new upstream release (2.4.32)

2012-08-01 13:39:25 +02:00 · 2012-08-01 13:39:25 +02:00 · 6304a48a54
commit 6304a48a54
parent c736adad77
10 changed files with 16 additions and 323 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /openldap-2.4.29.tgz
 /openldap-2.4.30.tgz
 /openldap-2.4.31.tgz
+/openldap-2.4.32.tgz
--- a/openldap-cve-nss-cipher-suite-ignored.patch
+++ b/openldap-cve-nss-cipher-suite-ignored.patch
@ -1,27 +0,0 @@
-MozNSS: cipher suite selection by name may be ignored
-
-Author: Tim Strobell <tim.strobell.ctr@nrl.navy.mil>
-Upstream ITS: #7289
-Upstream commit: 4b6bd2c600a79960409499f43a818aa0ca9fe463
-Resolves: #825875 (CVE-2012-2668)
-
---
- libraries/libldap/tls_m.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index 4c18360..d71fec7 100644
--- a/libraries/libldap/tls_m.c
-+++ b/libraries/libldap/tls_m.c
-@@ -624,7 +624,7 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
- 			} else {
- 				for (i=0; i<ciphernum; i++) {
- 					if (!strcmp(ciphers_def[i].ossl_name, cipher) &&
-						cipher_list[1] != -1)
-+						cipher_list[i] != -1)
- 						cipher_list[i] = action;
- 				}
- 			}
-- 
-1.7.10.4
-
--- a/openldap-nss-allow-ca-dbdir-pemfile.patch
+++ b/openldap-nss-allow-ca-dbdir-pemfile.patch
@ -1,56 +0,0 @@
-MozNSS: allow CA certdb together with PEM CA bundle file
-
-Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
-database and TLS_CACERT was set to a PEM bundle file with CA
-certificates, the PEM file content was not loaded.
-
-With this patch and the same settings, OpenLDAP can verify certificates
-which are signed by CAs stored both in certdb and PEM bundle file.
-
-Author: Jan Vcelak <jvcelak@redhat.com>
-Resolves: #819536
-Upstream ITS: #7276
-
---
- libraries/libldap/tls_m.c |   16 +++++++++++++---
- 1 files changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index 50c03dd..23d843c 100644
--- a/libraries/libldap/tls_m.c
-+++ b/libraries/libldap/tls_m.c
-@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
- 			ctx->tc_initctx = initctx;
- #endif
- 
-+		}
-+
-+		if ( errcode || lt->lt_cacertfile ) {
- 			/* initialize the PEM module */
- 			LDAP_MUTEX_LOCK( &tlsm_init_mutex );
- 			if ( tlsm_init_pem_module() ) {
- 				LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
-				errcode = PORT_GetError();
-+				int pem_errcode = PORT_GetError();
- 				Debug( LDAP_DEBUG_ANY,
- 					   "TLS: could not initialize moznss PEM module - error %d:%s.\n",
-					   errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
-				return -1;
-+					   pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
-+
-+				if ( errcode ) /* PEM is required */
-+					return -1;
-+
-+			} else if ( !errcode ) {
-+				tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
- 			}
- 			LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
-+		}
- 
-+		if ( errcode ) {
- 			if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
- 				/* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode 
- 				   will be a value other than 1 - print an error message so that the
-- 
-1.7.7.6
-
--- a/openldap-nss-clean-memory-for-token-pin.patch
+++ b/openldap-nss-clean-memory-for-token-pin.patch
@ -1,31 +0,0 @@
-MozNSS: read pin from file file can cause infinite loop
-
-The buffer allocated for reading password file has to be initialized
-with zeros, or we need to append zero at the end of the file. Otherwise
-we might read unitialized memory and consider it to be a password.
-
-Author: Jan Vcelak <jvcelak@redhat.com>
-Upstream ITS: #7291
-Upstream commit: 00d0e162720b8cf03b9e5428892158f0768db9a6
-Resolves: #829317
-
---
- libraries/libldap/tls_m.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index d71fec7..2e755eb 100644
--- a/libraries/libldap/tls_m.c
-+++ b/libraries/libldap/tls_m.c
-@@ -786,7 +786,7 @@ tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx)
- 	}
- 
- 	/* create a buffer to hold the file contents */
-	if ( !( contents = PR_MALLOC( file_info.size + 1 ) ) ) {
-+	if ( !( contents = PR_CALLOC( file_info.size + 1 ) ) ) {
- 		PRErrorCode errcode = PR_GetError();
- 		Debug( LDAP_DEBUG_ANY,
- 		       "TLS: could not alloc a buffer for contents of pin file %s - error %d:%s.\n",
-- 
-1.7.10.4
-
--- a/openldap-nss-dont-overwrite-verify-cert-error.patch
+++ b/openldap-nss-dont-overwrite-verify-cert-error.patch
@ -1,35 +0,0 @@
-MozNSS: do not overwrite error in tlsm_verify_cert
-
-Author: Jan Vcelak <jvcelak@redhat.com>
-Resolves: #810462
-Upstream ITS: #7287
-Upstream commit: dc3842fca318f00da20a8be1cfb5d690ccc7d482
-
-diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index b608551..4c18360 100644
--- a/libraries/libldap/tls_m.c
-+++ b/libraries/libldap/tls_m.c
-@@ -1019,6 +1019,10 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
- 				   is self issued */
- 				if ( ( node->error == SEC_ERROR_CA_CERT_INVALID ) &&
- 					 tlsm_cert_is_self_issued( node->cert ) ) {
-+
-+					PRErrorCode orig_error = PR_GetError();
-+					PRInt32 orig_oserror = PR_GetOSError();
-+
- 					CERTBasicConstraints basicConstraint;
- 					SECStatus rv = tlsm_get_basic_constraint_extension( node->cert, &basicConstraint );
- 					if ( ( rv == SECSuccess ) && ( basicConstraint.isCA == PR_FALSE ) ) {
-@@ -1032,6 +1036,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
- 							   "TLS: certificate [%s] is not valid - CA cert is not valid\n",
- 							   name, 0, 0 );
- 					}
-+
-+					PR_SetError(orig_error, orig_oserror);
-+
- 				} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
- 					Debug( debug_level,
- 						   "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
-- 
-1.7.10.4
-
--- a/openldap-nss-ignore-untrusted-issuer-server-cert.patch
+++ b/openldap-nss-ignore-untrusted-issuer-server-cert.patch
@ -1,99 +0,0 @@
-MozNSS: ignore untrusted issuer error when veryfing server cert
-
-(Untrusted issuer error can apper with self-signed PEM certificates.)
-
-Author: Jan Vcelak <jvcelak@redhat.com>
-Resolves: #842022
-Upstream ITS: #7331
-
---
- libraries/libldap/tls_m.c | 26 ++++++++++----------------
- 1 file changed, 10 insertions(+), 16 deletions(-)
-
-diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
-index 4b5727b..f37da06 100644
--- a/libraries/libldap/tls_m.c
-+++ b/libraries/libldap/tls_m.c
-@@ -992,14 +992,15 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
- 
- static SECStatus
- tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
-				 PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
-+				 PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
-+				 PRBool ignore_issuer )
- {
- 	CERTVerifyLog verifylog;
- 	SECStatus ret = SECSuccess;
- 	const char *name;
- 	int debug_level = LDAP_DEBUG_ANY;
- 
-	if ( errorToIgnore == -1 ) {
-+	if ( warn_only ) {
- 		debug_level = LDAP_DEBUG_TRACE;
- 	}
- 
-@@ -1063,7 +1064,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
- 
- 					PR_SetError(orig_error, orig_oserror);
- 
-				} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
-+				} else if ( warn_only || ( ignore_issuer && (
-+					node->error == SEC_ERROR_UNKNOWN_ISSUER ||
-+					node->error == SEC_ERROR_UNTRUSTED_ISSUER )
-+				) ) {
-+					ret = SECSuccess;
- 					Debug( debug_level,
- 						   "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
- 						   name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
-@@ -1084,8 +1089,6 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
- 	if ( ret == SECSuccess ) {
- 		Debug( LDAP_DEBUG_TRACE,
- 			   "TLS: certificate [%s] is valid\n", name, 0, 0 );
-	} else if ( errorToIgnore == -1 ) {
-		ret = SECSuccess;
- 	}
- 
- 	return ret;
-@@ -1098,15 +1101,11 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
- 	SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
- 	SECStatus ret = SECSuccess;
- 	CERTCertificate *peercert = SSL_PeerCertificate( fd );
-	int errorToIgnore = 0;
- 	tlsm_ctx *ctx = (tlsm_ctx *)arg;
- 
-	if (ctx && ctx->tc_warn_only )
-		errorToIgnore = -1;
-
- 	ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
- 							SSL_RevealPinArg( fd ),
-							checksig, certUsage, errorToIgnore );
-+							checksig, certUsage, ctx->tc_warn_only, PR_FALSE );
- 	CERT_DestroyCertificate( peercert );
- 
- 	return ret;
-@@ -1815,7 +1814,6 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
- 	SECCertificateUsage certUsage;
- 	PRBool checkSig;
- 	SECStatus status;
-	int errorToIgnore;
- 	void *pin_arg;
- 
- 	if (tlsm_ctx_load_private_key(ctx))
-@@ -1824,13 +1822,9 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
- 	pin_arg = SSL_RevealPinArg(ctx->tc_model);
- 	certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient;
- 	checkSig = ctx->tc_verify_cert ? PR_TRUE : PR_FALSE;
-	if ( ctx->tc_warn_only )
-		errorToIgnore = -1;
-	else
-		errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */
- 
- 	status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg,
-							   checkSig, certUsage, errorToIgnore );
-+							   checkSig, certUsage, ctx->tc_warn_only, PR_TRUE );
- 
- 	return status == SECSuccess ? 0 : -1;
- }
-- 
-1.7.11.2
-
--- a/openldap-smbk5pwd-overlay.patch
+++ b/openldap-smbk5pwd-overlay.patch
@ -3,7 +3,7 @@ Compile smbk5pwd together with other overlays.
 Author: Jan Šafránek <jsafrane@redhat.com>
 Resolves: #550895

-Update to link against OpenSSL, avoid to compile with unsupported backend.
+Update to link against OpenSSL

 Author: Jan Vcelak <jvcelak@redhat.com>
 Resolves: #841560
@ -57,23 +57,6 @@ index 3af20e8..ef73663 100644
 install-local:	$(PROGRAMS)
 	@if test -n "$?" ; then \
 		$(MKDIR) $(DESTDIR)$(moduledir); \
-diff --git a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
-index d4d7f6f..37f55da 100644
--- a/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
-+++ b/contrib/slapd-modules/smbk5pwd/smbk5pwd.c
-@@ -68,9 +68,11 @@ static ObjectClass *oc_krb5KDCEntry;
- #ifdef HAVE_GNUTLS
- #include <gcrypt.h>
- typedef unsigned char DES_cblock[8];
-#else
-+#elif HAVE_OPENSSL
- #include <openssl/des.h>
- #include <openssl/md4.h>
-+#else
-+#error Unsupported crypto backend.
- #endif
- #include "ldap_utf8.h"
- 
 -- 
 1.7.10.4

--- a/openldap-tls-unbind-shutdown-order.patch
+++ b/openldap-tls-unbind-shutdown-order.patch
@ -1,37 +0,0 @@
-unbind: free socket prior to destroying TLS context
-
-Author: Jan Vcelak <jvcelak@redhat.com>
-Resolves: #808464
-Upstream ITS: #7241
-Upstream commit: 221531b31a02c162c60c7d4491169855454c1ee0
-
---
- libraries/libldap/unbind.c |    5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/libraries/libldap/unbind.c b/libraries/libldap/unbind.c
-index 35a92a8..82bc12d 100644
--- a/libraries/libldap/unbind.c
-+++ b/libraries/libldap/unbind.c
-@@ -129,6 +129,9 @@ ldap_ld_free(
- 		ld->ld_abandoned = NULL;
- 	}
- 	LDAP_MUTEX_UNLOCK( &ld->ld_res_mutex );
-+
-+	ber_sockbuf_free( ld->ld_sb );
-+
- 	LDAP_MUTEX_LOCK( &ld->ld_ldopts_mutex );
- 
- 	/* final close callbacks */
-@@ -217,8 +220,6 @@ ldap_ld_free(
- 	}
- 	LDAP_MUTEX_UNLOCK( &ld->ld_ldopts_mutex );
- 
-	ber_sockbuf_free( ld->ld_sb );   
-   
- #ifdef LDAP_R_COMPILE
- 	ldap_pvt_thread_mutex_destroy( &ld->ld_msgid_mutex );
- 	ldap_pvt_thread_mutex_destroy( &ld->ld_conn_mutex );
-- 
-1.7.10.4
-
--- a/openldap.spec
+++ b/openldap.spec
@ -7,8 +7,8 @@
 %global systemctl_bin /usr/bin/systemctl

 Name: openldap
-Version: 2.4.31
-Release: 7%{?dist}
+Version: 2.4.32
+Release: 1%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@ -39,15 +39,7 @@ Patch7: openldap-dns-priority.patch
 Patch8: openldap-syncrepl-unset-tls-options.patch
 Patch9: openldap-constraint-count.patch
 Patch10: openldap-man-sasl-nocanon.patch
-Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
-Patch12: openldap-tls-unbind-shutdown-order.patch
-Patch13: openldap-nss-dont-overwrite-verify-cert-error.patch
-Patch14: openldap-nss-clean-memory-for-token-pin.patch
-Patch15: openldap-cve-nss-cipher-suite-ignored.patch
-Patch16: openldap-nss-default-cipher-suite-always-selected.patch
-Patch17: openldap-nss-multiple-tls-contexts.patch
-Patch18: openldap-ai-addrconfig.patch
-Patch19: openldap-nss-ignore-untrusted-issuer-server-cert.patch
+Patch11: openldap-ai-addrconfig.patch

 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@ -161,14 +153,6 @@ ln -s %{_includedir}/nspr4 include/nspr
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1

 %patch101 -p1

@ -626,6 +610,16 @@ exit 0
 %{evolution_connector_prefix}/

 %changelog
+* Wed Aug 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-1
+- new upstream release
+  + library: double free, SASL handling
+  + tools: read SASL_NOCANON from config file
+  + slapd: config index renumbering, duplicate error response
+  + backends: various fixes in mdb, bdb/hdb, ldap
+  + accesslog, syncprov: fix memory leaks in with replication
+  + sha2: portability, thread safety, support SSHA256,384,512
+  + documentation fixes
+
 * Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7
 - fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)

--- a/2
+++ b/2
@ -1 +1 @@
-804c6cb5698db30b75ad0ff1c25baefd  openldap-2.4.31.tgz
+6a3e85cf61860ca5e8a1eba6753dd9d0  openldap-2.4.32.tgz