rpms/openldap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

new upstream release (2.4.33)

Browse Source
This commit is contained in:
Jan Vcelak 2012-10-11 11:47:24 +02:00
parent 5568103a57
commit 587944c9e6
10 changed files with 5105 additions and 7458 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -3,3 +3,4 @@
/openldap-2.4.30.tgz
/openldap-2.4.31.tgz
/openldap-2.4.32.tgz
/openldap-2.4.33.tgz

12
openldap-autoconf-pkgconfig-nss.patch
View File

@ -3,14 +3,14 @@ Use pkg-config for Mozilla NSS library detection
Author: Jan Vcelak <jvcelak@redhat.com>
---
configure.in | 20 +++++---------------
1 file changed, 5 insertions(+), 15 deletions(-)
configure.in | 22 +++++-----------------
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/configure.in b/configure.in
index f0f8d99..2a9cfb4 100644
index ecffe30..2a9cfb4 100644
--- a/configure.in
+++ b/configure.in
@@ -1223,26 +1223,16 @@ if test $ol_link_tls = no ; then
@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
fi
fi
@ -35,7 +35,9 @@ index f0f8d99..2a9cfb4 100644
- [define if you have MozNSS])
- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
- else
- if test $ol_with_tls = moznss ; then
- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
- fi
+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
+ TLS_LIBS="$MOZNSS_LIBS"
+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
@ -43,5 +45,5 @@ index f0f8d99..2a9cfb4 100644
fi
fi
--
1.7.10.4
1.7.11.7

12109
openldap-workaround-m4-858274.patch → openldap-autoreconf.patch
View File

File diff suppressed because it is too large Load Diff

203
openldap-constraint-count.patch
View File

@ -1,203 +0,0 @@
Fix count constraint when using multiple modifications
Constraint overlay doesn't take into account multiple modifications when using
count.
Example: If count for 'description' attribute is set e.g. to 2, the following
results in a constraint violation:
dn: cn=usr2, dc=my-domain,dc=com
add: description
description: d1
description: d2
description: d3-viol
However, this passes:
dn: cn=usr2, dc=my-domain,dc=com
add: description
description: d1
-
add: description
description: d2
-
add: description
description: d3
This patch fixes the behavior in case multiple modifications are used.
Author: Jan Synacek <jsynacek@redhat.com>
Upstream ITS: #7168
Upstream commit: bb8112c382c24db25b175459e340ce248fe25563
Resolves: #742163
---
servers/slapd/overlays/constraint.c | 117 ++++++++++++++++++++++++-----------
1 file changed, 80 insertions(+), 37 deletions(-)
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
index e6a9267..538d383 100644
--- a/servers/slapd/overlays/constraint.c
+++ b/servers/slapd/overlays/constraint.c
@@ -838,6 +838,68 @@ add_violation:
static int
+constraint_check_count_violation( Modifications *m, Entry *target_entry, constraint *cp )
+{
+ BerVarray b = NULL;
+ unsigned ce = 0;
+ unsigned ca;
+ int j;
+
+ for ( j = 0; cp->ap[j]; j++ ) {
+ ca = 0;
+
+ /* Get this attribute count */
+ if ( target_entry )
+ ce = constraint_count_attr( target_entry, cp->ap[j] );
+
+ for( ; m; m = m->sml_next ) {
+ if ( cp->ap[j] == m->sml_desc ) {
+ switch ( m->sml_op ) {
+ case LDAP_MOD_DELETE:
+ if (( b = m->sml_values ) == NULL || b[0].bv_val == NULL ) {
+ ce = 0;
+ }
+ else {
+ /* No need to check for values' validity. Invalid values
+ * cause the whole transaction to die anyway. */
+ for ( ca = 0; b[ca].bv_val; ++ca );
+ ce -= ca;
+ }
+ break;
+
+ case LDAP_MOD_ADD:
+ if (( b = m->sml_values ) == NULL || b[0].bv_val == NULL )
+ continue;
+
+ for ( ca = 0; b[ca].bv_val; ++ca );
+ ce += ca;
+ break;
+
+ case LDAP_MOD_REPLACE:
+ if (( b = m->sml_values ) == NULL || b[0].bv_val == NULL )
+ continue;
+
+ for ( ca = 0; b[ca].bv_val; ++ca );
+ ce = ca;
+ break;
+
+ default:
+ /* impossible! assert? */
+ return 1;
+ }
+
+ Debug(LDAP_DEBUG_TRACE,
+ "==> constraint_check_count_violation ce = %u, "
+ "ca = %u, cp->count = %lu\n",
+ ce, ca, (unsigned long) cp->count);
+ }
+ }
+ }
+
+ return ( ce > cp->count );
+}
+
+static int
constraint_update( Operation *op, SlapReply *rs )
{
slap_overinst *on = (slap_overinst *) op->o_bd->bd_info;
@@ -850,6 +912,8 @@ constraint_update( Operation *op, SlapReply *rs )
struct berval rsv = BER_BVC("modify breaks constraint");
int rc;
char *msg = NULL;
+ int is_v;
+ int first = 1;
if (get_relax(op)) {
return SLAP_CB_CONTINUE;
@@ -880,10 +944,12 @@ constraint_update( Operation *op, SlapReply *rs )
/* Do we need to count attributes? */
for(cp = c; cp; cp = cp->ap_next) {
if (cp->count != 0 || cp->set || cp->restrict_lud != 0) {
- op->o_bd = on->on_info->oi_origdb;
- rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
- op->o_bd = be;
-
+ if (first) {
+ op->o_bd = on->on_info->oi_origdb;
+ rc = be_entry_get_rw( op, &op->o_req_ndn, NULL, NULL, 0, &target_entry );
+ op->o_bd = be;
+ first = 0;
+ }
if (rc != 0 || target_entry == NULL) {
Debug(LDAP_DEBUG_TRACE,
"==> constraint_update rc = %d DN=\"%s\"%s\n",
@@ -893,7 +959,16 @@ constraint_update( Operation *op, SlapReply *rs )
rc = LDAP_CONSTRAINT_VIOLATION;
goto mod_violation;
}
- break;
+
+ is_v = constraint_check_count_violation(m, target_entry, cp);
+
+ Debug(LDAP_DEBUG_TRACE,
+ "==> constraint_update is_v: %d\n", is_v, 0, 0);
+
+ if (is_v) {
+ rc = LDAP_CONSTRAINT_VIOLATION;
+ goto mod_violation;
+ }
}
}
@@ -912,10 +987,6 @@ constraint_update( Operation *op, SlapReply *rs )
if ((( b = m->sml_values ) == NULL ) || (b[0].bv_val == NULL))
continue;
- /* Get this attribute count, if needed */
- if (target_entry)
- ce = constraint_count_attr(target_entry, m->sml_desc);
-
for(cp = c; cp; cp = cp->ap_next) {
int j;
for (j = 0; cp->ap[j]; j++) {
@@ -929,34 +1000,6 @@ constraint_update( Operation *op, SlapReply *rs )
continue;
}
- if (cp->count != 0) {
- unsigned ca;
-
- if (m->sml_op == LDAP_MOD_DELETE)
- ce = 0;
-
- for (ca = 0; b[ca].bv_val; ++ca);
-
- Debug(LDAP_DEBUG_TRACE,
- "==> constraint_update ce = %u, "
- "ca = %u, cp->count = %lu\n",
- ce, ca, (unsigned long) cp->count);
-
- if (m->sml_op == LDAP_MOD_ADD) {
- if (ca + ce > cp->count) {
- rc = LDAP_CONSTRAINT_VIOLATION;
- goto mod_violation;
- }
- }
- if (m->sml_op == LDAP_MOD_REPLACE) {
- if (ca > cp->count) {
- rc = LDAP_CONSTRAINT_VIOLATION;
- goto mod_violation;
- }
- ce = ca;
- }
- }
-
/* DELETE are to be ignored beyond this point */
if (( m->sml_op & LDAP_MOD_OP ) == LDAP_MOD_DELETE)
continue;
--
1.7.10.4

35
openldap-nss-certs-from-certdb-fallback-pem.patch
View File

@ -1,27 +1,34 @@
MozNSS: load certificates from certdb, fallback to PEM
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS certificate database, the backend assumed that
the certificate is always located in the certificate database. This assumption might be wrong. This patch makes the
library to try to load the certificate from NSS database and fallback to PEM file if unsuccessfull.
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.
This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7389
Resolves: #857455
---
libraries/libldap/tls_m.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 7ebcd24..634f9d9 100644
index 61d71d4..49a3f8f 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key(tlsm_ctx *ctx)
@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
/* prefer unlocked key, then key from opened certdb, then any other */
if (unlocked_key)
if ( unlocked_key )
ctx->tc_private_key = unlocked_key;
- else if (ctx->tc_certdb_slot)
- else if ( ctx->tc_certdb_slot )
+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
ctx->tc_private_key = PK11_FindKeyByDERCert(ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg);
ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
else
ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
@@ -1906,8 +1906,6 @@ tlsm_deferred_init( void *arg )
ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
@@ -1900,8 +1900,6 @@ tlsm_deferred_init( void *arg )
}
return -1;
}
@ -30,7 +37,7 @@ index 7ebcd24..634f9d9 100644
}
NSS_SetDomesticPolicy();
@@ -2360,15 +2358,9 @@ tlsm_deferred_ctx_init( void *arg )
@@ -2354,15 +2352,9 @@ tlsm_deferred_ctx_init( void *arg )
/* set up our cert and key, if any */
if ( lt->lt_certfile ) {
@ -48,8 +55,8 @@ index 7ebcd24..634f9d9 100644
+ if ( ctx->tc_certdb ) {
char *tmp_certname;
if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
@@ -2388,9 +2380,24 @@ tlsm_deferred_ctx_init( void *arg )
if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
@@ -2382,9 +2374,24 @@ tlsm_deferred_ctx_init( void *arg )
Debug( LDAP_DEBUG_ANY,
"TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
@ -76,5 +83,5 @@ index 7ebcd24..634f9d9 100644
if ( lt->lt_keyfile ) {
--
1.7.11.4
1.7.11.7

31
openldap-nss-ignore-certdb-sql-prefix.patch
View File

@ -1,31 +0,0 @@
MozNSS: ignore certdb 'sql:' prefix when testing existence of the directory
If the certdb uses newer SQL format, the certificate directory name starts with 'sql:'. This prefix has to be ignored
when testing certificate directory existence.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7388
Resolves: #857373
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 61d71d4..80fa4f1 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1643,7 +1643,13 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
return;
}
- prc = PR_GetFileInfo( certdir, &prfi );
+ /* ignore sql: prefix if provided */
+ if ( strncmp( "sql:", certdir, 4 ) == 0 ) {
+ prc = PR_GetFileInfo( certdir + 4, &prfi );
+ } else {
+ prc = PR_GetFileInfo( certdir, &prfi );
+ }
+
/* if certdir exists (file or directory) then it cannot specify a prefix */
if ( prc == PR_SUCCESS ) {
return;
--
1.7.11.4

47
openldap-nss-ignore-certdb-type-prefix.patch Normal file
View File

@ -0,0 +1,47 @@
MozNSS: ignore certdb database type prefix when checking existence of the directory
If the certdb is specified including the database type prefix (e.g.
sql:, dbm:), the prefix has to be ignored when checking the
certificate directory existence.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7388
Resolves: #857373
---
libraries/libldap/tls_m.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 49a3f8f..5ee21a2 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
{
char sep = PR_GetDirectorySeparator();
char *ptr = NULL;
+ char *chkpath = NULL;
struct PRFileInfo prfi;
PRStatus prc;
@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
return;
}
- prc = PR_GetFileInfo( certdir, &prfi );
+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
+ chkpath = strchr( certdir, ':' );
+ if ( chkpath != NULL ) {
+ chkpath += 1;
+ } else {
+ chkpath = certdir;
+ }
+
/* if certdir exists (file or directory) then it cannot specify a prefix */
+ prc = PR_GetFileInfo( chkpath, &prfi );
if ( prc == PR_SUCCESS ) {
return;
}
--
1.7.11.7

81
openldap-nss-prefer-unlocked-key.patch
View File

@ -1,81 +0,0 @@
MozNSS: prefer authenticated slot when getting private key
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7359
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index f37da06..5022efb 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -901,7 +901,7 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
* capability the server would have to be started in foreground mode
* if using an encrypted key.
*/
- if ( ctx->tc_pin_file ) {
+ if ( ctx && ctx->tc_pin_file ) {
pwdstr = tlsm_get_pin_from_file( token_name, ctx );
if (retry && pwdstr != NULL)
return NULL;
@@ -990,6 +990,38 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
return is_self_issued;
}
+/*
+ * The private key for used certificate can be already unlocked by other
+ * thread or library. Find the unlocked key if possible.
+ */
+static SECKEYPrivateKey *
+tlsm_find_unlocked_key(tlsm_ctx *ctx, void *pin_arg)
+{
+ SECKEYPrivateKey *result = NULL;
+
+ PK11SlotList *slots = PK11_GetAllSlotsForCert(ctx->tc_certificate, NULL);
+ if (!slots) {
+ PRErrorCode errcode = PR_GetError();
+ Debug(LDAP_DEBUG_ANY,
+ "TLS: cannot get all slots for certificate '%s' (error %d: %s)",
+ tlsm_ctx_subject_name(ctx), errcode,
+ PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT));
+ return result;
+ }
+
+ PK11SlotListElement *le;
+ for (le = slots->head; le && !result; le = le->next) {
+ PK11SlotInfo *slot = le->slot;
+ if (!PK11_IsLoggedIn(slot, NULL))
+ continue;
+
+ result = PK11_FindKeyByDERCert(slot, ctx->tc_certificate, pin_arg);
+ }
+
+ PK11_FreeSlotList(slots);
+ return result;
+}
+
static SECStatus
tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
@@ -1303,7 +1335,19 @@ tlsm_ctx_load_private_key(tlsm_ctx *ctx)
void *pin_arg = SSL_RevealPinArg(ctx->tc_model);
- ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+ SECKEYPrivateKey *unlocked_key = tlsm_find_unlocked_key(ctx, pin_arg);
+ Debug(LDAP_DEBUG_ANY,
+ "TLS: %s unlocked certificate for certificate '%s'.\n",
+ unlocked_key ? "found" : "no", tlsm_ctx_subject_name(ctx), 0);
+
+ /* prefer unlocked key, then key from opened certdb, then any other */
+ if (unlocked_key)
+ ctx->tc_private_key = unlocked_key;
+ else if (ctx->tc_certdb_slot)
+ ctx->tc_private_key = PK11_FindKeyByDERCert(ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg);
+ else
+ ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+
if (!ctx->tc_private_key) {
PRErrorCode errcode = PR_GetError();
Debug(LDAP_DEBUG_ANY,
--
1.7.11.4

42
openldap.spec
View File

@ -7,8 +7,8 @@
%global systemctl_bin /usr/bin/systemctl
Name: openldap
Version: 2.4.32
Release: 3%{?dist}
Version: 2.4.33
Release: 1%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@ -37,26 +37,22 @@ Patch5: openldap-ldaprc-currentdir.patch
Patch6: openldap-userconfig-setgid.patch
Patch7: openldap-dns-priority.patch
Patch8: openldap-syncrepl-unset-tls-options.patch
Patch9: openldap-constraint-count.patch
Patch10: openldap-man-sasl-nocanon.patch
Patch11: openldap-ai-addrconfig.patch
Patch12: openldap-nss-prefer-unlocked-key.patch
Patch13: openldap-nss-allow-certname-with-token-name.patch
Patch14: openldap-nss-update-list-of-ciphers.patch
Patch15: openldap-tls-no-reuse-of-tls_session.patch
Patch16: openldap-nss-regex-search-hashed-cacert-dir.patch
Patch17: openldap-nss-ignore-certdb-sql-prefix.patch
Patch18: openldap-nss-certs-from-certdb-fallback-pem.patch
Patch9: openldap-man-sasl-nocanon.patch
Patch10: openldap-ai-addrconfig.patch
Patch11: openldap-nss-update-list-of-ciphers.patch
Patch12: openldap-tls-no-reuse-of-tls_session.patch
Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
Patch14: openldap-nss-ignore-certdb-type-prefix.patch
Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
# Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch
Patch101: openldap-fedora-systemd.patch
Patch102: openldap-workaround-m4-858274.patch
Patch101: openldap-autoreconf.patch
Patch102: openldap-fedora-systemd.patch
# patches for the evolution library (see README.evolution)
Patch200: openldap-evolution-ntlm.patch
BuildRequires: autoconf
BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl
# smbk5pwd overlay:
@ -143,9 +139,7 @@ pushd openldap-%{version}
# use pkg-config for Mozilla NSS library
%patch100 -p1
# workaround for m4 bug #858274
#AUTOMAKE=/bin/true autoreconf --install --force
%patch102 -p1
%patch101 -p1
# alternative include paths for Mozilla NSS
ln -s %{_includedir}/nss3 include/nss
@ -167,11 +161,8 @@ ln -s %{_includedir}/nspr4 include/nspr
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch101 -p1
%patch102 -p1
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -627,6 +618,13 @@ exit 0
%{evolution_connector_prefix}/
%changelog
* Thu Oct 11 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-1
- new upstream release:
+ slapd: ACLs, syncrepl
+ backends: locking and memory management in MDB
+ manpages: slapo-refint
- patch update: MozNSS certificate database in SQL format cannot be used (#860317)
* Fri Sep 14 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-3
- fix: some TLS ciphers cannot be enabled (#852338)
- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)

2
sources
View File

@ -1 +1 @@
6a3e85cf61860ca5e8a1eba6753dd9d0 openldap-2.4.32.tgz
5adae44897647c15ce5abbff313bc85a openldap-2.4.33.tgz