 | ||||||
|  | --- a/libraries/libldap/init.c
 | ||||||
|  | +++ b/libraries/libldap/init.c
 | ||||||
|  | @@ -110,6 +110,7 @@ static const struct ol_attribute {
 | ||||||
|  |  		offsetof(struct ldapoptions, ldo_def_sasl_authzid)}, | ||||||
|  |  	{0, ATTR_SASL,		"SASL_SECPROPS",	NULL,	LDAP_OPT_X_SASL_SECPROPS}, | ||||||
|  |  	{0, ATTR_BOOL,		"SASL_NOCANON",	NULL,	LDAP_BOOL_SASL_NOCANON}, | ||||||
|  | +	{0, ATTR_SASL,		"SASL_CBINDING",	NULL,	LDAP_OPT_X_SASL_CBINDING},
 | ||||||
|  |  #endif | ||||||
|  |   | ||||||
|  |  #ifdef HAVE_GSSAPI | ||||||
|  | diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
 | ||||||
|  | index 67e8bd6da..c6c6891a9 100644
 | ||||||
|  | --- a/libraries/libldap/ldap-int.h
 | ||||||
|  | +++ b/libraries/libldap/ldap-int.h
 | ||||||
|  | @@ -300,6 +300,7 @@ struct ldapoptions {
 | ||||||
|  |   | ||||||
|  |  	/* SASL Security Properties */ | ||||||
|  |  	struct sasl_security_properties	ldo_sasl_secprops; | ||||||
|  | +	int ldo_sasl_cbinding;
 | ||||||
|  |  #define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0} | ||||||
|  |  #else | ||||||
|  |  #define LDAP_LDO_SASL_NULLARG | ||||||
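Review bot: The new `int ldo_sasl_cbinding;` member is inserted ahead of `LDAP_LDO_SASL_NULLARG`, but the macro's positional initializer list `,0,0,0,0,{0}` is not extended to cover it. If that macro is expanded in the middle of a static initializer for `struct ldapoptions` (it reads like a positional list that is followed by more fields), every initializer after it shifts by one member; if it happens to be last, the new field is merely zero-filled. Either way the macro should become `#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0`, which is exactly what the separate one-line ITS#9189 follow-up patch further down this page does; folding it into this hunk would avoid an intermediate state where the library is mis-initialized.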
|  | diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
 | ||||||
|  | index efd51aaa2..9f01ddda1 100644
 | ||||||
|  | --- a/libraries/libldap/ldap-tls.h
 | ||||||
|  | +++ b/libraries/libldap/ldap-tls.h
 | ||||||
|  | @@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
 | ||||||
|  |  typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); | ||||||
|  |  typedef int (TI_session_strength)(tls_session *sess); | ||||||
|  |  typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); | ||||||
|  | +typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server);
 | ||||||
|  |  typedef int (TI_session_peercert)(tls_session *s, struct berval *der); | ||||||
|  | 
 | ||||||
|  |  typedef void (TI_thr_init)(void); | ||||||
|  | @@ -69,6 +70,7 @@ typedef struct tls_impl {
 | ||||||
|  |  	TI_session_chkhost *ti_session_chkhost; | ||||||
|  |  	TI_session_strength *ti_session_strength; | ||||||
|  |  	TI_session_unique *ti_session_unique; | ||||||
|  | +	TI_session_endpoint *ti_session_endpoint;
 | ||||||
|  |  	TI_session_peercert *ti_session_peercert; | ||||||
|  |   | ||||||
|  |  	Sockbuf_IO *ti_sbio; | ||||||
|  | diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 | ||||||
|  | index 79a651a38..72827a1a3 100644
 | ||||||
|  | --- a/libraries/libldap/tls2.c
 | ||||||
|  | +++ b/libraries/libldap/tls2.c
 | ||||||
|  | @@ -1200,6 +1200,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
 | ||||||
|  |  	return tls_imp->ti_session_unique( session, buf, is_server ); | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +int
 | ||||||
|  | +ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server )
 | ||||||
|  | +{
 | ||||||
|  | +	tls_session *session = s;
 | ||||||
|  | +	return tls_imp->ti_session_endpoint( session, buf, is_server );
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  int | ||||||
|  |  ldap_pvt_tls_get_peercert( void *s, struct berval *der ) | ||||||
|  |  { | ||||||
|  | diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
 | ||||||
|  | index 956a9ec90..ef0f44e20 100644
 | ||||||
|  | --- a/libraries/libldap/tls_g.c
 | ||||||
|  | +++ b/libraries/libldap/tls_g.c
 | ||||||
|  | @@ -729,6 +729,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  |  	return 0; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 | ||||||
|  | +{
 | ||||||
|  | +	tlsg_session *s = (tlsg_session *)sess;
 | ||||||
|  | +	const gnutls_datum_t *cert_data;
 | ||||||
|  | +	gnutls_x509_crt_t server_cert;
 | ||||||
|  | +	gnutls_digest_algorithm_t md;
 | ||||||
|  | +	int sign_algo, md_len, rc;
 | ||||||
|  | +
 | ||||||
|  | +	if ( is_server )
 | ||||||
|  | +		cert_data = gnutls_certificate_get_ours( s->session );
 | ||||||
|  | +	else
 | ||||||
|  | +		cert_data = gnutls_certificate_get_peers( s->session, NULL );
 | ||||||
|  | +
 | ||||||
|  | +	if ( cert_data == NULL )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	rc = gnutls_x509_crt_init( &server_cert );
 | ||||||
|  | +	if ( rc != GNUTLS_E_SUCCESS )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER );
 | ||||||
|  | +	if ( rc != GNUTLS_E_SUCCESS ) {
 | ||||||
|  | +		gnutls_x509_crt_deinit( server_cert );
 | ||||||
|  | +		return 0;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert );
 | ||||||
|  | +	gnutls_x509_crt_deinit( server_cert );
 | ||||||
|  | +	if ( sign_algo <= GNUTLS_SIGN_UNKNOWN )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	md = gnutls_sign_get_hash_algorithm( sign_algo );
 | ||||||
|  | +	if ( md == GNUTLS_DIG_UNKNOWN )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	/* See RFC 5929 */
 | ||||||
|  | +	switch (md) {
 | ||||||
|  | +	case GNUTLS_DIG_NULL:
 | ||||||
|  | +	case GNUTLS_DIG_MD2:
 | ||||||
|  | +	case GNUTLS_DIG_MD5:
 | ||||||
|  | +	case GNUTLS_DIG_SHA1:
 | ||||||
|  | +		md = GNUTLS_DIG_SHA256;
 | ||||||
|  | +	}
 | ||||||
|  | +
 | ||||||
|  | +	md_len = gnutls_hash_get_len( md );
 | ||||||
|  | +	if ( md_len == 0 || md_len > buf->bv_len )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val );
 | ||||||
|  | +	if ( rc != GNUTLS_E_SUCCESS )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	buf->bv_len = md_len;
 | ||||||
|  | +
 | ||||||
|  | +	return md_len;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  static int | ||||||
|  |  tlsg_session_peercert( tls_session *sess, struct berval *der ) | ||||||
|  |  { | ||||||
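Review bot: `switch (md)` in tlsg_session_endpoint has no `default:` arm, so the intended outcome for every other `gnutls_digest_algorithm_t` value (keep the certificate's own hash) is implicit and `-Wswitch` warns on each unlisted enumerator; `default: break; /* keep the certificate's own hash, per RFC 5929 */` makes the SHA-256 downgrade rule explicit. Separately, all six early `return 0` paths (no certificate, init/import failure, unknown signature or hash, buffer too small, hash failure) look identical to the caller, so a tls-server-end-point binding that could not be computed is indistinguishable from a session with no certificate at all; a `Debug( LDAP_DEBUG_ANY, ... )` line on the failure paths (if the libldap debug macro is available in this file) would make a silently dropped channel binding visible in logs. The `md_len > buf->bv_len` comparison mixes `int` and `ber_len_t`; it is safe because `md_len` is non-negative here, but the OpenSSL implementation in the same patch checks `EVP_MAX_MD_SIZE` up front instead, and one convention across both backends would be easier to audit.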
|  | @@ -1117,6 +1175,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlsg_session_chkhost, | ||||||
|  |  	tlsg_session_strength, | ||||||
|  |  	tlsg_session_unique, | ||||||
|  | +	tlsg_session_endpoint,
 | ||||||
|  |  	tlsg_session_peercert, | ||||||
|  |   | ||||||
|  |  	&tlsg_sbio, | ||||||
|  | diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 | ||||||
|  | index cf97d7632..aa855d77a 100644
 | ||||||
|  | --- a/libraries/libldap/tls_o.c
 | ||||||
|  | +++ b/libraries/libldap/tls_o.c
 | ||||||
|  | @@ -858,6 +858,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 | ||||||
|  |  	return buf->bv_len; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static int
 | ||||||
|  | +tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 | ||||||
|  | +{
 | ||||||
|  | +	tlso_session *s = (tlso_session *)sess;
 | ||||||
|  | +	const EVP_MD *md;
 | ||||||
|  | +	unsigned int md_len;
 | ||||||
|  | +	X509 *cert;
 | ||||||
|  | +
 | ||||||
|  | +	if ( buf->bv_len < EVP_MAX_MD_SIZE )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	if ( is_server )
 | ||||||
|  | +		cert = SSL_get_certificate( s );
 | ||||||
|  | +	else
 | ||||||
|  | +		cert = SSL_get_peer_certificate( s );
 | ||||||
|  | +
 | ||||||
|  | +	if ( cert == NULL )
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +#if OPENSSL_VERSION_NUMBER >= 0x10100000
 | ||||||
|  | +	md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
 | ||||||
|  | +#else
 | ||||||
|  | +	md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
 | ||||||
|  | +#endif
 | ||||||
|  | +
 | ||||||
|  | +	/* See RFC 5929 */
 | ||||||
|  | +	if ( md == NULL ||
 | ||||||
|  | +	     md == EVP_md_null() ||
 | ||||||
|  | +#ifndef OPENSSL_NO_MD2
 | ||||||
|  | +	     md == EVP_md2() ||
 | ||||||
|  | +#endif
 | ||||||
|  | +	     md == EVP_md4() ||
 | ||||||
|  | +	     md == EVP_md5() ||
 | ||||||
|  | +	     md == EVP_sha1() )
 | ||||||
|  | +		md = EVP_sha256();
 | ||||||
|  | +
 | ||||||
|  | +	if ( !X509_digest( cert, md, buf->bv_val, &md_len ))
 | ||||||
|  | +		return 0;
 | ||||||
|  | +
 | ||||||
|  | +	buf->bv_len = md_len;
 | ||||||
|  | +
 | ||||||
|  | +	return md_len;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  static int | ||||||
|  |  tlso_session_peercert( tls_session *sess, struct berval *der ) | ||||||
|  |  { | ||||||
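Review bot: On the client path (`is_server == 0`) `cert = SSL_get_peer_certificate( s )` returns a new reference that OpenSSL documents must be released with `X509_free()`, but tlso_session_endpoint never frees it, so every client connection that computes a tls-server-end-point binding leaks the peer X509 (the `SSL_get_certificate` result on the server path is a borrowed pointer and must not be freed, so the free has to be conditional). Capture the digest result first and release the reference before returning: `int ok = X509_digest( cert, md, (unsigned char *)buf->bv_val, &md_len ); if ( !is_server ) X509_free( cert ); if ( !ok ) return 0;`. The `(unsigned char *)` cast is also needed on its own merits, since `bv_val` is `char *` while `X509_digest` takes `unsigned char *`, which otherwise trips `-Wpointer-sign`.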
|  | @@ -1474,6 +1518,7 @@ tls_impl ldap_int_tls_impl = {
 | ||||||
|  |  	tlso_session_chkhost, | ||||||
|  |  	tlso_session_strength, | ||||||
|  |  	tlso_session_unique, | ||||||
|  | +	tlso_session_endpoint,
 | ||||||
|  |  	tlso_session_peercert, | ||||||
|  |   | ||||||
|  |  	&tlso_sbio, | ||||||
|  | diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
 | ||||||
|  | index 6069ee203..4c90715be 100644
 | ||||||
|  | --- a/servers/slapd/bconfig.c
 | ||||||
|  | +++ b/servers/slapd/bconfig.c
 | ||||||
|  | @@ -630,6 +630,15 @@ static ConfigTable config_back_cf_table[] = {
 | ||||||
|  |  #endif | ||||||
|  |  		"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' " | ||||||
|  |  			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, | ||||||
|  | +	{ "sasl-cbinding", NULL, 2, 2, 0,
 | ||||||
|  | +#ifdef HAVE_CYRUS_SASL
 | ||||||
|  | +		ARG_STRING, &sasl_cbinding,
 | ||||||
|  | +#else
 | ||||||
|  | +		ARG_IGNORED, NULL,
 | ||||||
|  | +#endif
 | ||||||
|  | +		"( OLcfgGlAt:100 NAME 'olcSaslCBinding' "
 | ||||||
|  | +			"EQUALITY caseIgnoreMatch "
 | ||||||
|  | +			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 | ||||||
|  |  	{ "sasl-host", "host", 2, 2, 0, | ||||||
|  |  #ifdef HAVE_CYRUS_SASL | ||||||
|  |  		ARG_STRING|ARG_UNIQUE, &sasl_host, | ||||||
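Review bot: `sasl-cbinding` is declared `ARG_STRING` straight into the bare `sasl_cbinding` pointer, so its value is never validated when the configuration is read or when `olcSaslCBinding` is modified over cn=config; the string is only parsed per connection in slap_sasl_cbinding (same patch), which treats an unparseable value as "no channel binding". A misspelled directive such as `sasl-cbinding tls_unique` therefore loads without error and quietly leaves every bind unbound, the opposite of what the operator asked for. If this file's other validated directives use `ARG_MAGIC` handlers, the same pattern here — rejecting any value for which `ldap_pvt_sasl_cbinding_parse()` returns < 0 — would turn that into a startup or modify-time error. The entry also differs from `sasl-host` just below in lacking `ARG_UNIQUE` and in giving `NULL` for the argument-name column, where `"none|tls-unique|tls-endpoint"` would document the accepted values.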
|  | @@ -948,7 +957,7 @@ static ConfigOCs cf_ocs[] = {
 | ||||||
|  |  		 "olcPluginLogFile $ olcReadOnly $ olcReferral $ " | ||||||
|  |  		 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ " | ||||||
|  |  		 "olcRootDSE $ " | ||||||
|  | -		 "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
 | ||||||
|  | +		 "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
 | ||||||
|  |  		 "olcSecurity $ olcServerID $ olcSizeLimit $ " | ||||||
|  |  		 "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ " | ||||||
|  |  		 "olcTCPBuffer $ " | ||||||
|  | diff --git a/servers/slapd/config.c b/servers/slapd/config.c
 | ||||||
|  | index 060d3410f..3d713d4fb 100644
 | ||||||
|  | --- a/servers/slapd/config.c
 | ||||||
|  | +++ b/servers/slapd/config.c
 | ||||||
|  | @@ -73,6 +73,7 @@ char	*global_host = NULL;
 | ||||||
|  |  struct berval global_host_bv = BER_BVNULL; | ||||||
|  |  char	*global_realm = NULL; | ||||||
|  |  char	*sasl_host = NULL; | ||||||
|  | +char	*sasl_cbinding = NULL;
 | ||||||
|  |  char		**default_passwd_hash = NULL; | ||||||
|  |  struct berval default_search_base = BER_BVNULL; | ||||||
|  |  struct berval default_search_nbase = BER_BVNULL; | ||||||
|  | diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
 | ||||||
|  | index 5f11a0cf1..6d9bb8e85 100644
 | ||||||
|  | --- a/servers/slapd/connection.c
 | ||||||
|  | +++ b/servers/slapd/connection.c
 | ||||||
|  | @@ -1440,12 +1440,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
 | ||||||
|  |  			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 ); | ||||||
|  |  			slap_sasl_external( c, c->c_tls_ssf, &authid ); | ||||||
|  |  			if ( authid.bv_val ) free( authid.bv_val ); | ||||||
|  | -			{
 | ||||||
|  | -				char cbinding[64];
 | ||||||
|  | -				struct berval cbv = { sizeof(cbinding), cbinding };
 | ||||||
|  | -				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
 | ||||||
|  | -					slap_sasl_cbinding( c, &cbv );
 | ||||||
|  | -			}
 | ||||||
|  | +
 | ||||||
|  | +			slap_sasl_cbinding( c, ssl );
 | ||||||
|  | +
 | ||||||
|  |  		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb, | ||||||
|  |  			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */ | ||||||
|  |  			slapd_set_write( s, 1 ); | ||||||
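Review bot: The default server behaviour changes here without any comment: the removed block attached a (non-critical) tls-unique binding on every TLS connection unconditionally, while the new `slap_sasl_cbinding( c, ssl )` returns early and sets nothing unless the `sasl-cbinding` directive is present (visible in the sasl.c hunk of this patch). That is a deliberate move to an opt-in model, but it means an upgraded slapd silently stops offering channel bindings it used to offer; it should be called out in slapd.conf(5)/olcSaslCBinding and the release notes, and a one-line comment at the call site such as `/* binding type comes from the sasl-cbinding directive; none unless configured */` would spare the next reader a trip into sasl.c. The enclosing `connection_read` starts and ends outside this hunk.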
|  | diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
 | ||||||
|  | index b89fa836a..0790a8004 100644
 | ||||||
|  | --- a/servers/slapd/proto-slap.h
 | ||||||
|  | +++ b/servers/slapd/proto-slap.h
 | ||||||
|  | @@ -1681,8 +1681,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
 | ||||||
|  |  	slap_ssf_t ssf,	/* relative strength of external security */ | ||||||
|  |  	struct berval *authid );	/* asserted authenication id */ | ||||||
|  |   | ||||||
|  | -LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
 | ||||||
|  | -	struct berval *cbv );
 | ||||||
|  | +LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl );
 | ||||||
|  |   | ||||||
|  |  LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c ); | ||||||
|  |  LDAP_SLAPD_F (int) slap_sasl_close( Connection *c ); | ||||||
|  | @@ -2072,6 +2071,7 @@ LDAP_SLAPD_V (char *)	global_host;
 | ||||||
|  |  LDAP_SLAPD_V (struct berval)	global_host_bv; | ||||||
|  |  LDAP_SLAPD_V (char *)	global_realm; | ||||||
|  |  LDAP_SLAPD_V (char *)	sasl_host; | ||||||
|  | +LDAP_SLAPD_V (char *)	sasl_cbinding;
 | ||||||
|  |  LDAP_SLAPD_V (char *)	slap_sasl_auxprops; | ||||||
|  |  LDAP_SLAPD_V (char **)	default_passwd_hash; | ||||||
|  |  LDAP_SLAPD_V (int)		lber_debug; | ||||||
|  | diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
 | ||||||
|  | index fc023904a..5cced358c 100644
 | ||||||
|  | --- a/servers/slapd/sasl.c
 | ||||||
|  | +++ b/servers/slapd/sasl.c
 | ||||||
|  | @@ -1320,6 +1320,8 @@ int slap_sasl_destroy( void )
 | ||||||
|  |  #endif | ||||||
|  |  	free( sasl_host ); | ||||||
|  |  	sasl_host = NULL; | ||||||
|  | +	free( sasl_cbinding );
 | ||||||
|  | +	sasl_cbinding = NULL;
 | ||||||
|  |   | ||||||
|  |  	return 0; | ||||||
|  |  } | ||||||
|  | @@ -1506,17 +1508,24 @@ int slap_sasl_external(
 | ||||||
|  |  	return LDAP_SUCCESS; | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
 | ||||||
|  | +int slap_sasl_cbinding( Connection *conn, void *ssl )
 | ||||||
|  |  { | ||||||
|  |  #ifdef SASL_CHANNEL_BINDING | ||||||
|  | -	sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
 | ||||||
|  | -	cb->name = "ldap";
 | ||||||
|  | -	cb->critical = 0;
 | ||||||
|  | -	cb->data = (char *)(cb+1);
 | ||||||
|  | -	cb->len = cbv->bv_len;
 | ||||||
|  | -	memcpy( cb->data, cbv->bv_val, cbv->bv_len );
 | ||||||
|  | -	sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
 | ||||||
|  | -	conn->c_sasl_cbind = cb;
 | ||||||
|  | +	void *cb;
 | ||||||
|  | +	int i;
 | ||||||
|  | +
 | ||||||
|  | +	if ( sasl_cbinding == NULL )
 | ||||||
|  | +		return LDAP_SUCCESS;
 | ||||||
|  | +
 | ||||||
|  | +	i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding );
 | ||||||
|  | +	if ( i < 0 )
 | ||||||
|  | +		return LDAP_SUCCESS;
 | ||||||
|  | +
 | ||||||
|  | +	cb = ldap_pvt_sasl_cbinding( ssl, i, 1 );
 | ||||||
|  | +	if ( cb != NULL ) {
 | ||||||
|  | +		sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
 | ||||||
|  | +		conn->c_sasl_cbind = cb;
 | ||||||
|  | +	}
 | ||||||
|  |  #endif | ||||||
|  |  	return LDAP_SUCCESS; | ||||||
|  |  } | ||||||
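Review bot: Both failure paths added to slap_sasl_cbinding return LDAP_SUCCESS without leaving any trace: the `i < 0` return when the configured `sasl_cbinding` string does not parse, and the `cb == NULL` case when `ldap_pvt_sasl_cbinding()` cannot produce the binding (for example because the TLS backend returned no certificate digest). In both cases the SASL exchange proceeds with no `SASL_CHANNEL_BINDING` property at all, and since GSSAPI peers accept an acceptor that offers no bindings (the companion test matrix on this page relies on exactly that for the server-side `none` case), this is a silent downgrade of an explicitly configured security setting. At minimum log it before each return, e.g. `Debug( LDAP_DEBUG_ANY, "slap_sasl_cbinding: could not establish %s channel binding on conn %lu\n", sasl_cbinding, conn->c_connid, 0 );` (assuming the three-argument 2.4 `Debug` macro used elsewhere in slapd; confirm the type of `c_connid` against slap.h), and consider whether a configured binding that cannot be computed should reject the bind rather than proceed.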
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
							
								
								
									
								openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
									
									
									
									
									
							| @ -0,0 +1,190 @@ | |||||||
|  | From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Isaac Boukris <iboukris@gmail.com> | ||||||
|  | Date: Sat, 18 Apr 2020 16:30:03 +0200 | ||||||
|  | Subject: [PATCH] ITS#9189 add channel-bindings tests | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  tests/data/slapd-sasl-gssapi.conf       |  3 + | ||||||
|  |  tests/scripts/setup_kdc.sh              |  8 +++ | ||||||
|  |  tests/scripts/test068-sasl-tls-external | 22 +++++++ | ||||||
|  |  tests/scripts/test077-sasl-gssapi       | 83 ++++++++++++++++++++++++- | ||||||
|  |  4 files changed, 113 insertions(+), 3 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
 | ||||||
|  | index 611fc7097..29ab6040b 100644
 | ||||||
|  | --- a/tests/data/slapd-sasl-gssapi.conf
 | ||||||
|  | +++ b/tests/data/slapd-sasl-gssapi.conf
 | ||||||
|  | @@ -63,3 +63,6 @@ rootpw          secret
 | ||||||
|  |   | ||||||
|  |  sasl-realm	@KRB5REALM@ | ||||||
|  |  sasl-host	localhost | ||||||
|  | +
 | ||||||
|  | +database	config
 | ||||||
|  | +rootpw		secret
 | ||||||
|  | diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
 | ||||||
|  | index 1cb784075..98bcd9f96 100755
 | ||||||
|  | --- a/tests/scripts/setup_kdc.sh
 | ||||||
|  | +++ b/tests/scripts/setup_kdc.sh
 | ||||||
|  | @@ -142,3 +142,11 @@ if test $RC != 0 ; then
 | ||||||
|  |  		exit 0 | ||||||
|  |  	fi | ||||||
|  |  fi | ||||||
|  | +
 | ||||||
|  | +HAVE_SASL_GSS_CBIND=no
 | ||||||
|  | +
 | ||||||
|  | +grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
 | ||||||
|  | +RC=$?
 | ||||||
|  | +if test $RC = 0 ; then
 | ||||||
|  | +	HAVE_SASL_GSS_CBIND=yes
 | ||||||
|  | +fi
 | ||||||
|  | diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
 | ||||||
|  | index f647b1012..0b91aa197 100755
 | ||||||
|  | --- a/tests/scripts/test068-sasl-tls-external
 | ||||||
|  | +++ b/tests/scripts/test068-sasl-tls-external
 | ||||||
|  | @@ -88,6 +88,28 @@ else
 | ||||||
|  |  	echo "success" | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  | +# Exercise channel-bindings code in builds without SASL support
 | ||||||
|  | +for cb in "none" "tls-unique" "tls-endpoint" ; do
 | ||||||
|  | +
 | ||||||
|  | +	echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
 | ||||||
|  | +
 | ||||||
|  | +	$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt     \
 | ||||||
|  | +	-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt           \
 | ||||||
|  | +	-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key          \
 | ||||||
|  | +	-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1      \
 | ||||||
|  | +	> $TESTOUT 2>&1
 | ||||||
|  | +
 | ||||||
|  | +	RC=$?
 | ||||||
|  | +	if test $RC != 0 ; then
 | ||||||
|  | +		echo "ldapwhoami failed ($RC)!"
 | ||||||
|  | +		test $KILLSERVERS != no && kill -HUP $PID
 | ||||||
|  | +		exit $RC
 | ||||||
|  | +	else
 | ||||||
|  | +		echo "success"
 | ||||||
|  | +	fi
 | ||||||
|  | +done
 | ||||||
|  | +
 | ||||||
|  | +
 | ||||||
|  |  test $KILLSERVERS != no && kill -HUP $KILLPIDS | ||||||
|  |   | ||||||
|  |  if test $RC != 0 ; then | ||||||
|  | diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | index 64abe16fe..19f665622 100755
 | ||||||
|  | --- a/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | +++ b/tests/scripts/test077-sasl-gssapi
 | ||||||
|  | @@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
 | ||||||
|  |          exit 0 | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  | -mkdir -p $TESTDIR $DBDIR1
 | ||||||
|  | +SLAPTEST="$TESTWD/../servers/slapd/slaptest"
 | ||||||
|  | +CONFDIR=$TESTDIR/slapd.d
 | ||||||
|  | +
 | ||||||
|  | +mkdir -p $TESTDIR $DBDIR1 $CONFDIR
 | ||||||
|  |  cp -r $DATADIR/tls $TESTDIR | ||||||
|  |   | ||||||
|  |  cd $TESTWD | ||||||
|  | @@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
 | ||||||
|  |   | ||||||
|  |  echo "Running slapadd to build slapd database..." | ||||||
|  |  . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 | ||||||
|  | -$SLAPADD -f $CONF1 -l $LDIFORDERED
 | ||||||
|  | +$SLAPTEST -f $CONF1 -F $CONFDIR
 | ||||||
|  | +$SLAPADD -F $CONFDIR -l $LDIFORDERED
 | ||||||
|  |  RC=$? | ||||||
|  |  if test $RC != 0 ; then | ||||||
|  |  	echo "slapadd failed ($RC)!" | ||||||
|  | @@ -41,7 +45,7 @@ if test $RC != 0 ; then
 | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  |  echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." | ||||||
|  | -$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 | ||||||
|  | +$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
 | ||||||
|  |  PID=$! | ||||||
|  |  if test $WAIT != 0 ; then | ||||||
|  |      echo PID $PID | ||||||
|  | @@ -144,6 +148,79 @@ else
 | ||||||
|  |  	fi | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  | +if test $WITH_TLS = no ; then
 | ||||||
|  | +        echo "TLS support not available, skipping channe-binding test"
 | ||||||
|  | +elif test $HAVE_SASL_GSS_CBIND = no ; then
 | ||||||
|  | +        echo "SASL has no channel-binding support in GSSAPI, test skipped"
 | ||||||
|  | +else
 | ||||||
|  | +	echo "Testing SASL/GSSAPI with SASL_CBINDING..."
 | ||||||
|  | +
 | ||||||
|  | +	for acb in "none" "tls-unique" "tls-endpoint" ; do
 | ||||||
|  | +
 | ||||||
|  | +		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
 | ||||||
|  | +		$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
 | ||||||
|  | +dn: cn=config
 | ||||||
|  | +changetype: modify
 | ||||||
|  | +replace: olcSaslCBinding
 | ||||||
|  | +olcSaslCBinding: ${acb}
 | ||||||
|  | +EOF
 | ||||||
|  | +		RC=$?
 | ||||||
|  | +		if test $RC != 0 ; then
 | ||||||
|  | +			echo "ldapmodify failed ($RC)!"
 | ||||||
|  | +			kill $KDCPROC
 | ||||||
|  | +			test $KILLSERVERS != no && kill -HUP $KILLPIDS
 | ||||||
|  | +			exit $RC
 | ||||||
|  | +		fi
 | ||||||
|  | +
 | ||||||
|  | +		for icb in "none" "tls-unique" "tls-endpoint" ; do
 | ||||||
|  | +
 | ||||||
|  | +			# The gnutls implemantation of "tls-unique" seems broken
 | ||||||
|  | +			if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
 | ||||||
|  | +				if test $WITH_TLS_TYPE == gnutls  ; then
 | ||||||
|  | +					continue
 | ||||||
|  | +				fi
 | ||||||
|  | +			fi
 | ||||||
|  | +
 | ||||||
|  | +			fail="no"
 | ||||||
|  | +			if test $icb != $acb -a $acb != "none" ; then
 | ||||||
|  | +				# This currently fails in MIT, but it is planned to be
 | ||||||
|  | +				# fixed not to fail like in heimdal - avoid testing.
 | ||||||
|  | +				if test $icb = "none" ; then
 | ||||||
|  | +					continue
 | ||||||
|  | +				fi
 | ||||||
|  | +				# Otherwise unmatching bindings are expected to fail.
 | ||||||
|  | +				fail="yes"
 | ||||||
|  | +			fi
 | ||||||
|  | +
 | ||||||
|  | +			echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
 | ||||||
|  | +			echo -ne "(client: ${icb},\tserver: ${acb}): "
 | ||||||
|  | +
 | ||||||
|  | +			$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
 | ||||||
|  | +			-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
 | ||||||
|  | +			-o SASL_CBINDING=$icb > $TESTOUT 2>&1
 | ||||||
|  | +
 | ||||||
|  | +			RC=$?
 | ||||||
|  | +			if test $RC != 0 ; then
 | ||||||
|  | +				if test $fail = "no" ; then
 | ||||||
|  | +					echo "test failed ($RC)!"
 | ||||||
|  | +					kill $KDCPROC
 | ||||||
|  | +					test $KILLSERVERS != no && kill -HUP $KILLPIDS
 | ||||||
|  | +					exit $RC
 | ||||||
|  | +				fi
 | ||||||
|  | +			elif test $fail = "yes" ; then
 | ||||||
|  | +				echo "failed: command succeeded unexpectedly."
 | ||||||
|  | +				kill $KDCPROC
 | ||||||
|  | +				test $KILLSERVERS != no && kill -HUP $KILLPIDS
 | ||||||
|  | +				exit 1
 | ||||||
|  | +			fi
 | ||||||
|  | +
 | ||||||
|  | +			echo "success"
 | ||||||
|  | +			RC=0
 | ||||||
|  | +		done
 | ||||||
|  | +	done
 | ||||||
|  | +fi
 | ||||||
|  | +
 | ||||||
|  | +
 | ||||||
|  |  kill $KDCPROC | ||||||
|  |  test $KILLSERVERS != no && kill -HUP $KILLPIDS | ||||||
|  |   | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,27 @@ | |||||||
|  | From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Isaac Boukris <iboukris@gmail.com> | ||||||
|  | Date: Thu, 23 Apr 2020 22:47:32 +0200 | ||||||
|  | Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in | ||||||
|  |  LDAP_LDO_SASL_NULLARG | ||||||
|  | 
 | ||||||
|  | Reported-by: Ryan Tandy @ryan | ||||||
|  | ---
 | ||||||
|  |  libraries/libldap/ldap-int.h | 2 +- | ||||||
|  |  1 file changed, 1 insertion(+), 1 deletion(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
 | ||||||
|  | index c6c6891a9..336448115 100644
 | ||||||
|  | --- a/libraries/libldap/ldap-int.h
 | ||||||
|  | +++ b/libraries/libldap/ldap-int.h
 | ||||||
|  | @@ -301,7 +301,7 @@ struct ldapoptions {
 | ||||||
|  |  	/* SASL Security Properties */ | ||||||
|  |  	struct sasl_security_properties	ldo_sasl_secprops; | ||||||
|  |  	int ldo_sasl_cbinding; | ||||||
|  | -#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
 | ||||||
|  | +#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0
 | ||||||
|  |  #else | ||||||
|  |  #define LDAP_LDO_SASL_NULLARG | ||||||
|  |  #endif | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
| @ -0,0 +1,64 @@ | |||||||
|  | NOTE: The patch has been adjusted to match the base code before backporting. | ||||||
|  | 
 | ||||||
|  | From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org> | ||||||
|  | Date: Tue, 19 Feb 2019 10:26:39 +0000 | ||||||
|  | Subject: [PATCH] Make prototypes available where needed | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  libraries/libldap/tls2.c   | 3 +++ | ||||||
|  |  servers/slapd/config.c     | 1 + | ||||||
|  |  servers/slapd/proto-slap.h | 4 ++++ | ||||||
|  |  3 files changed, 8 insertions(+) | ||||||
|  | 
 | ||||||
|  | diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 | ||||||
|  | index 1a96b62c3..869de2eb5 100644
 | ||||||
|  | --- a/libraries/libldap/tls2.c
 | ||||||
|  | +++ b/libraries/libldap/tls2.c
 | ||||||
|  | @@ -76,6 +76,9 @@ static oid_name oids[] = {
 | ||||||
|  |   | ||||||
|  |  #ifdef HAVE_TLS | ||||||
|  |   | ||||||
|  | +LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in ));
 | ||||||
|  | +LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der ));
 | ||||||
|  | +
 | ||||||
|  |  void | ||||||
|  |  ldap_pvt_tls_ctx_free ( void *c ) | ||||||
|  |  { | ||||||
|  | diff --git a/servers/slapd/config.c b/servers/slapd/config.c
 | ||||||
|  | index 778365fd0..2816455a3 100644
 | ||||||
|  | --- a/servers/slapd/config.c
 | ||||||
|  | +++ b/servers/slapd/config.c
 | ||||||
|  | @@ -48,6 +48,7 @@
 | ||||||
|  |  #endif | ||||||
|  |  #include "lutil.h" | ||||||
|  |  #include "lutil_ldap.h" | ||||||
|  | +#include "ldif.h"
 | ||||||
|  |  #include "config.h" | ||||||
|  |   | ||||||
|  |  #ifdef _WIN32 | ||||||
|  | diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
 | ||||||
|  | index 4bfdcf930..e33e3b7d9 100644
 | ||||||
|  | --- a/servers/slapd/proto-slap.h
 | ||||||
|  | +++ b/servers/slapd/proto-slap.h
 | ||||||
|  | @@ -755,6 +755,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
 | ||||||
|  |  LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P(( | ||||||
|  |  	slap_bindconf *bc, LDAP *ld )); | ||||||
|  |  LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc )); | ||||||
|  | +LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk ));
 | ||||||
|  |  LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb )); | ||||||
|  |  LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be, | ||||||
|  |  	const char *fname, int lineno, int argc, char **argv )); | ||||||
|  | @@ -1683,6 +1684,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
 | ||||||
|  |  	slap_ssf_t ssf,	/* relative strength of external security */ | ||||||
|  |  	struct berval *authid );	/* asserted authenication id */ | ||||||
|  |   | ||||||
|  | +LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
 | ||||||
|  | +	struct berval *cbv );
 | ||||||
|  | +
 | ||||||
|  |  LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c ); | ||||||
|  |  LDAP_SLAPD_F (int) slap_sasl_close( Connection *c ); | ||||||
|  |   | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
							
								
								
									
								openldap-cbinding-Update-keys-to-RSA-4096.patch
									
									
									
									
									
							| @ -0,0 +1,526 @@ | |||||||
|  | From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001 | ||||||
|  | From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org> | ||||||
|  | Date: Tue, 30 Oct 2018 15:42:35 +0000 | ||||||
|  | Subject: [PATCH] Update keys to RSA 4096 | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  tests/data/tls/ca/certs/testsuiteCA.crt       | 133 ++++++++++++++++-- | ||||||
|  |  tests/data/tls/ca/private/testsuiteCA.key     |  64 +++++++-- | ||||||
|  |  .../tls/certs/bjensen@mailgw.example.com.crt  |  44 ++++-- | ||||||
|  |  tests/data/tls/certs/localhost.crt            |  44 ++++-- | ||||||
|  |  tests/data/tls/conf/openssl.cnf               |   2 +- | ||||||
|  |  tests/data/tls/create-crt.sh                  |   9 +- | ||||||
|  |  .../private/bjensen@mailgw.example.com.key    |  64 +++++++-- | ||||||
|  |  tests/data/tls/private/localhost.key          |  64 +++++++-- | ||||||
|  |  8 files changed, 336 insertions(+), 88 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt
 | ||||||
|  | index 7458e7461..62c88acca 100644
 | ||||||
|  | --- a/tests/data/tls/ca/certs/testsuiteCA.crt
 | ||||||
|  | +++ b/tests/data/tls/ca/certs/testsuiteCA.crt
 | ||||||
|  | @@ -1,16 +1,121 @@
 | ||||||
|  | +Certificate:
 | ||||||
|  | +    Data:
 | ||||||
|  | +        Version: 3 (0x2)
 | ||||||
|  | +        Serial Number:
 | ||||||
|  | +            0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06
 | ||||||
|  | +        Signature Algorithm: sha256WithRSAEncryption
 | ||||||
|  | +        Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
 | ||||||
|  | +        Validity
 | ||||||
|  | +            Not Before: Oct 30 15:29:02 2018 GMT
 | ||||||
|  | +            Not After : Nov 13 15:29:02 2519 GMT
 | ||||||
|  | +        Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
 | ||||||
|  | +        Subject Public Key Info:
 | ||||||
|  | +            Public Key Algorithm: rsaEncryption
 | ||||||
|  | +                RSA Public-Key: (4096 bit)
 | ||||||
|  | +                Modulus:
 | ||||||
|  | +                    00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81:
 | ||||||
|  | +                    97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24:
 | ||||||
|  | +                    62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5:
 | ||||||
|  | +                    9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6:
 | ||||||
|  | +                    66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88:
 | ||||||
|  | +                    5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af:
 | ||||||
|  | +                    59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8:
 | ||||||
|  | +                    15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75:
 | ||||||
|  | +                    f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57:
 | ||||||
|  | +                    cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9:
 | ||||||
|  | +                    65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c:
 | ||||||
|  | +                    6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4:
 | ||||||
|  | +                    64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd:
 | ||||||
|  | +                    df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3:
 | ||||||
|  | +                    61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87:
 | ||||||
|  | +                    e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af:
 | ||||||
|  | +                    aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3:
 | ||||||
|  | +                    0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7:
 | ||||||
|  | +                    d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4:
 | ||||||
|  | +                    33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d:
 | ||||||
|  | +                    fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8:
 | ||||||
|  | +                    48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85:
 | ||||||
|  | +                    26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96:
 | ||||||
|  | +                    be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39:
 | ||||||
|  | +                    a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f:
 | ||||||
|  | +                    f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84:
 | ||||||
|  | +                    66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac:
 | ||||||
|  | +                    fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a:
 | ||||||
|  | +                    27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b:
 | ||||||
|  | +                    a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66:
 | ||||||
|  | +                    e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22:
 | ||||||
|  | +                    ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82:
 | ||||||
|  | +                    76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df:
 | ||||||
|  | +                    ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32:
 | ||||||
|  | +                    4d:11:39
 | ||||||
|  | +                Exponent: 65537 (0x10001)
 | ||||||
|  | +        X509v3 extensions:
 | ||||||
|  | +            X509v3 Subject Key Identifier: 
 | ||||||
|  | +                90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
 | ||||||
|  | +            X509v3 Authority Key Identifier: 
 | ||||||
|  | +                keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
 | ||||||
|  | +
 | ||||||
|  | +            X509v3 Basic Constraints: critical
 | ||||||
|  | +                CA:TRUE
 | ||||||
|  | +    Signature Algorithm: sha256WithRSAEncryption
 | ||||||
|  | +         0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5:
 | ||||||
|  | +         37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08:
 | ||||||
|  | +         e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41:
 | ||||||
|  | +         8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6:
 | ||||||
|  | +         a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93:
 | ||||||
|  | +         d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06:
 | ||||||
|  | +         92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e:
 | ||||||
|  | +         d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a:
 | ||||||
|  | +         0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5:
 | ||||||
|  | +         bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab:
 | ||||||
|  | +         a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8:
 | ||||||
|  | +         92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76:
 | ||||||
|  | +         0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63:
 | ||||||
|  | +         a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74:
 | ||||||
|  | +         ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe:
 | ||||||
|  | +         37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee:
 | ||||||
|  | +         7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94:
 | ||||||
|  | +         4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e:
 | ||||||
|  | +         d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e:
 | ||||||
|  | +         35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83:
 | ||||||
|  | +         91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe:
 | ||||||
|  | +         cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d:
 | ||||||
|  | +         b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83:
 | ||||||
|  | +         c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07:
 | ||||||
|  | +         7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a:
 | ||||||
|  | +         7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98:
 | ||||||
|  | +         ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d:
 | ||||||
|  | +         2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c:
 | ||||||
|  | +         6f:1c:c4:a9:28:e1:3d:4d
 | ||||||
|  |  -----BEGIN CERTIFICATE----- | ||||||
|  | -MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
 | ||||||
|  | -BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv
 | ||||||
|  | -bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0
 | ||||||
|  | -NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
 | ||||||
|  | -MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB
 | ||||||
|  | -UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd
 | ||||||
|  | -rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb
 | ||||||
|  | -lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL
 | ||||||
|  | -6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU
 | ||||||
|  | -7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB
 | ||||||
|  | -SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/
 | ||||||
|  | -wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws
 | ||||||
|  | -ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q
 | ||||||
|  | -aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==
 | ||||||
|  | +MIIFjzCCA3egAwIBAgIUC0P46e7TODeS2xll2ZQXzHBF1AYwDQYJKoZIhvcNAQEL
 | ||||||
|  | +BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNPcGVuTERB
 | ||||||
|  | +UCBGb3VuZGF0aW9uMRwwGgYDVQQLDBNPcGVuTERBUCBUZXN0IFN1aXRlMCAXDTE4
 | ||||||
|  | +MTAzMDE1MjkwMloYDzI1MTkxMTEzMTUyOTAyWjBWMQswCQYDVQQGEwJVUzELMAkG
 | ||||||
|  | +A1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNVBAsM
 | ||||||
|  | +E09wZW5MREFQIFRlc3QgU3VpdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
 | ||||||
|  | +AoICAQC+4P82iWXATkbmJOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfz
 | ||||||
|  | +xZ1JzGE6MW8NpNhwV3PIxmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mf
 | ||||||
|  | +t11ycP62pN1O+dA46BUUx0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7
 | ||||||
|  | +Nd7TxHlXIEgHuWX2vXsBXJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQ
 | ||||||
|  | +Dl9nDuikvd+c+1sEbzwqNRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4Aq
 | ||||||
|  | +Lq7+r6rj59g7K6NST3MtEqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S
 | ||||||
|  | +9DOA3npHHEdXaFMq23NubfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbq
 | ||||||
|  | +rwySJAXiSRK3B48Glr4T+uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iq
 | ||||||
|  | +t/3b75i0W0m2hGbl/GALwfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm
 | ||||||
|  | +9KXcMThFC6Ftq5wFLoeMMQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8Zz
 | ||||||
|  | +I4KFgnZONors6vFTHuB30Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABo1MwUTAd
 | ||||||
|  | +BgNVHQ4EFgQUkM9RHegI1Ew0cHFr0gsAaNn9YFAwHwYDVR0jBBgwFoAUkM9RHegI
 | ||||||
|  | +1Ew0cHFr0gsAaNn9YFAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
 | ||||||
|  | +AgEAD3+gxTys3O2PVj5kieaH0MqlN7gOSaqT0+Ws/1QkkQcbnNwI5swVU76FTFFS
 | ||||||
|  | +04jQ2Me3mEBBiqd6TJaFYYyYdvajLBAxodjmp0zswymtBIvj8i1MMA2kvMiT0puI
 | ||||||
|  | +HaQl6/+f8tnFO79RkXEGkjWWXMpt1oZHYwd/NzVTaOlO0NAlQhjgAJ7K9b23lO6Z
 | ||||||
|  | +UUQ6DERA44fmzmwrP8EBbFwy1Vm1vSWjGv+FpYmc2CRL+lmZWmSrodgPwBkohB6J
 | ||||||
|  | +wqEVTg9+H7/4kt+fHNVKmECC7kEf3vclEf12Cs83QLzCLWrqSgxtsOZ1N7VjqKHF
 | ||||||
|  | +gdCEwPPgw1zEn+w7n4p0zvDM4+kVCKDqPqmOvJoBAJb+N29htSxLH13XJAn+v/R3
 | ||||||
|  | +R+TufOprZ4TuVk9fubjk23DhSrOUTd1SRQVNedR8i52bagtznvMO1dVG2rT7Supb
 | ||||||
|  | +q45CaA6WzYpuNajmG2rtqJ48zDtEVLgtuseDkXxwQAwUuCF6EqyMlkyUpu7+zHc0
 | ||||||
|  | +juPDwEQZUYUHbNjRLmmNsQ5C++YWZYbG4y+nP7SOTxyDxAquoNkX/c+iOKGfcNxc
 | ||||||
|  | +3zwHe2QB/zWMRUPo+qT2xHF4F25qf9FuZsaJMzsoSna/yikFUQeYzmNiJWF/XsaR
 | ||||||
|  | +IwITFU/9JFidLazry5rCgi9QXFoWu4y/TWYsbxzEqSjhPU0=
 | ||||||
|  |  -----END CERTIFICATE----- | ||||||
|  | diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key
 | ||||||
|  | index 2e14d7033..01a6614c1 100644
 | ||||||
|  | --- a/tests/data/tls/ca/private/testsuiteCA.key
 | ||||||
|  | +++ b/tests/data/tls/ca/private/testsuiteCA.key
 | ||||||
|  | @@ -1,16 +1,52 @@
 | ||||||
|  |  -----BEGIN PRIVATE KEY----- | ||||||
|  | -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ
 | ||||||
|  | -WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc
 | ||||||
|  | -338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/
 | ||||||
|  | -dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg
 | ||||||
|  | -O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf
 | ||||||
|  | -7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn
 | ||||||
|  | -rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f
 | ||||||
|  | -wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk
 | ||||||
|  | -AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l
 | ||||||
|  | -vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9
 | ||||||
|  | -27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X
 | ||||||
|  | -KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N
 | ||||||
|  | -I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL
 | ||||||
|  | -+b2qljWeZbGH
 | ||||||
|  | +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+4P82iWXATkbm
 | ||||||
|  | +JOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfzxZ1JzGE6MW8NpNhwV3PI
 | ||||||
|  | +xmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mft11ycP62pN1O+dA46BUU
 | ||||||
|  | +x0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7Nd7TxHlXIEgHuWX2vXsB
 | ||||||
|  | +XJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQDl9nDuikvd+c+1sEbzwq
 | ||||||
|  | +NRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4AqLq7+r6rj59g7K6NST3Mt
 | ||||||
|  | +Eqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S9DOA3npHHEdXaFMq23Nu
 | ||||||
|  | +bfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbqrwySJAXiSRK3B48Glr4T
 | ||||||
|  | ++uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iqt/3b75i0W0m2hGbl/GAL
 | ||||||
|  | +wfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm9KXcMThFC6Ftq5wFLoeM
 | ||||||
|  | +MQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8ZzI4KFgnZONors6vFTHuB3
 | ||||||
|  | +0Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABAoICAQCVkIdpnE92V9+GBfVT/G9f
 | ||||||
|  | +vuLTkoRf+SeZqXgNx9SuebNbW5HblXXZ8nmOMZIFeXfVuVZjQn+1x1CaSZs4S5ki
 | ||||||
|  | +uKkmCyEJJN3VVo3Q0XzfRemsvNrA5+oIec2oMG2wdomfY59leqmFbZTXKy3HyT2Y
 | ||||||
|  | +Uga4FcYcfo4JyD8eU6DRdJ6oJC10EGiajFchghyPoqvRcSH/q24R4Ha5om1M/zOZ
 | ||||||
|  | +/hz+SlmLU2sjXVtGuCgtCdw5Sp5Ce5VF43JaRGjMwAnazEyjHPE8kEx8ZhCBG66B
 | ||||||
|  | +DqP6UrV736T3c0/Hww0fxFrENA4mIE/vhNgwNVQ5jDxDSC9ObesTW93Lu4za+Re6
 | ||||||
|  | +pmP1eeS/oe1OcI1d/xK2IIQwzB7ZkJ0StbFLnjs7DATO7BGzhC9egC6s+z9oSgTS
 | ||||||
|  | +KvmLyoiL5U4fesVJwcCPKwwkVH9n22TuqmvB5mmvZvRTe2+OgDH55Nkfx1SoI8+Q
 | ||||||
|  | +/fwV9UXIIg5en+Kv8lOaWCZujmMsjHC79bwxPLeaePRwD/RBkT1MLW/T4fWGpAt3
 | ||||||
|  | +H89+yufH31Y/1QMxVVtR9OdxCtljiXno/bArMNZ0oE1TiCcckMzdjKh7RNfkEXRM
 | ||||||
|  | +Pga92HBTgtJ3tfWJ4qOtJ4NKJPQ7wRmR03Bug8+bGM4K5HDO08fNuag/pP3AQvrM
 | ||||||
|  | +QGbHFVho3I7/DXnmRBq/gQKCAQEA75eptBtP8PWnN9uNsQoWxvFKQBtbLfPKUcVP
 | ||||||
|  | ++LWOWF4ag2YRRf6TIzvGfIk54OGSL/srWCDKjXWJ0NgUn6yiqOkoP4oxEE1m2QDY
 | ||||||
|  | +7oCk9vJipJcrtNCKL6NhKwZDOjlDSROb/hBeMgr14Da/WkPE6zQhuwN5y4Japbjs
 | ||||||
|  | +cBYTao2uOg4QQz5Aee+ee55L6iAgMT0PnlQtv1uVW3D46e02CrQKtRmtDxqT3Nux
 | ||||||
|  | +nudJdz+rMFM0EDgVKUYRwFCa6xjI4y2K1aCwCtJG9yTJpYqCD9hehfwEije6dNNg
 | ||||||
|  | +p5RX3M9ai710Yx4F26cwX/t8AxqgF/2XBI0ZWD6x69cp7suPTQKCAQEAy/NUEgXN
 | ||||||
|  | +nymq8NK+umZwFJU7cy3weozRuEkmgmCWj4XYhbvTw6MbK+2R9XKa3ilqSd2sU2lX
 | ||||||
|  | +qE66kfAgqZMJ9RB+7nDOaLAMUuGw1DrwFZE7r3mKXgc4NgjtmGav4E3URXPHj5zb
 | ||||||
|  | +JbbN95zl96Fm3Nevs5p8sb0KexgbzHe4UzJNYFgT0l+TjJbJUAiNPsEw1bnV4cxn
 | ||||||
|  | +b1HO2CWTeGtAOJyjMRNwI+40wnk2N6An+Ddvb2mj2h30HujSZHnL94RAqa7RHDb6
 | ||||||
|  | +lU+7JX/ll5G0mFQOFQAs4UPos2bg7hS1mfYO+UVrG4OH9gXns12158WqFED+lhmJ
 | ||||||
|  | +O8WDWEVAblVrnQKCAQAB9aOVrYOB3QB5HHqUMBjvl5mb3J1qSswkzxBQYGvBnUNq
 | ||||||
|  | +P7N0dxiM+TguXJD0neOsMMmx9tKxRXzTEHFavPa3mvCRVHgCQh/NNoyPps2yl1jn
 | ||||||
|  | +L7VTzUDUEuoAiBSUrVM3jcmA0nFyx1QreUcnXdaGde6wsN6WI4LKSDDm2cde37nF
 | ||||||
|  | +D8hiRGgSlzscl7bXO1wICw/No7KcFguqq8ndX+tJOx+7S3J25SjAbauOOSYIq6Si
 | ||||||
|  | +yItsdoj1xXTvtbkOoy1BbmXsSVwnOoEKFGrxx6g4qPRc9Cq1Vq9XtULdHAF79NYw
 | ||||||
|  | +vmPtS5mQqlVi85OYEuesSo6pot3KMvkRjLjzEwchAoIBACEvrvZfy12iwhX9tNtP
 | ||||||
|  | +39z5i3rqdr76OwXpoUKFxPoFpX3dWk/zMnCrb5yo0VplEs6CK5BHC+RvKxykHix5
 | ||||||
|  | +qJ0f2geig3O1ccvqvYNLM9XOlA+xjzpNom/odADgdK3i/C9w74AG3gH9BPbNqP3q
 | ||||||
|  | +XXqB/i0Tbkbdo97zxVI4CN5AySZsLo2Ez9WIk6laOuGDPhcI7iyXvhz3CtlRA/YM
 | ||||||
|  | +PZ74nfVWXGD8WclrP889WEOjgZZ3choD1b1R1SpUR0Q3WO5Da/NTXuL83k7zyMAp
 | ||||||
|  | +DWHcC46PQL5G9o56pw8Wf5ZV24nkKdGITY9S1qjxDrBwEYTKLqLt9M6tDPpICnvp
 | ||||||
|  | +mmECggEBALfnUgpdGugn46UmQUMI1y+NZbSKhJHG+OBWdcc1j4kDZhF/Ei7g8pvk
 | ||||||
|  | +hFU5p/YA6JbGioZxiqjdrYLvgTPnJVkxy7arLTN2j2GVlhUA74BY+kNzENk2Tj9c
 | ||||||
|  | +zJSMVZn+WZrXNQhfYyA3FyW3wGN67GBXAHPQxFTdU3G4mR1WcyJCxKIyzP+2M8o9
 | ||||||
|  | +16tpb80QRnc0OLm9Izppe7JUp2hCQt+O6E8izvLE8k2ldOr5ncTNWlxTJ0yx0hEO
 | ||||||
|  | +WTFqhwOM1pEmtxas1gLr8MX0hNsaQR+kjG2f8rPmH+GEZeeAwuhoJY1PcKAOYM5Y
 | ||||||
|  | +yu/1yFXYTrmhD/P0+nJn1DfS5JljCJY=
 | ||||||
|  |  -----END PRIVATE KEY----- | ||||||
|  | diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
 | ||||||
|  | index 93e3a0d39..eb0fc693f 100644
 | ||||||
|  | --- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt
 | ||||||
|  | +++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
 | ||||||
|  | @@ -1,16 +1,32 @@
 | ||||||
|  |  -----BEGIN CERTIFICATE----- | ||||||
|  | -MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
 | ||||||
|  | -MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
 | ||||||
|  | -BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
 | ||||||
|  | -ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV
 | ||||||
|  | -BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD
 | ||||||
|  | -VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa
 | ||||||
|  | -YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
 | ||||||
|  | -MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg
 | ||||||
|  | -QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU
 | ||||||
|  | -U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL
 | ||||||
|  | -MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn
 | ||||||
|  | -wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f
 | ||||||
|  | -7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo
 | ||||||
|  | -4DnnYQBDnq48VORVX94=
 | ||||||
|  | +MIIFfDCCA2SgAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
 | ||||||
|  | +MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
 | ||||||
|  | +BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNzQwWhgPMjUxOTEx
 | ||||||
|  | +MTMxNTM3NDBaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNVBAoM
 | ||||||
|  | +E09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYDVQQD
 | ||||||
|  | +DBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYaYmpl
 | ||||||
|  | +bnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
 | ||||||
|  | +ggIKAoICAQCcHBkHcUSKG4s7nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA
 | ||||||
|  | +7qkZvMJR8ws2u8TQU/18FhH4+0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWg
 | ||||||
|  | +qPYe/K3bAtSRtF7wDxF77eb2Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38
 | ||||||
|  | +kpIB5WENCEy77QK9GEGAlMVIRXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nN
 | ||||||
|  | +LxTdLe1qbZyRgEqRKgW5WcWrW46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yIms
 | ||||||
|  | +CbzlSRLC1dfj++2mzCMxoc3xpZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvR
 | ||||||
|  | +X9uQOnXnazQvlRfsaHQjGUKyhMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzL
 | ||||||
|  | +twWkESVDU0tNg/czWLn56smV7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjI
 | ||||||
|  | +LQuEBssrV1h8WblruWRU31Mn+mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5ui
 | ||||||
|  | +cNcYTXCfa5ZpPL608f7cWuG2GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4
 | ||||||
|  | +yPXHATrCtYO1wqIyu9Yuirdg7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABow0w
 | ||||||
|  | +CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCq8VvpcoAgCK/D5yi/2puB
 | ||||||
|  | +LD7kYaVaSXxrUQBeLTmKERw3akpgW7QTGCNgM425VVaBQRPtv8YcX9OycUAylAA+
 | ||||||
|  | +7lzwdP95OJGnUOjQY4x4iRAwCPkpDCcnwc43c3WAyQb2S46aZJaWK4S0+RM3CmWH
 | ||||||
|  | +1Fzb6aODdnoBEKk0XgNrB6/teB+UWgtTSxWiY/HWiArDaZDPMAxqEK0hnB+b/sBD
 | ||||||
|  | +ZoBYnfnQXezylqbk9vkzTIbSVrv5ZZdQELOAnPuxUCFpYew1OGKcg+1twYKDHgBS
 | ||||||
|  | +s13zN03eMEnC/O4Z01dhu16vqdikdP+tJJrppjvZtJys0KIP24ltDnpA6h/3m/Cl
 | ||||||
|  | +U1eiTDgWO+SsfiL1K4gcTL1eLjnCBFfnHN5gfgAV5w5DaKzvKp7Qu8db4DtH+S4o
 | ||||||
|  | +W/MBKuaHHKWUPGksvFUiGNgE/XyDU4MK34/5ulzbrWmqb24pYAzm1MyjsdzmXObw
 | ||||||
|  | ++fzg6EDBB14cWA2hA7mSqnzkiW1pELVym6+uTaIlopSIFr8nNAimwLiY5QJNGYvd
 | ||||||
|  | +hgNNvOyUUO+nON3aHsC/rRMgar3eo7A9AkQJ6qKVvPR2h1317PJLuKaLfjbaCzNw
 | ||||||
|  | +iA3JSQjcwR2ydlSgKKN2d/XXm/G4PZ9tUcBY4Zngn0ViT0/m7MFy9qsiWG97+yaZ
 | ||||||
|  | +nYsN5WfwDZrtG24dTotxVQ==
 | ||||||
|  |  -----END CERTIFICATE----- | ||||||
|  | diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt
 | ||||||
|  | index 194cb119d..3aeae3c16 100644
 | ||||||
|  | --- a/tests/data/tls/certs/localhost.crt
 | ||||||
|  | +++ b/tests/data/tls/certs/localhost.crt
 | ||||||
|  | @@ -1,16 +1,32 @@
 | ||||||
|  |  -----BEGIN CERTIFICATE----- | ||||||
|  | -MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
 | ||||||
|  | -MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
 | ||||||
|  | -BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
 | ||||||
|  | -ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE
 | ||||||
|  | -CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT
 | ||||||
|  | -dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
 | ||||||
|  | -iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4
 | ||||||
|  | -7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv
 | ||||||
|  | -8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ
 | ||||||
|  | -BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A
 | ||||||
|  | -AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG
 | ||||||
|  | -8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl
 | ||||||
|  | -0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR
 | ||||||
|  | -GjeZB1FxqDGHjxBq2O828iejw28bSz4=
 | ||||||
|  | +MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
 | ||||||
|  | +MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
 | ||||||
|  | +BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx
 | ||||||
|  | +MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
 | ||||||
|  | +T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0
 | ||||||
|  | +ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
 | ||||||
|  | +CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA
 | ||||||
|  | +Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY
 | ||||||
|  | +VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac
 | ||||||
|  | +xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh
 | ||||||
|  | +ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm
 | ||||||
|  | +ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO
 | ||||||
|  | +hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P
 | ||||||
|  | +BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM
 | ||||||
|  | +26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn
 | ||||||
|  | +bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb
 | ||||||
|  | +Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw
 | ||||||
|  | +CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
 | ||||||
|  | +AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY
 | ||||||
|  | +t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw
 | ||||||
|  | +0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9
 | ||||||
|  | +cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6
 | ||||||
|  | +6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq
 | ||||||
|  | +9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd
 | ||||||
|  | +GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn
 | ||||||
|  | +cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO
 | ||||||
|  | +qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW
 | ||||||
|  | +LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S
 | ||||||
|  | +keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf
 | ||||||
|  | +0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ==
 | ||||||
|  |  -----END CERTIFICATE----- | ||||||
|  | diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf
 | ||||||
|  | index a3c8ad9f6..632cff11c 100644
 | ||||||
|  | --- a/tests/data/tls/conf/openssl.cnf
 | ||||||
|  | +++ b/tests/data/tls/conf/openssl.cnf
 | ||||||
|  | @@ -51,7 +51,7 @@ commonName              = supplied
 | ||||||
|  |  emailAddress            = optional | ||||||
|  |   | ||||||
|  |  [ req ] | ||||||
|  | -default_bits            = 2048
 | ||||||
|  | +default_bits            = @KEY_BITS@
 | ||||||
|  |  default_keyfile         = privkey.pem | ||||||
|  |  distinguished_name      = req_distinguished_name | ||||||
|  |  attributes              = req_attributes | ||||||
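Review bot: `default_bits = @KEY_BITS@` turns conf/openssl.cnf into a template that is no longer a loadable OpenSSL config until create-crt.sh has passed it through sed, and nothing on the line says so. Both `openssl req` invocations visible in this patch pass `-newkey $KEY_TYPE` explicitly, so `default_bits` is only consulted by an invocation that omits `-newkey`; the CA key generation is not in view here, so I cannot tell whether such an invocation exists. I would add a comment above the line: `# @KEY_BITS@ is substituted by create-crt.sh (KEY_BITS); do not load this file directly`. If no invocation actually relies on `default_bits`, leaving `default_bits = 2048` and dropping the placeholder is one fewer value to keep in sync with KEY_TYPE.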
|  | diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
 | ||||||
|  | index 8c33a24fe..739f8eaf1 100755
 | ||||||
|  | --- a/tests/data/tls/create-crt.sh
 | ||||||
|  | +++ b/tests/data/tls/create-crt.sh
 | ||||||
|  | @@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then
 | ||||||
|  |  echo "OpenSSL command line binary not found, skipping..." | ||||||
|  |  fi | ||||||
|  |   | ||||||
|  | +KEY_BITS=4096
 | ||||||
|  | +KEY_TYPE=rsa:$KEY_BITS
 | ||||||
|  | +
 | ||||||
|  |  USAGE="$0 [-s] [-u <user@domain.com>]" | ||||||
|  |  SERVER=0 | ||||||
|  |  USER=0 | ||||||
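Review bot: `KEY_BITS=4096` is a bare constant with no comment on why the fixture keys grow from 1024 to 4096 bits; 1024-bit RSA is rejected at the default security level of current TLS libraries, which is presumably what this patch addresses, and that reason belongs next to the value. I would make it overridable and document it: `KEY_BITS=${KEY_BITS:-4096}` preceded by `# 1024-bit RSA is rejected by modern TLS stacks; 4096 keeps the fixtures usable for years. Override KEY_BITS=2048 for faster regeneration.` Separately, the context above shows `echo "... skipping..."` followed directly by `fi` with no exit, so when `$openssl` is empty the script still continues into the `$openssl req` calls below with an empty command; that predates this change, but an `exit 0` after the echo would make the "skipping" message true.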
|  | @@ -45,13 +48,13 @@ echo "00" > cruft/serial
 | ||||||
|  |  touch cruft/index.txt | ||||||
|  |  touch cruft/index.txt.attr | ||||||
|  |  hn=$(hostname -f) | ||||||
|  | -sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf >  ./openssl.cnf
 | ||||||
|  | +sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf >  ./openssl.cnf
 | ||||||
|  |   | ||||||
|  |  if [ $SERVER = 1 ]; then | ||||||
|  |  	rm -rf private/localhost.key certs/localhost.crt | ||||||
|  |   | ||||||
|  |  	$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \ | ||||||
|  | -		-newkey rsa:1024 -config ./openssl.cnf \
 | ||||||
|  | +		-newkey $KEY_TYPE -config ./openssl.cnf \
 | ||||||
|  |  		-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \ | ||||||
|  |  		-batch > /dev/null 2>&1 | ||||||
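Review bot: The new `-newkey $KEY_TYPE` request still runs under `> /dev/null 2>&1` with its exit status unchecked, so a failed 4096-bit key generation (empty `$openssl`, an openssl.cnf whose @KEY_BITS@ was not substituted, or any other error) silently produces no localhost.csr and the signing step after the hunk operates on nothing. I would fail fast: wrap the command as `if ! $openssl req ... -batch > /dev/null 2>&1; then echo "localhost key/CSR generation failed" >&2; exit 1; fi`. The `sed` line also interpolates `$KEY_BITS` unquoted into a `;`-delimited expression, which is fine for a literal number but would silently produce `default_bits =` if the variable were ever empty; `-e "s;@KEY_BITS@;${KEY_BITS:?};"` makes the non-empty requirement explicit. The server branch continues beyond the end of this hunk.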
|  |   | ||||||
|  | @@ -66,7 +69,7 @@ if [ $USER = 1 ]; then
 | ||||||
|  |  	rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr | ||||||
|  |   | ||||||
|  |  	$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \ | ||||||
|  | -		-newkey rsa:1024 -config ./openssl.cnf \
 | ||||||
|  | +		-newkey $KEY_TYPE -config ./openssl.cnf \
 | ||||||
|  |  		-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \ | ||||||
|  |  		-batch >/dev/null 2>&1 | ||||||
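Review bot: The user-cert branch writes an unencrypted 4096-bit private key (`-nodes`) to `private/$EMAIL.key` with whatever umask the caller has, and nothing in the visible script tightens the mode; for committed test fixtures that may be acceptable, but the script is invoked by hand with `-u`, so a `umask 077` before the `$openssl req` calls (or `chmod 600 private/$EMAIL.key` after it) would keep a freshly generated key from being world-readable. `$EMAIL` from `-u` also flows unvalidated into both the output path and the `-subj` DN, so a value containing `/` or `..` changes the DN or the file location; that predates this change, but a check such as `case $EMAIL in */*|*..*) echo "bad address" >&2; exit 1;; esac` where the option is parsed would close it. As with the server branch, the exit status of this `$openssl req` is not checked. The enclosing `if [ $USER = 1 ]` block continues past the end of the hunk.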
|  |   | ||||||
|  | diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key
 | ||||||
|  | index 5f4625fd7..e30e11586 100644
 | ||||||
|  | --- a/tests/data/tls/private/bjensen@mailgw.example.com.key
 | ||||||
|  | +++ b/tests/data/tls/private/bjensen@mailgw.example.com.key
 | ||||||
|  | @@ -1,16 +1,52 @@
 | ||||||
|  |  -----BEGIN PRIVATE KEY----- | ||||||
|  | -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2
 | ||||||
|  | -xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4
 | ||||||
|  | -9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z
 | ||||||
|  | -yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r
 | ||||||
|  | -oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e
 | ||||||
|  | -nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg
 | ||||||
|  | -xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra
 | ||||||
|  | -EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd
 | ||||||
|  | -9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/
 | ||||||
|  | -pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI
 | ||||||
|  | -tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ
 | ||||||
|  | -3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D
 | ||||||
|  | -tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg
 | ||||||
|  | -36Ixj3L+5H18
 | ||||||
|  | +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCcHBkHcUSKG4s7
 | ||||||
|  | +nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA7qkZvMJR8ws2u8TQU/18FhH4
 | ||||||
|  | ++0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWgqPYe/K3bAtSRtF7wDxF77eb2
 | ||||||
|  | +Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38kpIB5WENCEy77QK9GEGAlMVI
 | ||||||
|  | +RXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nNLxTdLe1qbZyRgEqRKgW5WcWr
 | ||||||
|  | +W46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yImsCbzlSRLC1dfj++2mzCMxoc3x
 | ||||||
|  | +pZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvRX9uQOnXnazQvlRfsaHQjGUKy
 | ||||||
|  | +hMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzLtwWkESVDU0tNg/czWLn56smV
 | ||||||
|  | +7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjILQuEBssrV1h8WblruWRU31Mn
 | ||||||
|  | ++mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5uicNcYTXCfa5ZpPL608f7cWuG2
 | ||||||
|  | +GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4yPXHATrCtYO1wqIyu9Yuirdg
 | ||||||
|  | +7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABAoICAQCWY/s40EXXRvG7XBGKe1Sn
 | ||||||
|  | +MZGGllyduVVQMFzJIkOsnkDKKuTY+dZlP4Zo5Q/PIvWKpRnWGRP6lsh5tJkukiHd
 | ||||||
|  | +jk4VvJk4AzS7mNhkRyYy3ZW3ulB5NpsXS67P610RwIhIVhuf6ORPH8GBW9lRxwoL
 | ||||||
|  | +1v4WpGjbywHkKQvR0Sp7lVGULuwnM0dSK2G9sdztUTGbWZlp0hRIawojtcrRt2ft
 | ||||||
|  | +Liyy4hooWMmAFS3wu1y3fHSNn5kEFpfis5jF+5jdDvvmsFElx/X7uiBUFMAV2vry
 | ||||||
|  | +wu2mceibiGjnq7Nn6I7fhgKzGnkgzzDSLA9uVBde2+RAHlO0fLTq+5YLVhe0pNBM
 | ||||||
|  | +J1Y0soNaO3XfVV6Vnyz8X+ruHItW2OBF9AYhIlXq/6d3MMX51BEM6odEtsi8zFgo
 | ||||||
|  | +ENN0GAXoyoofg+IvzPiVU2Ud7s4pAlK473d7sAQEeiFWaj7iwueAgofSUFRz7E/H
 | ||||||
|  | +umdhytKiJXqcjJ9O2k4sBsmQoPIB++LlUPRIlZY9UvTFxLbd/ifFUv5fqa6z0IX6
 | ||||||
|  | +wkIzXmRHhG+ETk1IZBJAAho7iyyYOTP+JnnToUAMWoUaZUO2bzaZfQha8Z3KVtG/
 | ||||||
|  | +PJUfHClBXqvFNaAUvA9Df3JoJddJ4pO1g0QjS/dp4C2KwNkH4oqMJctvCersoPWu
 | ||||||
|  | +5DYiWY6KR4GjokJ1lBeWAQKCAQEAzSKa+m2C4ANNCJB9tcKYDbYIdibCpzO+k1Fb
 | ||||||
|  | +gZUtNi9dEE0Po8rMG0jthm+GKJjNjiG5idSUMo+WNEGBPkELueex81AlEpOqQ6/9
 | ||||||
|  | +67cyjAsF/FvgkWOpKJnGOySF/TpK4kPGYyS3ICvs1KNE5HEywHyC4C/MD8N9Z5tX
 | ||||||
|  | +/DfW6sBM/wPipE9YDpKfAg3fDG9YJN/gJZ8TlZVqzzw75rKGcMeLc8f0mbMo+KWQ
 | ||||||
|  | +VKV4vrgz1eiVrHc5VeGUaXe1Yei5El671wAdtFdmm51A2fWd80fPlQdqfAwpX7x4
 | ||||||
|  | +FWuo9z2QX70rM/NTWfk4nQ6ZFEHxtm++OiTfh7RwauI8fxye6QKCAQEAwtF/tOth
 | ||||||
|  | +UgHrohB2DCE9gA0rxkynJHK9/SXSd0KBjERO2i41iuC9YlJT/NpNz9fM7l+L02aP
 | ||||||
|  | +wWLMqyC7moNmIpJMY2xBGU0EowQ/3xsSNo3u/fvOS4MyGLKENUPMFgO0J7yopiqt
 | ||||||
|  | +Ea31TcrFSTMSmFZCv8cGt38EwS6sdJZd/RB+h3yxesit8pouwpfbtLPx6LSGkPHY
 | ||||||
|  | +5nNVPgbt6xaxZJ/1kNbLFObSoZ3lzWBwp93dQh/WqeeeI51LGdM1G6fTL8HrmGFJ
 | ||||||
|  | +EX0AKpexFVnG/GROJc8taWtMbk9W5oK30JqR7hpSaluYbonpr9k4WQA+EAZjXfcJ
 | ||||||
|  | +0V0AMsMUhGtvFwKCAQAQZf7LnCuFKt5im+JgwFCVcALXJxwSb7GBZ1SQVFOL7Fdd
 | ||||||
|  | +MTvZ1SFh4P+T6qBn6GcuQIXrfcHnFNFmFgJ17o84akwwbiy4gnNu+8epqzhwN4Vf
 | ||||||
|  | ++hxGoxfntftByRao+pr34YEfddTpznkdOnwMYvwypQF1WHzQmckRmjp7YB9fHsZI
 | ||||||
|  | +8I+SoQEiERiC+oblIJWERR1PBJt1Lr+eF2uWcpkKtPjx5X8pNkhFMD8MdTnkzSbf
 | ||||||
|  | +p7snUVSVB/ZsQ/SNAiShUk9jzY+SVhZOxFBl3BunUgtHF5OsnPBFxfQ3iia0tQgw
 | ||||||
|  | +jxfADGiSXbjn3T3hf7AJ7H7heQchewwtjy5U3v3ZAoIBAQCEAyRPe0SKJoT+X7su
 | ||||||
|  | +QwQClmo4SE7mUt5NAOkaKTXRz6PDEpbzkZCjZHhHGcKqeWgDizkbuh7lg0Z/G4Ik
 | ||||||
|  | +lK+L86jRolSGiXr/3+xMCXMRBqKQ9qV24+L5e1Y9JcDQlhfo6V06pCZ8mW1lFmcT
 | ||||||
|  | +UAlksucuPvZdNzQIl9ECe7YauqeStbsqIXxFrZbMA808KMde0Z1x8H/ywOpdSqLD
 | ||||||
|  | +r6/rKL1lNTeN5U+Ldox228fa6Gt62EpE/Y9aQMbYLBeLsvBXJ0e3DQ1PTW3kbr/v
 | ||||||
|  | +YNOGyY1u73GtQqkbAqY3MxLNxz/loW6BZanoFYoFv+L/5Dsp7ro8vR6pASUWQLzR
 | ||||||
|  | +cl9nAoIBAQCre87G76UXv6FIggT+cKM9MKS69KIE3mzNTYUo90L74vF65hJqlaIa
 | ||||||
|  | +mfEcPpEU+UY+ufZSIHtTDBj/9Rswaf5whJY7RfL42pSGnW2YOMpuwDIKAEvcJedu
 | ||||||
|  | +kZhbthBin4pa28X6L5sNxug+7Wykgesd48PmMLG4pTF+D9u7SgO37Ew5UzylPWNi
 | ||||||
|  | +Lrv9TlX1vv9rNFh/hOCA93DNrJlNNPltIcMDByVVjrq31QmxMJwE7cdvl1V7eoiO
 | ||||||
|  | +NQuGuGyFIEKPtl9dEUaA4SGYZ7fUqPZaZuzzM0Xa5UMpdcIzcuYYNn3G6FvV6vwU
 | ||||||
|  | +dH+lv5X1bTB18GK88ANpC2qLCKRJPCTx
 | ||||||
|  |  -----END PRIVATE KEY----- | ||||||
|  | diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key
 | ||||||
|  | index 8a24f69f8..99cb512c4 100644
 | ||||||
|  | --- a/tests/data/tls/private/localhost.key
 | ||||||
|  | +++ b/tests/data/tls/private/localhost.key
 | ||||||
|  | @@ -1,16 +1,52 @@
 | ||||||
|  |  -----BEGIN PRIVATE KEY----- | ||||||
|  | -MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg
 | ||||||
|  | -ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM
 | ||||||
|  | -w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM
 | ||||||
|  | -brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij
 | ||||||
|  | -Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf
 | ||||||
|  | -2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ
 | ||||||
|  | -bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q
 | ||||||
|  | -1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf
 | ||||||
|  | -3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U
 | ||||||
|  | -VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7
 | ||||||
|  | -TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b
 | ||||||
|  | -iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP
 | ||||||
|  | -5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3
 | ||||||
|  | -b61hkjQZfbEg5cg=
 | ||||||
|  | +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpR3z26BqHahZj
 | ||||||
|  | +TSrWD4zo2SmW57DC8ari2Qxq7WCr5DkGK/rVu5uB1IBn5mSTF7dLHRm/uLnCV0g3
 | ||||||
|  | +jBeoQOUyDaqF/MoNI0pSh9zTPsUsxvQKfjpaqVyJQJhV60eEGCEZ37p/E47P7H3w
 | ||||||
|  | +WGKICJ/4B2JRYFMoUWiFZej/1qIaCbS54mPY1LcTJpzE4qhNwN31Myw4nZ8wfYyW
 | ||||||
|  | +q4CsuhsK+6mE6tVuoGh56iXZLMUMM5byvI8PMUbLnGFkeSb/ewYigOkOQNHTKG8H
 | ||||||
|  | +Ofjup0sjmbJzoWP3qztLbGCqKoZclbQPQUJ+lRBfF+ZqHP8l3CX6GqzkSD9oD4sT
 | ||||||
|  | +/uWZLuzOjfPAlDncCl1xq6keLh9TrTA9Wt2jb3AvAM6EO5L45zWizVTIm3RPRr7M
 | ||||||
|  | +Hg8g/avGJ/LEjWJaZkW3u0nIu/WTvIw3sIsJbOxLLk8FmkaYdX1Zu9vrrQ3o3OUU
 | ||||||
|  | +MyqeMlYMCvUEuhXjLCamJY+HL/sm0pcV7VXeNPky8Yzbog4L7MLDBlXIQggBJ5Z6
 | ||||||
|  | +lkO62jTQuqjuM4pKUtGa6FNfUQsrzFhfplT9/PQXBidsu7psjiZEZ9snXZ9ZiblA
 | ||||||
|  | +yN7ZAC6+d1+Lvn0dR64uXpOCZ5AWCoUD/oqTCjPQ1xsppqP4HK8td8jhLeW+TBPb
 | ||||||
|  | +qc4C33rp9vVux2Rvw/nY12Sp5IyTlwIDAQABAoICADh1+wLvjmwz+xMxvCpvPRWm
 | ||||||
|  | +afCCR0AHqeqZye2fYoR4Cm05+837SFoWCrYbB0CqvsxJUNAcb6lf4rS/DYLFojOJ
 | ||||||
|  | +JzqiwmyHnBd5lrLyQFrkFHDtuEX1M9ZscfJprbeE944BnmvfWfNtM9YWLlLqc31e
 | ||||||
|  | +nCdB/x6FBZ0z2z8Avd87dih/aNc0NNNHxy3IBiA7i/0q04soaz0bRgm5nL0xlhYE
 | ||||||
|  | +bzUieWH7JQ5M47g6o76eReyeQqnUrWPeh5v/zraLGiMDvGScv6wx3x2KpHtutjr5
 | ||||||
|  | +mj1uVHm/UeyhYIwPGtIR0bDXhLaKcZnyeOw59G8/Z1mvVyUxb1dKW8kNKpj2yI2H
 | ||||||
|  | +Y1SjhW5qaOeaDPxAPqVyo6SUQIzOn6SD0l7aGyOyvYULjiw342HQYU4rQeSPOtjt
 | ||||||
|  | ++NYMirnT7WNnmoSIsXx7nwUe38EWx5gCHy8taF4aZr5K85yZKnmsiX3vX/hH30yc
 | ||||||
|  | +GLOnDDa3b0FE2J2eYos14ru8RTqSLSxclr5Ru2yTdwLgE0gg+iygO1/tYYkqxZ09
 | ||||||
|  | +j+METJpg4wv+cQUG/BxysISqNjaPSPHdyJeTMzC8B+PUUpbRoBuvLLokkZ9P95nG
 | ||||||
|  | +72TFklEOB0m0VMxrEfev0HGSzkQm92s2Bf41TRaHTPSkg+G1s0haZTNqRVTGPrr/
 | ||||||
|  | +eyiz0qH2bgDeubJ3VuTBAoIBAQD9N+KeKo+hRWeV/I6BCBOfMeQOqlqIxYfYAxU+
 | ||||||
|  | +CuutILbTnGKFMTAx43syh/a5EV7q4yM81RCXKK/Lmja2OIeYJUb88bC/h0x/gq5W
 | ||||||
|  | +LLxHbKgFDUDF2VcWShMqDOo8J8FbzWwb9bOOShqASoR6FacJuOqlFvS8gaswZtiW
 | ||||||
|  | +fOvlWRKO2ybULgQctX5gOf1ctuab1VrzuHnNB30gVFc95Dg1b6RiyVAa8AFm6gs9
 | ||||||
|  | +6Rewk527+4T5Ho5UXvdsTVJsAhzJgVjPSyF2Vc1CRrp8lIffsg5Prb4w8kvB0i64
 | ||||||
|  | +09zn+jAfVRpjdGWqMI7BR1pCdheGMqv006ZVYY+QhcBIb0BHAoIBAQDr14d5PPDv
 | ||||||
|  | +pCjlJnCKNzX2irU6bdIY+zvXoemj/cYvHqQbPOe/kaCWFNPMxANKMmZSTdSM7qqR
 | ||||||
|  | +s0P1RW/R7moWNSesYwW+2Jp2hIhiWmy+E+ksXeTlFwVpuMHSDPS/N61N8XgmT3pI
 | ||||||
|  | +Qngl1hgxGbttniKEwI+Nc7Z3FYDDCp206nmC5y33D+ZYHv1L3e33pyqHdHD/uIeU
 | ||||||
|  | +57OPr7Mmd/J6pmClh1dqyZwVBClc2V6w0y2G8Lk1v79wOMrn+4/p9KH2BgkFe2gr
 | ||||||
|  | +uB8TOLlUhttQ8VfzXCd+Zi9s3oW0h7Vkvt4kDlJm0MrnMmK0aqgKB+7XkKE0ccVQ
 | ||||||
|  | +xSodzbBdDYoxAoIBAH2qGmD8JkOWug2JRP9sDrDWhaNxj3SI8x2Uiho8OTG2JoVl
 | ||||||
|  | ++s621oArsJwnNZ4qrLxM9NPfuVgK7RNR+Qz9iO1MsqodF+Y1MxWkuPgzQ0z+83Nu
 | ||||||
|  | +XFLTxZBeOpyHxEcOQ7tXeut1SCK5S+WXFZ+w1zDQAELl3ZcfkuF2aM5mOHuddMRI
 | ||||||
|  | +pkBuhcPpnkoK/V3htxhnDbgeOPQzXzmIIbOpauu5+A6+cW6s5UU5qVKUNxl+aK09
 | ||||||
|  | +6YPoUiI07v1kch7//WFTO8vEMVsUwcS+bRYecD/nkYqhYt3PoSETOfSnz92gH/ms
 | ||||||
|  | +tmfdAAcyCeaJjpWlHY+P3h6mWsnMnP7QIdjQvUkCggEAGFkiBWRDQ5phFndHex2E
 | ||||||
|  | +FrXvS972p9mYLgTrSCD1CvxQ2PcKvf5c4+G2lBdQd6KIacrbPMmPFoe5ZmMKzlOc
 | ||||||
|  | +5DoMpIF8oF1gZQf9xJmtTFpl4ky3Sud7iZSnffYUdoFbBQb+7oWaDEfAe7eEu9z6
 | ||||||
|  | +OrDuw2HV8DaYCedQadJ4warLbLZNSop7r3FTmTeKT90USPO+jsgQR1E8eoMbLceI
 | ||||||
|  | +Yx02MSCt57p0wL6zPoC6g+rpclr75A6txvo2CIkyLGczKWEqIUTCVnEl1CgxCgb6
 | ||||||
|  | +MXsZJ2jGMwh9sPGwQBkaoxIJgRNxcmfv6rqK8jFos9Bp2ht2aSGty07vsDACGzlA
 | ||||||
|  | +oQKCAQEA8PzgkyGYHs2DwNhmv3j5ZFaP0RukwbdChSoxmbC9JP2JJxxYcnww5jYH
 | ||||||
|  | +xeM1bahqkdKyG5iDRiYB74EolZUMA3Zny13R4HWxNe4aUZW1H8mdmhllXX90aUOU
 | ||||||
|  | +WEvF2yYZbg9CQIq7zQh8HsF/S8sDTsXoZOx30zrPgb44spWKRmxdwUJt944weXvc
 | ||||||
|  | +p5XkLvVzBVJ+RD5IgPTBFl1iCkw3eq01CFcbTdfe9cS8V9IgDy0Jq2GvRE3Y2JS6
 | ||||||
|  | +xqtBB1MgZvrUoAZ8jPacRRXddg87Hwgs9+R1jaE+ZYixojOFg+JnQOGkUd9FhJAW
 | ||||||
|  | +bcnWV4XIPIMbouL4132Ove+GukJlPA==
 | ||||||
|  |  -----END PRIVATE KEY----- | ||||||
|  | -- 
 | ||||||
|  | 2.26.2 | ||||||
|  | 
 | ||||||
							
								
								
									
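--- a/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
+++ b/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
@@ -0,0 +1,487 @@
+From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Apr 2020 16:19:05 +0300
+Subject: [PATCH] auth: add SASL/GSSAPI tests
+
+---
+ tests/data/krb5.conf              |  32 ++++++
+ tests/data/slapd-sasl-gssapi.conf |  65 ++++++++++++
+ tests/scripts/conf.sh             |   3 +
+ tests/scripts/defines.sh          |   5 +
+ tests/scripts/setup_kdc.sh        | 144 +++++++++++++++++++++++++++
+ tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++
+ 6 files changed, 408 insertions(+)
+ create mode 100644 tests/data/krb5.conf
+ create mode 100644 tests/data/slapd-sasl-gssapi.conf
+ create mode 100755 tests/scripts/setup_kdc.sh
+ create mode 100755 tests/scripts/test077-sasl-gssapi
+
+diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
+new file mode 100644
+index 000000000..739113742
+--- /dev/null
++++ b/tests/data/krb5.conf
+@@ -0,0 +1,32 @@
++[libdefaults]
++  default_realm = @KRB5REALM@
++  dns_lookup_realm = false
++  dns_lookup_kdc = false
++  default_ccache_name = FILE://@TESTDIR@/ccache
++  #udp_preference_limit = 1
++[realms]
++ @KRB5REALM@ = {
++  kdc = @KDCHOST@:@KDCPORT@
++  acl_file = @TESTDIR@/kadm.acl
++  database_name = @TESTDIR@/kdc.db
++  key_stash_file = @TESTDIR@/kdc.stash
++ }
++[kdcdefaults]
++  kdc_ports = @KDCPORT@
++  kdc_tcp_ports = @KDCPORT@
++[logging]
++  kdc = FILE:@TESTDIR@/kdc.log
++  admin_server = FILE:@TESTDIR@/kadm.log
++  default = FILE:@TESTDIR@/krb5.log
++
++#Heimdal
++[kdc]
++ database = {
++  dbname = @TESTDIR@/kdc.db
++  realm = @KRB5REALM@
++  mkey_file = @TESTDIR@/kdc.stash
++  log_file = @TESTDIR@/kdc.log
++  acl_file = @TESTDIR@/kadm.acl
++ }
++[hdb]
++  db-dir = @TESTDIR@
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+new file mode 100644
+index 000000000..611fc7097
+--- /dev/null
++++ b/tests/data/slapd-sasl-gssapi.conf
+@@ -0,0 +1,65 @@
++# stand-alone slapd config -- for testing (with indexing)
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++#
++include		@SCHEMADIR@/core.schema
++include		@SCHEMADIR@/cosine.schema
++#
++include		@SCHEMADIR@/corba.schema
++include		@SCHEMADIR@/java.schema
++include		@SCHEMADIR@/inetorgperson.schema
++include		@SCHEMADIR@/misc.schema
++include		@SCHEMADIR@/nis.schema
++include		@SCHEMADIR@/openldap.schema
++#
++include		@SCHEMADIR@/duaconf.schema
++include		@SCHEMADIR@/dyngroup.schema
++
++#
++pidfile		@TESTDIR@/slapd.1.pid
++argsfile	@TESTDIR@/slapd.1.args
++
++# SSL configuration
++TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
++
++#
++rootdse 	@DATADIR@/rootdse.ldif
++
++#mod#modulepath	../servers/slapd/back-@BACKEND@/
++#mod#moduleload	back_@BACKEND@.la
++#monitormod#modulepath ../servers/slapd/back-monitor/
++#monitormod#moduleload back_monitor.la
++
++
++#######################################################################
++# database definitions
++#######################################################################
++
++database	@BACKEND@
++suffix          "dc=example,dc=com"
++rootdn          "cn=Manager,dc=example,dc=com"
++rootpw          secret
++#~null~#directory	@TESTDIR@/db.1.a
++#indexdb#index		objectClass eq
++#indexdb#index		mail eq
++#ndb#dbname db_1_a
++#ndb#include @DATADIR@/ndb.conf
++
++#monitor#database	monitor
++
++sasl-realm	@KRB5REALM@
++sasl-host	localhost
+diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
+index b0393865d..c9e1a4b0a 100755
+--- a/tests/scripts/conf.sh
++++ b/tests/scripts/conf.sh
+@@ -99,4 +99,7 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
+ 	-e "s;@TESTWD@;${TESTWD};"			\
+ 	-e "s;@DATADIR@;${DATADIR};"			\
+ 	-e "s;@SCHEMADIR@;${SCHEMADIR};"		\
++	-e "s;@KRB5REALM@;${KRB5REALM};"		\
++	-e "s;@KDCHOST@;${KDCHOST};"			\
++	-e "s;@KDCPORT@;${KDCPORT};"			\
+ 	-e "/^#/d"
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 1d6c2b3f1..ccb2e5b41 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -114,6 +114,7 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
+ SCHEMACONF=$DATADIR/slapd-schema.conf
+ TLSCONF=$DATADIR/slapd-tls.conf
+ TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
++SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
+ GLUECONF=$DATADIR/slapd-glue.conf
+ REFINTCONF=$DATADIR/slapd-refint.conf
+ RETCODECONF=$DATADIR/slapd-retcode.conf
+@@ -223,6 +224,7 @@ PORT3=`expr $BASEPORT + 3`
+ PORT4=`expr $BASEPORT + 4`
+ PORT5=`expr $BASEPORT + 5`
+ PORT6=`expr $BASEPORT + 6`
++KDCPORT=`expr $BASEPORT + 7`
+ URI1="ldap://${LOCALHOST}:$PORT1/"
+ URIP1="ldap://${LOCALIP}:$PORT1/"
+ URI2="ldap://${LOCALHOST}:$PORT2/"
+@@ -248,6 +250,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
+ SURI6="ldaps://${LOCALHOST}:$PORT6/"
+ SURIP6="ldaps://${LOCALIP}:$PORT6/"
+ 
++KRB5REALM="K5.REALM"
++KDCHOST=$LOCALHOST
++
+ # LDIF
+ LDIF=$DATADIR/test.ldif
+ LDIFADD1=$DATADIR/do_add.1
+diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
+new file mode 100755
+index 000000000..1cb784075
+--- /dev/null
++++ b/tests/scripts/setup_kdc.sh
+@@ -0,0 +1,144 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++export KRB5_TRACE=$TESTDIR/k5_trace
++export KRB5_CONFIG=$TESTDIR/krb5.conf
++export KRB5_KDC_PROFILE=$KRB5_CONFIG
++export KRB5_KTNAME=$TESTDIR/server.kt
++export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt
++export KRB5CCNAME=$TESTDIR/client.ccache
++
++KDCLOG=$TESTDIR/setup_kdc.log
++KSERVICE=ldap/$LOCALHOST
++KUSER=kuser
++
++. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG
++
++PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin
++
++echo "Trying Heimdal KDC..."
++
++kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1
++RC=$?
++if test $RC = 0 ; then
++
++	kstash --random-key > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kstash failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h"
++	kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin init failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 &
++else
++	echo "Trying MIT KDC..."
++
++	kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kdb5_util create failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: admin addprinc failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin addprinc failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	krb5kdc -n > $KDCLOG 2>&1 &
++fi
++
++KDCPROC=$!
++sleep 1
++
++kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++RC=$?
++if test $RC != 0 ; then
++	kill $KDCPROC
++	echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests"
++	exit 0
++fi
++
++pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++RC=$?
++if test $RC != 0 ; then
++
++	saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++	RC=$?
++	if test $RC != 0 ; then
++		kill $KDCPROC
++		echo "cyrus-sasl has no GSSAPI support, test skipped"
++		exit 0
++	fi
++fi
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+new file mode 100755
+index 000000000..64abe16fe
+--- /dev/null
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -0,0 +1,159 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_SASL = no ; then
++        echo "SASL support not available, test skipped"
++        exit 0
++fi
++
++mkdir -p $TESTDIR $DBDIR1
++cp -r $DATADIR/tls $TESTDIR
++
++cd $TESTWD
++
++
++echo "Starting KDC for SASL/GSSAPI tests..."
++. $SRCDIR/scripts/setup_kdc.sh
++
++echo "Running slapadd to build slapd database..."
++. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
++$SLAPADD -f $CONF1 -l $LDIFORDERED
++RC=$?
++if test $RC != 0 ; then
++	echo "slapadd failed ($RC)!"
++	kill $KDCPROC
++	exit $RC
++fi
++
++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++    echo PID $PID
++    read foo
++fi
++KILLPIDS="$PID"
++
++sleep 1
++
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "" -H $URI1 \
++		'objectclass=*' > /dev/null 2>&1
++        RC=$?
++        if test $RC = 0 ; then
++                break
++        fi
++        echo "Waiting 5 seconds for slapd to start..."
++        sleep 5
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++grep GSSAPI $TESTOUT
++RC=$?
++if test $RC != 0 ; then
++	echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo -n "Using ldapwhoami with SASL/GSSAPI: "
++$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapwhoami failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++else
++	echo "success"
++fi
++
++echo -n "Validating mapped SASL/GSSAPI ID: "
++echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
++$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
++RC=$?
++if test $RC != 0 ; then
++	echo "Comparison failed"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++else
++	echo "success"
++fi
++
++if test $WITH_TLS = no ; then
++        echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
++else
++	echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
++	$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
++		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++		> $TESTOUT 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		kill $KDCPROC
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	else
++		echo "success"
++	fi
++
++	echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
++	$LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow	\
++		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++		> $TESTOUT 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		kill $KDCPROC
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	else
++		echo "success"
++	fi
++fi
++
++kill $KDCPROC
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++if test $RC != 0 ; then
++	echo ">>>>> Test failed"
++else
++	echo ">>>>> Test succeeded"
++	RC=0
++fi
++
++test $KILLSERVERS != no && wait
++
++exit $RC
+-- 
+2.26.2
+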
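Review bot: In setup_kdc.sh every KDC step redirects with `> $KDCLOG 2>&1`, so each command truncates the output of the previous one and on a "skipping GSSAPI tests" exit only the last command's output survives for diagnosis; appending with `>> $KDCLOG 2>&1` after one initial truncation would keep the whole setup trail. The script is sourced from test077-sasl-gssapi via `. $SRCDIR/scripts/setup_kdc.sh`, which makes its `exit 0` paths end the test (the intended skip) but also lets its `export` lines and the `PATH=` change leak into the test environment, so a header comment stating that it must be sourced and that it expects $TESTDIR, $LOCALHOST, $LOCALIP, $KDCPORT and $KRB5REALM from defines.sh would help. The MIT branch's `kdb5_util create -r $KRB5REALM -s -P password` fixes the master-key password for the throwaway test realm; a one-line comment saying that this realm is test-only and discarded with $TESTDIR would make that explicit. In test077 the failure paths repeat `kill $KDCPROC`, `test $KILLSERVERS != no && kill -HUP $KILLPIDS`, `exit $RC` six times; folding them into one cleanup function would stop the copies drifting apart.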
							
								
								
									
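--- a/openldap-change-TLS_REQSAN-default-to-TRY.patch
+++ b/openldap-change-TLS_REQSAN-default-to-TRY.patch
@@ -0,0 +1,46 @@
+From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@rehdat.com>
+Date: Thu, 5 Aug 2021 16:15:09 +0200
+Subject: [PATCH] Change TLS_REQSAN default to TRY
+
+---
+ doc/man/man5/ldap.conf.5 | 2 +-
+ libraries/libldap/init.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cde2c875f..9f1aa2c0a 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -479,7 +479,6 @@ The client will not check any SAN in the certificate.
+ The SAN is checked against the specified hostname. If a SAN is
+ present but none match the specified hostname, the SANs are ignored
+ and the usual check against the certificate DN is used.
+-This is the default setting.
+ .TP
+ .B try
+ The SAN is checked against the specified hostname. If no SAN is present
+@@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN
+ is used. If a SAN is present but doesn't match the specified hostname,
+ the session is immediately terminated. This setting may be preferred
+ when a mix of certs with and without SANs are in use.
++This is the default setting.
+ .TP
+ .B demand | hard
+ These keywords are equivalent. The SAN is checked against the specified
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 0d91808ec..fa4c176fd 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
+ 	gopts->ldo_tls_connect_cb = NULL;
+ 	gopts->ldo_tls_connect_arg = NULL;
+ 	gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+-	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
++	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY;
+ #endif
+ 	gopts->ldo_keepalive_probes = 0;
+ 	gopts->ldo_keepalive_interval = 0;
+-- 
+2.31.1
+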
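Review bot: The init.c hunk silently changes the compiled-in default of `ldo_tls_require_san` from LDAP_OPT_X_TLS_ALLOW to LDAP_OPT_X_TLS_TRY, which per the ldap.conf.5 text in the same patch turns a present-but-non-matching SAN from a fall-back to the certificate DN into an immediate termination of the session; that is a client-visible behaviour change and the assignment deserves a comment, e.g. `/* Distribution default: TRY (stricter than upstream's ALLOW); see TLS_REQSAN in ldap.conf(5). */`. Only ldap.conf.5 is updated here; if ldap_get_option(3) or the introductory TLS_REQSAN paragraph in ldap.conf.5 also states the default, they should be changed in the same patch so the documentation stays consistent. ldap_int_initialize_global_options starts and ends outside the hunk.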
							
								
								
									
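--- a/openldap-cldap-check-for-error-on-connected-socket.patch
+++ b/openldap-cldap-check-for-error-on-connected-socket.patch
@@ -0,0 +1,41 @@
+From ec5eba5393e5cc65b05e54658c55500cdbff775a Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 26 Aug 2020 13:22:52 +0100
+Subject: [PATCH 01/34] ITS#9328 cldap: check for error on connected socket
+
+libldap doesn't use a connected socket for UDP sessions, but 3rd
+parties can, passed in with ldap_init_fd().
+---
+ libraries/libldap/result.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
+index bdced135b..e2b220630 100644
+--- a/libraries/libldap/result.c
++++ b/libraries/libldap/result.c
+@@ -486,7 +486,8 @@ retry:
+ #ifdef LDAP_CONNECTIONLESS
+ 	if ( LDAP_IS_UDP(ld) ) {
+ 		struct sockaddr_storage from;
+-		ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
++		if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 )
++			goto fail;
+ 		if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
+ 	}
+ nextresp3:
+@@ -502,10 +503,11 @@ nextresp3:
+ 		break;
+ 
+ 	case LBER_DEFAULT:
++fail:
+ 		err = sock_errno();
+ #ifdef LDAP_DEBUG		    
+ 		Debug( LDAP_DEBUG_CONNS,
+-			"ber_get_next failed.\n", 0, 0, 0 );
++			"ber_get_next failed, errno=%d.\n", err, 0, 0 );
+ #endif		    
+ 		if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
+ 		if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
+-- 
+2.26.2
+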
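Review bot: The new `goto fail` in the first hunk jumps into the `case LBER_DEFAULT:` arm of a switch in the second hunk, so a failed ber_int_sb_read() on the UDP address read is now logged by the shared Debug call as `ber_get_next failed`; the jump is legal C but the shared error path is easy to misread, so a comment at the label, e.g. `/* also reached directly when the UDP peer-address read fails; err is taken from that call */`, or a distinct Debug message for the sb_read case would help the next reader. `err = sock_errno()` at `fail:` immediately follows the failed read on that path, so the errno it reports is still the one from ber_int_sb_read(). The enclosing function starts and ends outside both hunks.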
							
								
								
									
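--- /dev/null
+++ b/openldap-ldapi-sasl.patch
@@ -0,0 +1,55 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+ libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+ 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+ 	struct berval	ccred = BER_BVNULL;
+ 	int saslrc, rc;
+ 	unsigned credlen;
++	char my_hostname[HOST_NAME_MAX + 1];
++	int free_saslhost = 0;
+ 
+ 	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+ 		mechs ? mechs : "<null>", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+ 
+ 			/* If we don't need to canonicalize just use the host
+ 			 * from the LDAP URI.
++			 * Always use the result of gethostname() for LDAPI.
+ 			 */
+-			if ( nocanon )
++			if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++			    strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++				rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++				if (rc == 0) {
++					saslhost = my_hostname;
++				} else {
++					saslhost = "localhost";
++				}
++			} else if ( nocanon )
+ 				saslhost = ld->ld_defconn->lconn_server->lud_host;
+-			else 
++			else {
+ 				saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+ 				"localhost" );
++				free_saslhost = 1;
++			}
+ 			rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+-			if ( !nocanon )
++			if ( free_saslhost )
+ 				LDAP_FREE( saslhost );
+ 		}
+ 
+-- 
+1.7.11.7
+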
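Review bot: `gethostname(my_hostname, HOST_NAME_MAX + 1)` in the new ldapi branch can leave `my_hostname` without a terminating NUL when the configured host name does not fit — POSIX leaves termination of a truncated result unspecified and libcs differ on whether they then return an error — and the buffer is passed straight on to `ldap_int_sasl_open()`; terminate it explicitly on success, `my_hostname[HOST_NAME_MAX] = '\0';` just before `saslhost = my_hostname;`. `HOST_NAME_MAX` is also only available via `<limits.h>` and is missing on some non-glibc platforms that build this file, so a guarded fallback such as `#ifndef HOST_NAME_MAX` / `#define HOST_NAME_MAX 255` / `#endif` near the top of cyrus.c keeps the build portable. The `"localhost"` fallback is a string literal and `free_saslhost` stays 0 for it, so the `LDAP_FREE` guard at the end of the hunk is correct. ldap_int_sasl_bind() starts and ends outside the hunk.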
										73
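--- /dev/null
+++ b/openldap-manpages.patch
@@ -0,0 +1,73 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 3def6da..466c772 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
+ .BR ldap_add_ext (3),
+ .BR ldap_delete_ext (3),
+ .BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+ .SH AUTHOR
+ The OpenLDAP Project <http://www.openldap.org/>
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..63592cb 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+ This parameter is ignored with GnuTLS.
+ 
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index b739f4d..e2a1a00 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B slapd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	slapd -f /var/tmp/slapd.conf -d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	slapd -Tt
+ .ft
+ .fi
+ .LP
+-- 
+1.8.1.4
+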
										227
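--- /dev/null
+++ b/openldap-openssl-ITS7595-Add-EC-support-1.patch
@@ -0,0 +1,227 @@
+ITS#7595 Add Elliptic Curve support for OpenSSL
+
+Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
+Author:    Howard Chu <hyc@openldap.org>
+Date:      Sat Sep 7 09:47:19 2013 -0700
+
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 9c72e8296..2311c3096 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -922,6 +922,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B olcTLSProtocolMin: <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index f504adcf9..ef03e0ad8 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1153,6 +1153,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B TLSProtocolMin <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/include/ldap.h b/include/ldap.h
+index c245651c2..0964a193e 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_NEWCTX		0x600f
+ #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */
+ #define LDAP_OPT_X_TLS_PACKAGE		0x6011
++#define LDAP_OPT_X_TLS_ECNAME		0x6012
+ 
+ #define LDAP_OPT_X_TLS_NEVER	0
+ #define LDAP_OPT_X_TLS_HARD		1
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 66e04ae80..db7193f4f 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -165,6 +165,7 @@ struct ldaptls {
+ 	char		*lt_ciphersuite;
+ 	char		*lt_crlfile;
+ 	char		*lt_randfile;	/* OpenSSL only */
++	char		*lt_ecname;		/* OpenSSL only */
+ 	int		lt_protocol_min;
+ };
+ #endif
+@@ -250,6 +251,7 @@ struct ldapoptions {
+ #define ldo_tls_certfile	ldo_tls_info.lt_certfile
+ #define ldo_tls_keyfile	ldo_tls_info.lt_keyfile
+ #define ldo_tls_dhfile	ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname	ldo_tls_info.lt_ecname
+ #define ldo_tls_cacertfile	ldo_tls_info.lt_cacertfile
+ #define ldo_tls_cacertdir	ldo_tls_info.lt_cacertdir
+ #define ldo_tls_ciphersuite	ldo_tls_info.lt_ciphersuite
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index d25c190ea..0451b01af 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ 		LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = NULL;
+ 	}
++	if ( lo->ldo_tls_ecname ) {
++		LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = NULL;
++	}
+ 	if ( lo->ldo_tls_cacertfile ) {
+ 		LDAP_FREE( lo->ldo_tls_cacertfile );
+ 		lo->ldo_tls_cacertfile = NULL;
+@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
+ 		lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+ 		__atoe( lts.lt_dhfile );
+ 	}
++	if ( lts.lt_ecname ) {
++		lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++		__atoe( lts.lt_ecname );
++	}
+ #endif
+ 	lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+ 	if ( lo->ldo_tls_ctx == NULL ) {
+@@ -257,6 +265,7 @@ error_exit:
+ 	LDAP_FREE( lts.lt_crlfile );
+ 	LDAP_FREE( lts.lt_cacertdir );
+ 	LDAP_FREE( lts.lt_dhfile );
++	LDAP_FREE( lts.lt_ecname );
+ #endif
+ 	return rc;
+ }
+@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ 		*(char **)arg = lo->ldo_tls_dhfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+ 		break;
++	case LDAP_OPT_X_TLS_ECNAME:
++		*(char **)arg = lo->ldo_tls_ecname ?
++			LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++		break;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		*(char **)arg = lo->ldo_tls_crlfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ 		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
++	case LDAP_OPT_X_TLS_ECNAME:
++		if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		return 0;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+ 		lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index f24060b7e..1370923af 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		return -1;
+ 	}
+ 
+-	if ( lo->ldo_tls_dhfile ) {
+-		DH *dh = NULL;
++	if ( is_server && lo->ldo_tls_dhfile ) {
++		DH *dh;
+ 		BIO *bio;
+-		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ 
+ 		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ 			Debug( LDAP_DEBUG_ANY,
+@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		}
+ 		BIO_free( bio );
+ 		SSL_CTX_set_tmp_dh( ctx, dh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++		DH_free( dh );
++	}
++
++#ifdef SSL_OP_SINGLE_ECDH_USE
++	if ( is_server && lo->ldo_tls_ecname ) {
++		EC_KEY *ecdh;
++
++		int nid = OBJ_sn2nid( lt->lt_ecname );
++		if ( nid == NID_undef ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not use EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		ecdh = EC_KEY_new_by_curve_name( nid );
++		if ( ecdh == NULL ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not generate key for EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++		EC_KEY_free( ecdh );
+ 	}
++#endif
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f14100..8b1e4e582 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -194,6 +194,7 @@ enum {
+ 	CFG_ACL_ADD,
+ 	CFG_SYNC_SUBENTRY,
+ 	CFG_LTHREADS,
++	CFG_TLS_ECNAME,
+ 
+ 	CFG_LAST
+ };
+@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
+ #endif
+ 		"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+ 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++	{ "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++		CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++		ARG_IGNORED, NULL,
++#endif
++		"( OLcfgGlAt:96 NAME 'olcTLSECName' "
++			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ "TLSProtocolMin",	NULL, 2, 2, 0,
+ #ifdef HAVE_TLS
+ 		CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
+ 		 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+ 		 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+ 		 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+-		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+ 		 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+ 		 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+ 		 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
+ 	case CFG_TLS_CA_PATH:	flag = LDAP_OPT_X_TLS_CACERTDIR;	break;
+ 	case CFG_TLS_CA_FILE:	flag = LDAP_OPT_X_TLS_CACERTFILE;	break;
+ 	case CFG_TLS_DH_FILE:	flag = LDAP_OPT_X_TLS_DHFILE;	break;
++	case CFG_TLS_ECNAME:	flag = LDAP_OPT_X_TLS_ECNAME;	break;
+ #ifdef HAVE_GNUTLS
+ 	case CFG_TLS_CRL_FILE:	flag = LDAP_OPT_X_TLS_CRLFILE;	break;
+ #endif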
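Review bot: The new tls_o.c block resolves the configured curve with `OBJ_sn2nid( lt->lt_ecname )`, which only accepts OpenSSL short names (for example `prime256v1` or `secp384r1`), yet neither man-page hunk tells the administrator which spelling is expected; I'd add to both the `TLSECName` and `olcTLSECName` descriptions a sentence such as `The name must be an OpenSSL curve short name, as listed by "openssl ecparam -list_curves".` The `tlso_report_error()` call after a `NID_undef` result is most likely a no-op, since a failed name lookup does not appear to leave anything on the OpenSSL error queue, so the preceding Debug line is the only diagnostic a misspelled curve produces. Pinning one curve through `SSL_CTX_set_tmp_ecdh()` also sidesteps the automatic curve selection that newer OpenSSL releases offer, which is worth a one-line comment above the `#ifdef SSL_OP_SINGLE_ECDH_USE` block so a later maintainer knows the trade-off was deliberate. tlso_ctx_init() starts and ends outside the hunk.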
										34
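--- /dev/null
+++ b/openldap-openssl-ITS7595-Add-EC-support-2.patch
@@ -0,0 +1,34 @@
+ITS#7595 don't try to use EC if OpenSSL lacks it
+
+Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
+Author: Howard Chu <hyc@openldap.org>
+Date: Sun Sep 8 06:32:23 2013 -0700
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 1a81bc625..71c2b055c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		DH_free( dh );
+ 	}
+ 
+-#ifdef SSL_OP_SINGLE_ECDH_USE
+ 	if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++		Debug( LDAP_DEBUG_ANY,
++			"TLS: Elliptic Curves not supported.\n", 0,0,0 );
++		return -1;
++#else
+ 		EC_KEY *ecdh;
+ 
+ 		int nid = OBJ_sn2nid( lt->lt_ecname );
+@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ 		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ 		EC_KEY_free( ecdh );
+-	}
+ #endif
++	}
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );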
										48
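--- /dev/null
+++ b/openldap-openssl-manpage-defaultCA.patch
@@ -0,0 +1,48 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -307,6 +307,9 @@ are more options you can specify.  These options are used when an
+ .B ldaps:// URI
+ is selected (by default or otherwise) or when the application
+ negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither  \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+ .TP
+ .B TLS_CACERT <filename>
+ Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -801,6 +801,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B olcTLSCipherSuite: <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1032,6 +1032,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B TLSCipherSuite <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.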
										33
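--- /dev/null
+++ b/openldap-reentrant-gethostby.patch
@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+ 
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+ 
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+ 
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))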
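Review bot: The new condition `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` in the second hunk relies on `&&` binding tighter than `||`; that is the grouping the description wants, but `-Wparentheses` flags it and every reader has to re-derive it, so write `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. In the first hunk the two `# undef` lines are commented out rather than deleted, which leaves dead text with no explanation in the source; dropping them and putting the recursion/deadlock rationale from the patch description into a short comment after `# undef HAVE_CTIME_R` would record why these two macros alone survive outside libldap_r. Both the `#ifndef LDAP_R_COMPILE` block and the function that follows the second hunk continue outside the hunks.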
										62
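--- /dev/null
+++ b/openldap-smbk5pwd-overlay.patch
@@ -0,0 +1,62 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+ This directory contains a slapd overlay, smbk5pwd, that extends the
+ PasswordModify Extended Operation to update Kerberos keys and Samba
+ password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+ 	syncprov.c \
+ 	translucent.c \
+ 	unique.c \
+-	valsort.c
++	valsort.c \
++	smbk5pwd.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+ 	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+ 
++smbk5pwd.lo : smbk5pwd.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \
+-- 
+1.7.10.4
+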
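Review bot: The two new rules expand `$(shell pkg-config openssl --cflags)` and `$(shell pkg-config openssl --libs)` in a Makefile.in that otherwise only uses configure's `@…@` substitutions; `$(shell …)` is a GNU make extension, and if `pkg-config` or the openssl .pc file is absent the expansion is silently empty, so the overlay is compiled and linked against whatever OpenSSL happens to be on the default search path instead of failing. A configure-time substitution (something like an `@OPENSSL_CFLAGS@`/`@OPENSSL_LIBS@` pair — constructed names, not present in this tree) or at minimum a `pkg-config --exists openssl` check in the rule would make a missing dependency fail the build loudly. `-UHAVE_MOZNSS -DHAVE_OPENSSL` is forced unconditionally as well, which is fine for this distribution build but deserves a comment above `smbk5pwd.lo :` noting that the overlay is intentionally built for OpenSSL only. The `install-local:` recipe continues outside the hunk.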
| @ -0,0 +1,41 @@ | |||||||
|  | From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de> | ||||||
|  | Date: Tue, 18 May 2010 17:47:05 +0200 | ||||||
|  | Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set. | ||||||
|  | 
 | ||||||
|  | Proof of concept for fixing http://bugs.debian.org/327585 | ||||||
|  | (patch ported from freeradius bug http://bugs.debian.org/416266) | ||||||
|  | 
 | ||||||
|  | Resolves: #960048 | ||||||
|  | ---
 | ||||||
|  | --- openldap/servers/slapd/module.c.orig	2010-05-18 17:42:04.000000000 +0200
 | ||||||
|  | +++ openldap/servers/slapd/module.c	2010-05-18 17:45:46.000000000 +0200
 | ||||||
|  | @@ -117,6 +117,20 @@
 | ||||||
|  |  	return -1;	/* not found */ | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | +static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
 | ||||||
|  | +{
 | ||||||
|  | +	lt_dlhandle handle = 0;
 | ||||||
|  | +	lt_dladvise advise;
 | ||||||
|  | +
 | ||||||
|  | +	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
 | ||||||
|  | +			&& !lt_dladvise_global (&advise))
 | ||||||
|  | +		handle = lt_dlopenadvise (filename, advise);
 | ||||||
|  | +
 | ||||||
|  | +	lt_dladvise_destroy (&advise);
 | ||||||
|  | +
 | ||||||
|  | +	return handle;
 | ||||||
|  | +}
 | ||||||
|  | +
 | ||||||
|  |  int module_load(const char* file_name, int argc, char *argv[]) | ||||||
|  |  { | ||||||
|  |  	module_loaded_t *module; | ||||||
|  | @@ -180,7 +194,7 @@
 | ||||||
|  |  	 * to calling Debug. This is because Debug is a macro that expands | ||||||
|  |  	 * into multiple function calls. | ||||||
|  |  	 */ | ||||||
|  | -	if ((module->lib = lt_dlopenext(file)) == NULL) {
 | ||||||
|  | +	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
 | ||||||
|  |  		error = lt_dlerror(); | ||||||
|  |  #ifdef HAVE_EBCDIC | ||||||
|  |  		strcpy( ebuf, error ); | ||||||
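Review bot: In the new `slapd_lt_dlopenext_global()`, `advise` is declared without an initializer and `lt_dladvise_destroy(&advise)` runs unconditionally, including when `lt_dladvise_init(&advise)` has failed; that is only safe if libltdl guarantees to null the handle on a failed init, which the code here cannot show, so `lt_dladvise advise = NULL;` makes the cleanup obviously correct regardless. The switch to `lt_dladvise_global()` also changes symbol visibility for every module slapd loads afterwards, so a one-line comment above the helper such as `/* Load with RTLD_GLOBAL so module symbols are visible to later modules; see the Debian bug cited in the patch description. */` keeps the rationale next to the code rather than only in the patch header. module_load() starts and ends outside the hunk.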
										2177
								openldap.spec
										158
								slapd.ldif
							| @ -0,0 +1,158 @@ | |||||||
|  | # | ||||||
|  | # See slapd-config(5) for details on configuration options. | ||||||
|  | # This file should NOT be world readable. | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | dn: cn=config | ||||||
|  | objectClass: olcGlobal | ||||||
|  | cn: config | ||||||
|  | # | ||||||
|  | # TLS settings | ||||||
|  | # | ||||||
|  | # When no CA certificates are specified the Shared System Certificates | ||||||
|  | # are in use. In order to have these available along with the ones specified | ||||||
|  | # by oclTLSCACertificatePath one has to include them explicitly: | ||||||
|  | #olcTLSCACertificateFile: /etc/pki/tls/cert.pem | ||||||
|  | # | ||||||
|  | # Private cert and key are not pregenerated. | ||||||
|  | #olcTLSCertificateFile: | ||||||
|  | #olcTLSCertificateKeyFile: | ||||||
|  | # | ||||||
|  | # System-wide Crypto Policies provide up to date cipher suite which should | ||||||
|  | # be used unless one needs a finer grinded selection of ciphers. Hence, the | ||||||
|  | # PROFILE=SYSTEM value represents the default behavior which is in place | ||||||
|  | # when no explicit setting is used. (see openssl-ciphers(1) for more info) | ||||||
|  | #olcTLSCipherSuite: PROFILE=SYSTEM | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | # | ||||||
|  | # Do not enable referrals until AFTER you have a working directory | ||||||
|  | # service AND an understanding of referrals. | ||||||
|  | # | ||||||
|  | #olcReferral: ldap://root.openldap.org | ||||||
|  | # | ||||||
|  | # Sample security restrictions | ||||||
|  | #	Require integrity protection (prevent hijacking) | ||||||
|  | #	Require 112-bit (3DES or better) encryption for updates | ||||||
|  | #	Require 64-bit encryption for simple bind | ||||||
|  | # | ||||||
|  | #olcSecurity: ssf=1 update_ssf=112 simple_bind=64 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | # | ||||||
|  | # Load dynamic backend modules: | ||||||
|  | # - modulepath is architecture dependent value (32/64-bit system) | ||||||
|  | # - back_sql.la backend requires openldap-servers-sql package | ||||||
|  | # - dyngroup.la and dynlist.la cannot be used at the same time | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | #dn: cn=module,cn=config | ||||||
|  | #objectClass: olcModuleList | ||||||
|  | #cn: module | ||||||
|  | #olcModulepath:	/usr/lib/openldap | ||||||
|  | #olcModulepath:	/usr/lib64/openldap | ||||||
|  | #olcModuleload: accesslog.la | ||||||
|  | #olcModuleload: auditlog.la | ||||||
|  | #olcModuleload: back_dnssrv.la | ||||||
|  | #olcModuleload: back_ldap.la | ||||||
|  | #olcModuleload: back_mdb.la | ||||||
|  | #olcModuleload: back_meta.la | ||||||
|  | #olcModuleload: back_null.la | ||||||
|  | #olcModuleload: back_passwd.la | ||||||
|  | #olcModuleload: back_relay.la | ||||||
|  | #olcModuleload: back_shell.la | ||||||
|  | #olcModuleload: back_sock.la | ||||||
|  | #olcModuleload: collect.la | ||||||
|  | #olcModuleload: constraint.la | ||||||
|  | #olcModuleload: dds.la | ||||||
|  | #olcModuleload: deref.la | ||||||
|  | #olcModuleload: dyngroup.la | ||||||
|  | #olcModuleload: dynlist.la | ||||||
|  | #olcModuleload: memberof.la | ||||||
|  | #olcModuleload: pcache.la | ||||||
|  | #olcModuleload: ppolicy.la | ||||||
|  | #olcModuleload: refint.la | ||||||
|  | #olcModuleload: retcode.la | ||||||
|  | #olcModuleload: rwm.la | ||||||
|  | #olcModuleload: seqmod.la | ||||||
|  | #olcModuleload: smbk5pwd.la | ||||||
|  | #olcModuleload: sssvlv.la | ||||||
|  | #olcModuleload: syncprov.la | ||||||
|  | #olcModuleload: translucent.la | ||||||
|  | #olcModuleload: unique.la | ||||||
|  | #olcModuleload: valsort.la | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | # | ||||||
|  | # Schema settings | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | dn: cn=schema,cn=config | ||||||
|  | objectClass: olcSchemaConfig | ||||||
|  | cn: schema | ||||||
|  | 
 | ||||||
|  | include: file:///etc/openldap/schema/core.ldif | ||||||
|  | 
 | ||||||
|  | # | ||||||
|  | # Frontend settings | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | dn: olcDatabase=frontend,cn=config | ||||||
|  | objectClass: olcDatabaseConfig | ||||||
|  | olcDatabase: frontend | ||||||
|  | # | ||||||
|  | # Sample global access control policy: | ||||||
|  | #	Root DSE: allow anyone to read it | ||||||
|  | #	Subschema (sub)entry DSE: allow anyone to read it | ||||||
|  | #	Other DSEs: | ||||||
|  | #		Allow self write access | ||||||
|  | #		Allow authenticated users read access | ||||||
|  | #		Allow anonymous users to authenticate | ||||||
|  | # | ||||||
|  | #olcAccess: to dn.base="" by * read | ||||||
|  | #olcAccess: to dn.base="cn=Subschema" by * read | ||||||
|  | #olcAccess: to * | ||||||
|  | #	by self write | ||||||
|  | #	by users read | ||||||
|  | #	by anonymous auth | ||||||
|  | # | ||||||
|  | # if no access controls are present, the default policy | ||||||
|  | # allows anyone and everyone to read anything but restricts | ||||||
|  | # updates to rootdn.  (e.g., "access to * by * read") | ||||||
|  | # | ||||||
|  | # rootdn can always read and write EVERYTHING! | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | # | ||||||
|  | # Configuration database | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | dn: olcDatabase=config,cn=config | ||||||
|  | objectClass: olcDatabaseConfig | ||||||
|  | olcDatabase: config | ||||||
|  | olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c | ||||||
|  |  n=auth" manage by * none | ||||||
|  | 
 | ||||||
|  | # | ||||||
|  | # Server status monitoring | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | dn: olcDatabase=monitor,cn=config | ||||||
|  | objectClass: olcDatabaseConfig | ||||||
|  | olcDatabase: monitor | ||||||
|  | olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c | ||||||
|  |  n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none | ||||||
|  | 
 | ||||||
|  | # | ||||||
|  | # Backend database definitions | ||||||
|  | # | ||||||
|  | 
 | ||||||
|  | dn: olcDatabase=mdb,cn=config | ||||||
|  | objectClass: olcDatabaseConfig | ||||||
|  | objectClass: olcMdbConfig | ||||||
|  | olcDatabase: mdb | ||||||
|  | olcSuffix: dc=my-domain,dc=com | ||||||
|  | olcRootDN: cn=Manager,dc=my-domain,dc=com | ||||||
|  | olcDbDirectory:	/var/lib/ldap | ||||||
|  | olcDbIndex: objectClass eq,pres | ||||||
|  | olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub | ||||||
							
								
								
									
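--- /dev/null
+++ b/slapd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service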
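Review bot: `After=syslog.target network-online.target` on line 3 only orders the unit; without a matching `Wants=network-online.target` nothing pulls that target in, so slapd can be started before the network is up (systemd.special(7)), and `syslog.target` is obsolete on systemd hosts and can be dropped. The [Service] section applies no sandboxing even though the ExecStart line listens on `ldap:///` and `ldaps:///` on all interfaces, so cheap directives such as `PrivateTmp=true`, `ProtectHome=true` and `PrivateDevices=true` are worth adding; `ProtectSystem=` is deliberately not suggested because the cn=config database that slapd.ldif opens to root over ldapi is conventionally stored under /etc/openldap and would become read-only. With `Type=forking`, a `PIDFile=` lets systemd track the daemon; slapd.tmpfiles mentions slapd.pid under /var/run/openldap, so the path is presumably `/var/run/openldap/slapd.pid`, to be confirmed against olcPidFile. Note also that `ldaps:///` is enabled here while slapd.ldif ships with olcTLSCertificateFile commented out, so port 636 will accept connections but cannot complete a TLS handshake until a certificate is configured.
```ini
[Unit]
Description=OpenLDAP Server Daemon
After=network-online.target
Wants=network-online.target
# … unchanged: Documentation= lines …

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
PrivateTmp=true
ProtectHome=true
PrivateDevices=true
# … unchanged: ExecStartPre= / ExecStart= …
```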
							
								
								
									
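--- /dev/null
+++ b/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -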
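Review bot: The directory on line 2 is created under /var/run, which on systemd hosts is a compatibility symlink to /run; systemd-tmpfiles logs a deprecation warning for such paths, so prefer `d /run/openldap 0755 ldap ldap -`. Any pid or args path in the slapd configuration or unit that references /var/run/openldap would need the same change, though none is visible in this commit, and the old path keeps working through the symlink in the meantime.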
							
								
								
									
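--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (ltb-project-openldap-ppolicy-check-password-1.1.tar.gz) = f3384a164ce5db488908cf6380bad8500b800b09d12a8f04e1b6ccb6f6af6ab3971fcdbe4acca7a1b6d16b408a11065c2b1ab2497863fe07d3c28262b0f6776e
+SHA512 (openldap-2.4.46.tgz) = eef39d43f04aa09c657a1422cefef060fe00368559ae40d0d97536c08ebeaaa1ab06207b3f121ba6afcde54abdc550027c3505e5217e5fd47ae6f8c001260186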