rpms/openldap
6
0
Fork 0
Code Issues Pull Requests Releases Activity

new upstream release (2.4.32)

Browse Source
This commit is contained in:
Jan Vcelak 2012-08-01 13:39:25 +02:00
parent c736adad77
commit 6304a48a54
10 changed files with 16 additions and 323 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,3 +2,4 @@
/openldap-2.4.29.tgz /openldap-2.4.29.tgz
/openldap-2.4.30.tgz /openldap-2.4.30.tgz
/openldap-2.4.31.tgz /openldap-2.4.31.tgz
/openldap-2.4.32.tgz

27
openldap-cve-nss-cipher-suite-ignored.patch
View File

@ -1,27 +0,0 @@
MozNSS: cipher suite selection by name may be ignored
Author: Tim Strobell <tim.strobell.ctr@nrl.navy.mil>
Upstream ITS: #7289
Upstream commit: 4b6bd2c600a79960409499f43a818aa0ca9fe463
Resolves: #825875 (CVE-2012-2668)
---
libraries/libldap/tls_m.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 4c18360..d71fec7 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -624,7 +624,7 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
} else {
for (i=0; i<ciphernum; i++) {
if (!strcmp(ciphers_def[i].ossl_name, cipher) &&
- cipher_list[1] != -1)
+ cipher_list[i] != -1)
cipher_list[i] = action;
}
}
--
1.7.10.4

56
openldap-nss-allow-ca-dbdir-pemfile.patch
View File

@ -1,56 +0,0 @@
MozNSS: allow CA certdb together with PEM CA bundle file
Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
database and TLS_CACERT was set to a PEM bundle file with CA
certificates, the PEM file content was not loaded.
With this patch and the same settings, OpenLDAP can verify certificates
which are signed by CAs stored both in certdb and PEM bundle file.
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #819536
Upstream ITS: #7276
---
libraries/libldap/tls_m.c | 16 +++++++++++++---
1 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 50c03dd..23d843c 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
ctx->tc_initctx = initctx;
#endif
+ }
+
+ if ( errcode || lt->lt_cacertfile ) {
/* initialize the PEM module */
LDAP_MUTEX_LOCK( &tlsm_init_mutex );
if ( tlsm_init_pem_module() ) {
LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
- errcode = PORT_GetError();
+ int pem_errcode = PORT_GetError();
Debug( LDAP_DEBUG_ANY,
"TLS: could not initialize moznss PEM module - error %d:%s.\n",
- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
- return -1;
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+
+ if ( errcode ) /* PEM is required */
+ return -1;
+
+ } else if ( !errcode ) {
+ tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
}
LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+ }
+ if ( errcode ) {
if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
/* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
will be a value other than 1 - print an error message so that the
--
1.7.7.6

31
openldap-nss-clean-memory-for-token-pin.patch
View File

@ -1,31 +0,0 @@
MozNSS: read pin from file file can cause infinite loop
The buffer allocated for reading password file has to be initialized
with zeros, or we need to append zero at the end of the file. Otherwise
we might read unitialized memory and consider it to be a password.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7291
Upstream commit: 00d0e162720b8cf03b9e5428892158f0768db9a6
Resolves: #829317
---
libraries/libldap/tls_m.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index d71fec7..2e755eb 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -786,7 +786,7 @@ tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx)
}
/* create a buffer to hold the file contents */
- if ( !( contents = PR_MALLOC( file_info.size + 1 ) ) ) {
+ if ( !( contents = PR_CALLOC( file_info.size + 1 ) ) ) {
PRErrorCode errcode = PR_GetError();
Debug( LDAP_DEBUG_ANY,
"TLS: could not alloc a buffer for contents of pin file %s - error %d:%s.\n",
--
1.7.10.4

35
openldap-nss-dont-overwrite-verify-cert-error.patch
View File

@ -1,35 +0,0 @@
MozNSS: do not overwrite error in tlsm_verify_cert
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #810462
Upstream ITS: #7287
Upstream commit: dc3842fca318f00da20a8be1cfb5d690ccc7d482
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index b608551..4c18360 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1019,6 +1019,10 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
is self issued */
if ( ( node->error == SEC_ERROR_CA_CERT_INVALID ) &&
tlsm_cert_is_self_issued( node->cert ) ) {
+
+ PRErrorCode orig_error = PR_GetError();
+ PRInt32 orig_oserror = PR_GetOSError();
+
CERTBasicConstraints basicConstraint;
SECStatus rv = tlsm_get_basic_constraint_extension( node->cert, &basicConstraint );
if ( ( rv == SECSuccess ) && ( basicConstraint.isCA == PR_FALSE ) ) {
@@ -1032,6 +1036,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
"TLS: certificate [%s] is not valid - CA cert is not valid\n",
name, 0, 0 );
}
+
+ PR_SetError(orig_error, orig_oserror);
+
} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
Debug( debug_level,
"TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
--
1.7.10.4

99
openldap-nss-ignore-untrusted-issuer-server-cert.patch
View File

@ -1,99 +0,0 @@
MozNSS: ignore untrusted issuer error when veryfing server cert
(Untrusted issuer error can apper with self-signed PEM certificates.)
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #842022
Upstream ITS: #7331
---
libraries/libldap/tls_m.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 4b5727b..f37da06 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -992,14 +992,15 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
static SECStatus
tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
- PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
+ PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
+ PRBool ignore_issuer )
{
CERTVerifyLog verifylog;
SECStatus ret = SECSuccess;
const char *name;
int debug_level = LDAP_DEBUG_ANY;
- if ( errorToIgnore == -1 ) {
+ if ( warn_only ) {
debug_level = LDAP_DEBUG_TRACE;
}
@@ -1063,7 +1064,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
PR_SetError(orig_error, orig_oserror);
- } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
+ } else if ( warn_only || ( ignore_issuer && (
+ node->error == SEC_ERROR_UNKNOWN_ISSUER ||
+ node->error == SEC_ERROR_UNTRUSTED_ISSUER )
+ ) ) {
+ ret = SECSuccess;
Debug( debug_level,
"TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
@@ -1084,8 +1089,6 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
if ( ret == SECSuccess ) {
Debug( LDAP_DEBUG_TRACE,
"TLS: certificate [%s] is valid\n", name, 0, 0 );
- } else if ( errorToIgnore == -1 ) {
- ret = SECSuccess;
}
return ret;
@@ -1098,15 +1101,11 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
SECStatus ret = SECSuccess;
CERTCertificate *peercert = SSL_PeerCertificate( fd );
- int errorToIgnore = 0;
tlsm_ctx *ctx = (tlsm_ctx *)arg;
- if (ctx && ctx->tc_warn_only )
- errorToIgnore = -1;
-
ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
SSL_RevealPinArg( fd ),
- checksig, certUsage, errorToIgnore );
+ checksig, certUsage, ctx->tc_warn_only, PR_FALSE );
CERT_DestroyCertificate( peercert );
return ret;
@@ -1815,7 +1814,6 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
SECCertificateUsage certUsage;
PRBool checkSig;
SECStatus status;
- int errorToIgnore;
void *pin_arg;
if (tlsm_ctx_load_private_key(ctx))
@@ -1824,13 +1822,9 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
pin_arg = SSL_RevealPinArg(ctx->tc_model);
certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient;
checkSig = ctx->tc_verify_cert ? PR_TRUE : PR_FALSE;
- if ( ctx->tc_warn_only )
- errorToIgnore = -1;
- else
- errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */
status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg,
- checkSig, certUsage, errorToIgnore );
+ checkSig, certUsage, ctx->tc_warn_only, PR_TRUE );
return status == SECSuccess ? 0 : -1;
}
--
1.7.11.2

19
openldap-smbk5pwd-overlay.patch
View File

@ -3,7 +3,7 @@ Compile smbk5pwd together with other overlays.
Author: Jan Šafránek <jsafrane@redhat.com> Author: Jan Šafránek <jsafrane@redhat.com>
Resolves: #550895 Resolves: #550895
Update to link against OpenSSL, avoid to compile with unsupported backend. Update to link against OpenSSL
Author: Jan Vcelak <jvcelak@redhat.com> Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #841560 Resolves: #841560
@ -57,23 +57,6 @@ index 3af20e8..ef73663 100644
install-local: $(PROGRAMS) install-local: $(PROGRAMS)
@if test -n "$?" ; then \ @if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \ $(MKDIR) $(DESTDIR)$(moduledir); \
diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
index d4d7f6f..37f55da 100644
--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
+++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
@@ -68,9 +68,11 @@ static ObjectClass *oc_krb5KDCEntry;
#ifdef HAVE_GNUTLS
#include <gcrypt.h>
typedef unsigned char DES_cblock[8];
-#else
+#elif HAVE_OPENSSL
#include <openssl/des.h>
#include <openssl/md4.h>
+#else
+#error Unsupported crypto backend.
#endif
#include "ldap_utf8.h"
-- --
1.7.10.4 1.7.10.4

37
openldap-tls-unbind-shutdown-order.patch
View File

@ -1,37 +0,0 @@
unbind: free socket prior to destroying TLS context
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #808464
Upstream ITS: #7241
Upstream commit: 221531b31a02c162c60c7d4491169855454c1ee0
---
libraries/libldap/unbind.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libraries/libldap/unbind.c b/libraries/libldap/unbind.c
index 35a92a8..82bc12d 100644
--- a/libraries/libldap/unbind.c
+++ b/libraries/libldap/unbind.c
@@ -129,6 +129,9 @@ ldap_ld_free(
ld->ld_abandoned = NULL;
}
LDAP_MUTEX_UNLOCK( &ld->ld_res_mutex );
+
+ ber_sockbuf_free( ld->ld_sb );
+
LDAP_MUTEX_LOCK( &ld->ld_ldopts_mutex );
/* final close callbacks */
@@ -217,8 +220,6 @@ ldap_ld_free(
}
LDAP_MUTEX_UNLOCK( &ld->ld_ldopts_mutex );
- ber_sockbuf_free( ld->ld_sb );
-
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_destroy( &ld->ld_msgid_mutex );
ldap_pvt_thread_mutex_destroy( &ld->ld_conn_mutex );
--
1.7.10.4

32
openldap.spec
View File

@ -7,8 +7,8 @@
%global systemctl_bin /usr/bin/systemctl %global systemctl_bin /usr/bin/systemctl
Name: openldap Name: openldap
Version: 2.4.31 Version: 2.4.32
Release: 7%{?dist} Release: 1%{?dist}
Summary: LDAP support libraries Summary: LDAP support libraries
Group: System Environment/Daemons Group: System Environment/Daemons
License: OpenLDAP License: OpenLDAP
@ -39,15 +39,7 @@ Patch7: openldap-dns-priority.patch
Patch8: openldap-syncrepl-unset-tls-options.patch Patch8: openldap-syncrepl-unset-tls-options.patch
Patch9: openldap-constraint-count.patch Patch9: openldap-constraint-count.patch
Patch10: openldap-man-sasl-nocanon.patch Patch10: openldap-man-sasl-nocanon.patch
Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch Patch11: openldap-ai-addrconfig.patch
Patch12: openldap-tls-unbind-shutdown-order.patch
Patch13: openldap-nss-dont-overwrite-verify-cert-error.patch
Patch14: openldap-nss-clean-memory-for-token-pin.patch
Patch15: openldap-cve-nss-cipher-suite-ignored.patch
Patch16: openldap-nss-default-cipher-suite-always-selected.patch
Patch17: openldap-nss-multiple-tls-contexts.patch
Patch18: openldap-ai-addrconfig.patch
Patch19: openldap-nss-ignore-untrusted-issuer-server-cert.patch
# Fedora specific patches # Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch Patch100: openldap-autoconf-pkgconfig-nss.patch
@ -161,14 +153,6 @@ ln -s %{_includedir}/nspr4 include/nspr
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch101 -p1 %patch101 -p1
@ -626,6 +610,16 @@ exit 0
%{evolution_connector_prefix}/ %{evolution_connector_prefix}/
%changelog %changelog
* Wed Aug 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-1
- new upstream release
+ library: double free, SASL handling
+ tools: read SASL_NOCANON from config file
+ slapd: config index renumbering, duplicate error response
+ backends: various fixes in mdb, bdb/hdb, ldap
+ accesslog, syncprov: fix memory leaks in with replication
+ sha2: portability, thread safety, support SSHA256,384,512
+ documentation fixes
* Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7 * Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7
- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022) - fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)

2
sources
View File

@ -1 +1 @@
804c6cb5698db30b75ad0ff1c25baefd openldap-2.4.31.tgz 6a3e85cf61860ca5e8a1eba6753dd9d0 openldap-2.4.32.tgz