import openldap-2.4.57-8.el9

This commit is contained in:
CentOS Sources 2021-11-03 20:16:55 -04:00 committed by Stepan Oksanichenko
commit 848c149d61
34 changed files with 8930 additions and 0 deletions

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
SOURCES/openldap-2.4.57.tgz

2
.openldap.metadata Normal file
View File

@ -0,0 +1,2 @@
444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
1cffa70a3ea8545948041fd113f8f53bc24d6d87 SOURCES/openldap-2.4.57.tgz

View File

@ -0,0 +1,41 @@
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
@@ -13,22 +13,11 @@
#
CONFIG=/etc/openldap/check_password.conf
-OPT=-g -O2 -Wall -fpic \
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
- -DCONFIG_FILE="\"$(CONFIG)\"" \
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
-DDEBUG
-# Where to find the OpenLDAP headers.
-#
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
-
-# Where to find the CrackLib headers.
-#
-CRACK_INC=
-
-INCS=$(LDAP_INC) $(CRACK_INC)
-
LDAP_LIB=-lldap_r -llber
# Comment out this line if you do NOT want to use the cracklib.
@@ -45,10 +34,10 @@
all: check_password
check_password.o:
- $(CC) $(OPT) -c $(INCS) check_password.c
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
check_password: clean check_password.o
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
install: check_password
cp -f check_password.so ../../../usr/lib/openldap/modules/

View File

@ -0,0 +1,321 @@
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
@@ -10,7 +10,7 @@
#include <slap.h>
#ifdef HAVE_CRACKLIB
-#include "crack.h"
+#include <crack.h>
#endif
#if defined(DEBUG)
@@ -34,18 +34,77 @@
#define PASSWORD_TOO_SHORT_SZ \
"Password for dn=\"%s\" is too short (%d/6)"
#define PASSWORD_QUALITY_SZ \
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
#define BAD_PASSWORD_SZ \
"Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator"
typedef int (*validator) (char*);
-static int read_config_file (char *);
+static int read_config_file ();
static validator valid_word (char *);
static int set_quality (char *);
static int set_cracklib (char *);
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+struct config_entry {
+ char* key;
+ char* value;
+ char* def_value;
+} config_entries[] = { { "minPoints", NULL, "3"},
+ { "useCracklib", NULL, "1"},
+ { "minUpper", NULL, "0"},
+ { "minLower", NULL, "0"},
+ { "minDigit", NULL, "0"},
+ { "minPunct", NULL, "0"},
+ { NULL, NULL, NULL }};
+
+int get_config_entry_int(char* entry) {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ char* key = centry[i].key;
+ while (key != NULL) {
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
+ if ( centry[i].value == NULL ) {
+ return atoi(centry[i].def_value);
+ }
+ else {
+ return atoi(centry[i].value);
+ }
+ }
+ i++;
+ key = centry[i].key;
+ }
+
+ return -1;
+}
+
+void dealloc_config_entries() {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ while (centry[i].key != NULL) {
+ if ( centry[i].value != NULL ) {
+ ber_memfree(centry[i].value);
+ }
+ i++;
+ }
+}
+
+char* chomp(char *s)
+{
+ char* t = ber_memalloc(strlen(s)+1);
+ strncpy (t,s,strlen(s)+1);
+
+ if ( t[strlen(t)-1] == '\n' ) {
+ t[strlen(t)-1] = '\0';
+ }
+
+ return t;
+}
+
static int set_quality (char *value)
{
#if defined(DEBUG)
@@ -84,12 +143,12 @@
char * parameter;
validator dealer;
} list[] = { { "minPoints", set_quality },
- { "useCracklib", set_cracklib },
- { "minUpper", set_digit },
- { "minLower", set_digit },
- { "minDigit", set_digit },
- { "minPunct", set_digit },
- { NULL, NULL } };
+ { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
int index = 0;
#if defined(DEBUG)
@@ -98,7 +157,7 @@
while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
- strcmp(list[index].parameter, word) == 0) {
+ strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG)
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
#endif
@@ -114,13 +173,15 @@
return NULL;
}
-static int read_config_file (char *keyWord)
+static int read_config_file ()
{
FILE * config;
char * line;
int returnValue = -1;
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
+ line = ber_memcalloc(260, sizeof(char));
+
+ if ( line == NULL ) {
return returnValue;
}
@@ -133,6 +194,8 @@
return returnValue;
}
+ returnValue = 0;
+
while (fgets(line, 256, config) != NULL) {
char *start = line;
char *word, *value;
@@ -145,23 +208,40 @@
while (isspace(*start) && isascii(*start)) start++;
- if (! isascii(*start))
+ /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) {
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+#endif
continue;
+ }
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
- if ((value = strtok(NULL, " \t")) == NULL)
- continue;
+ if( isascii(*start)) {
+
+ struct config_entry* centry = config_entries;
+ int i = 0;
+ char* keyWord = centry[i].key;
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
#endif
- returnValue = (*dealer)(value);
+ centry[i].value = chomp(value);
+ break;
+ }
+ i++;
+ keyWord = centry[i].key;
+ }
+ }
}
}
-
fclose(config);
ber_memfree(line);
+
return returnValue;
}
@@ -170,7 +250,7 @@
if (curlen < nextlen + MEMORY_MARGIN) {
#if defined(DEBUG)
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
- curlen, nextlen + MEMORY_MARGIN);
+ curlen, nextlen + MEMORY_MARGIN);
#endif
ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN;
@@ -180,7 +260,7 @@
return curlen;
}
- int
+int
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
{
@@ -210,20 +290,22 @@
nLen = strlen (pPasswd);
if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail;
}
- /* Read config file */
- minQuality = read_config_file("minPoints");
+ if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ }
- useCracklib = read_config_file("useCracklib");
- minUpper = read_config_file("minUpper");
- minLower = read_config_file("minLower");
- minDigit = read_config_file("minDigit");
- minPunct = read_config_file("minPunct");
+ minQuality = get_config_entry_int("minPoints");
+ useCracklib = get_config_entry_int("useCracklib");
+ minUpper = get_config_entry_int("minUpper");
+ minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct");
/** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and
@@ -232,8 +314,6 @@
for ( i = 0; i < nLen; i++ ) {
- if ( nQuality >= minQuality ) break;
-
if ( islower (pPasswd[i]) ) {
minLower--;
if ( !nLower && (minLower < 1)) {
@@ -279,12 +359,23 @@
}
}
- if ( nQuality < minQuality ) {
+ /*
+ * If you have a required field, then it should be required in the strength
+ * checks.
+ */
+
+ if (
+ (minLower > 0 ) ||
+ (minUpper > 0 ) ||
+ (minDigit > 0 ) ||
+ (minPunct > 0 ) ||
+ (nQuality < minQuality)
+ ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_QUALITY_SZ) +
- strlen(pEntry->e_name.bv_val) + 2);
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
- nQuality, minQuality);
+ nQuality, minQuality);
goto fail;
}
@@ -306,7 +397,7 @@
for ( j = 0; j < 3; j++ ) {
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
- CRACKLIB_DICTPATH, ext[j]);
+ CRACKLIB_DICTPATH, ext[j]);
if (( fp = fopen ( filename, "r")) == NULL ) {
@@ -326,9 +417,9 @@
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(BAD_PASSWORD_SZ) +
- strlen(pEntry->e_name.bv_val) +
- strlen(r));
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail;
}
@@ -342,15 +433,15 @@
}
#endif
-
+ dealloc_config_entries();
*ppErrStr = strdup ("");
ber_memfree(szErrStr);
return (LDAP_SUCCESS);
fail:
+ dealloc_config_entries();
*ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr);
return (EXIT_FAILURE);
}
-

28
SOURCES/ldap.conf Normal file
View File

@ -0,0 +1,28 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

91
SOURCES/libexec-check-config.sh Executable file
View File

@ -0,0 +1,91 @@
#!/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
function check_config_syntax()
{
retcode=0
tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
if [ $? -ne 0 ]; then
error "Checking configuration file failed:"
cat $tmp_slaptest >&2
retcode=1
fi
rm $tmp_slaptest
return $retcode
}
function check_certs_perms()
{
retcode=0
for cert in `certificates`; do
run_as_ldap "/usr/bin/test -e \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' was not found." "$cert"
retcoder=1
continue
fi
run_as_ldap "/usr/bin/test -r \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' is not readable." "$cert"
retcode=1
fi
done
return $retcode
}
function check_db_perms()
{
retcode=0
for dbdir in `databases`; do
[ -d "$dbdir" ] || continue
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
if [ $? -ne 0 ]; then
error "Read/write permissions for DB file '%s' are required." "$dbfile"
retcode=1
fi
done
done
return $retcode
}
function check_everything()
{
retcode=0
check_config_syntax || retcode=1
# TODO: need support for Mozilla NSS, disabling temporarily
#check_certs_perms || retcode=1
check_db_perms || retcode=1
return $retcode
}
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this script."
exit 4
fi
load_sysconfig
if [ -n "$SLAPD_CONFIG_DIR" ]; then
if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
else
check_everything
exit $?
fi
fi
if [ -n "$SLAPD_CONFIG_FILE" ]; then
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
else
error "Warning: Usage of a configuration file is obsolete!"
check_everything
exit $?
fi
fi
exit 1

134
SOURCES/libexec-functions Normal file
View File

@ -0,0 +1,134 @@
# Author: Jan Vcelak <jvcelak@redhat.com>
SLAPD_USER=
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=
function default_config()
{
SLAPD_USER=ldap
SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
}
function parse_config_options()
{
user=
config_file=
config_dir=
while getopts :u:f:F: opt; do
case "$opt" in
u)
user="$OPTARG"
;;
f)
config_file="$OPTARG"
;;
F)
config_dir="$OPTARG"
;;
esac
done
if [ -n "$user" ]; then
SLAPD_USER="$user"
fi
if [ -n "$config_dir" ]; then
SLAPD_CONFIG_DIR="$config_dir"
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
elif [ -n "$config_file" ]; then
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_FILE="$config_file"
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
fi
}
function uses_new_config()
{
[ -n "$SLAPD_CONFIG_DIR" ]
return $?
}
function run_as_ldap()
{
/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
return $?
}
function ldif_unbreak()
{
sed ':a;N;s/\n //;ta;P;D'
}
function ldif_value()
{
sed 's/^[^:]*: //'
}
function databases_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c \
-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
ldif_unbreak | \
grep '^olcDbDirectory: ' | \
ldif_value
}
function databases_old()
{
awk 'begin { database="" }
$1 == "database" { database=$2 }
$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
"$SLAPD_CONFIG_FILE"
}
function certificates_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
ldif_unbreak | \
grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
ldif_value
}
function certificates_old()
{
awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
"$SLAPD_CONFIG_FILE"
}
function certificates()
{
uses_new_config && certificates_new || certificates_old
}
function databases()
{
uses_new_config && databases_new || databases_old
}
function error()
{
format="$1\n"; shift
printf "$format" $@ >&2
}
function load_sysconfig()
{
[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
. "$SLAPD_SYSCONFIG_FILE"
[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
}
default_config

40
SOURCES/libexec-upgrade-db.sh Executable file
View File

@ -0,0 +1,40 @@
#!/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this command."
exit 4
fi
load_sysconfig
retcode=0
for dbdir in `databases`; do
upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
# skip uninitialized database
[ -z "$bdb_files"] || continue
printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
# perform the update
for command in \
"/usr/bin/db_recover -v -h \"$dbdir\"" \
"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
; do
printf "Executing: %s\n" "$command" &>>$upgrade_log
run_as_ldap "$command" &>>$upgrade_log
result=$?
printf "Exit code: %d\n" $result >>"$upgrade_log"
if [ $result -ne 0 ]; then
printf "Upgrade failed: %d\n" $result
retcode=1
fi
done
done
exit $retcode

View File

@ -0,0 +1,20 @@
use AI_ADDRCONFIG if defined in the environment
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7326
Resolves: #835013
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index b31e05d..fa361ab 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
memset( &hints, '\0', sizeof(hints) );
-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
+#ifdef AI_ADDRCONFIG
hints.ai_flags = AI_ADDRCONFIG;
#endif
hints.ai_family = ldap_int_inet4or6;

View File

@ -0,0 +1,40 @@
Compile AllOp together with other overlays.
Author: Matus Honek <mhonek@redhat.com>
Resolves: #1319782
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
translucent.c \
unique.c \
valsort.c \
- smbk5pwd.c
+ smbk5pwd.c \
+ allop.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
smbk5pwd.la : smbk5pwd.lo
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+allop.lo : allop.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+allop.la : allop.lo
+ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \

View File

@ -0,0 +1,291 @@
From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 26 Aug 2013 23:31:48 -0700
Subject: [PATCH] Add channel binding support
Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.
---
include/ldap_pvt.h | 1 +
libraries/libldap/cyrus.c | 22 ++++++++++++++++++++++
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/ldap-tls.h | 2 ++
libraries/libldap/tls2.c | 7 +++++++
libraries/libldap/tls_g.c | 7 +++++++
libraries/libldap/tls_m.c | 7 +++++++
libraries/libldap/tls_o.c | 16 ++++++++++++++++
servers/slapd/connection.c | 8 ++++++++
servers/slapd/sasl.c | 18 ++++++++++++++++++
servers/slapd/slap.h | 1 +
11 files changed, 90 insertions(+)
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 716c1a90f..61c620785 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -420,6 +420,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
LDAPDN_rewrite_dummy *func, unsigned flags ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
+LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
LDAP_END_DECL
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 4c0089d5d..3171d56a3 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -360,6 +360,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
lc->lconn_sasl_sockctx = NULL;
lc->lconn_sasl_authctx = NULL;
}
+ if( lc->lconn_sasl_cbind ) {
+ ldap_memfree( lc->lconn_sasl_cbind );
+ lc->lconn_sasl_cbind = NULL;
+ }
return LDAP_SUCCESS;
}
@@ -492,6 +496,24 @@ ldap_int_sasl_bind(
(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
LDAP_FREE( authid.bv_val );
+#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
+ {
+ char cbinding[64];
+ struct berval cbv = { sizeof(cbinding), cbinding };
+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
+ sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
+ cbv.bv_len);
+ cb->name = "ldap";
+ cb->critical = 0;
+ cb->data = (char *)(cb+1);
+ cb->len = cbv.bv_len;
+ memcpy( cb->data, cbv.bv_val, cbv.bv_len );
+ sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
+ SASL_CHANNEL_BINDING, cb );
+ ld->ld_defconn->lconn_sasl_cbind = cb;
+ }
+ }
+#endif
}
#endif
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 98ad4dc05..397894271 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -308,6 +308,7 @@ typedef struct ldap_conn {
#ifdef HAVE_CYRUS_SASL
void *lconn_sasl_authctx; /* context for bind */
void *lconn_sasl_sockctx; /* for security layer */
+ void *lconn_sasl_cbind; /* for channel binding */
#endif
#ifdef HAVE_GSSAPI
void *lconn_gss_ctx; /* gss_ctx_id_t */
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index c8a27112f..0ecf81ab9 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
+typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
typedef void (TI_thr_init)(void);
@@ -64,6 +65,7 @@ typedef struct tls_impl {
TI_session_dn *ti_session_peer_dn;
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
+ TI_session_unique *ti_session_unique;
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 82ca5272c..13d734362 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1013,6 +1013,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
return rc;
}
+
+int
+ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_unique( session, buf, is_server );
+}
#endif /* HAVE_TLS */
int
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 3b72cd2a1..b78c12086 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -669,6 +669,12 @@ tlsg_session_strength( tls_session *session )
return gnutls_cipher_get_key_size( c ) * 8;
}
+static int
+tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
+{
+ return 0;
+}
+
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -925,6 +931,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_peer_dn,
tlsg_session_chkhost,
tlsg_session_strength,
+ tlsg_session_unique,
&tlsg_sbio,
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 43fbae4bc..c64f4c176 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2874,6 +2874,12 @@ tlsm_session_strength( tls_session *session )
return rc ? 0 : keySize;
}
+static int
+tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
+{
+ return 0;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -3302,6 +3308,7 @@ tls_impl ldap_int_tls_impl = {
tlsm_session_peer_dn,
tlsm_session_chkhost,
tlsm_session_strength,
+ tlsm_session_unique,
&tlsm_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index a13f11fb5..f741a461f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -846,6 +846,21 @@ tlso_session_strength( tls_session *sess )
return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
}
+static int
+tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
+{
+ tlso_session *s = (tlso_session *)sess;
+
+ /* Usually the client sends the finished msg. But if the
+ * session was resumed, the server sent the msg.
+ */
+ if (SSL_session_reused(s) ^ !is_server)
+ buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);
+ else
+ buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);
+ return buf->bv_len;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -1363,6 +1378,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_peer_dn,
tlso_session_chkhost,
tlso_session_strength,
+ tlso_session_unique,
&tlso_sbio,
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 44c3fc63d..0602fdceb 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -406,6 +406,7 @@ Connection * connection_init(
c->c_sasl_sockctx = NULL;
c->c_sasl_extra = NULL;
c->c_sasl_bindop = NULL;
+ c->c_sasl_cbind = NULL;
c->c_sb = ber_sockbuf_alloc( );
@@ -451,6 +452,7 @@ Connection * connection_init(
assert( c->c_sasl_sockctx == NULL );
assert( c->c_sasl_extra == NULL );
assert( c->c_sasl_bindop == NULL );
+ assert( c->c_sasl_cbind == NULL );
assert( c->c_currentber == NULL );
assert( c->c_writewaiter == 0);
assert( c->c_writers == 0);
@@ -1428,6 +1430,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
+ {
+ char cbinding[64];
+ struct berval cbv = { sizeof(cbinding), cbinding };
+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
+ slap_sasl_cbinding( c, &cbv );
+ }
} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
slapd_set_write( s, 1 );
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 5144170d1..258cd5407 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1389,6 +1389,21 @@ int slap_sasl_external(
return LDAP_SUCCESS;
}
+int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
+{
+#ifdef SASL_CHANNEL_BINDING
+ sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
+ cb->name = "ldap";
+ cb->critical = 0;
+ cb->data = (char *)(cb+1);
+ cb->len = cbv->bv_len;
+ memcpy( cb->data, cbv->bv_val, cbv->bv_len );
+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
+ conn->c_sasl_cbind = cb;
+#endif
+ return LDAP_SUCCESS;
+}
+
int slap_sasl_reset( Connection *conn )
{
return LDAP_SUCCESS;
@@ -1454,6 +1469,9 @@ int slap_sasl_close( Connection *conn )
free( conn->c_sasl_extra );
conn->c_sasl_extra = NULL;
+ free( conn->c_sasl_cbind );
+ conn->c_sasl_cbind = NULL;
+
#elif defined(SLAP_BUILTIN_SASL)
SASL_CTX *ctx = conn->c_sasl_authctx;
if( ctx ) {
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 7581967be..ad797d752 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -2910,6 +2910,7 @@ struct Connection {
void *c_sasl_authctx; /* SASL authentication context */
void *c_sasl_sockctx; /* SASL security layer context */
void *c_sasl_extra; /* SASL session extra stuff */
+ void *c_sasl_cbind; /* SASL channel binding */
Operation *c_sasl_bindop; /* set to current op if it's a bind */
#ifdef LDAP_X_TXN
--
2.29.2

View File

@ -0,0 +1,236 @@
From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Mon, 27 Apr 2020 23:24:16 -0700
Subject: [PATCH] Convert test077 to LDIF config
---
tests/data/slapd-sasl-gssapi.conf | 65 ------------------
tests/scripts/defines.sh | 1 -
tests/scripts/test077-sasl-gssapi | 108 ++++++++++++++++++++++++++++--
3 files changed, 103 insertions(+), 71 deletions(-)
delete mode 100644 tests/data/slapd-sasl-gssapi.conf
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
deleted file mode 100644
index 611fc7097..000000000
--- a/tests/data/slapd-sasl-gssapi.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-# stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-#
-include @SCHEMADIR@/core.schema
-include @SCHEMADIR@/cosine.schema
-#
-include @SCHEMADIR@/corba.schema
-include @SCHEMADIR@/java.schema
-include @SCHEMADIR@/inetorgperson.schema
-include @SCHEMADIR@/misc.schema
-include @SCHEMADIR@/nis.schema
-include @SCHEMADIR@/openldap.schema
-#
-include @SCHEMADIR@/duaconf.schema
-include @SCHEMADIR@/dyngroup.schema
-
-#
-pidfile @TESTDIR@/slapd.1.pid
-argsfile @TESTDIR@/slapd.1.args
-
-# SSL configuration
-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
-
-#
-rootdse @DATADIR@/rootdse.ldif
-
-#mod#modulepath ../servers/slapd/back-@BACKEND@/
-#mod#moduleload back_@BACKEND@.la
-#monitormod#modulepath ../servers/slapd/back-monitor/
-#monitormod#moduleload back_monitor.la
-
-
-#######################################################################
-# database definitions
-#######################################################################
-
-database @BACKEND@
-suffix "dc=example,dc=com"
-rootdn "cn=Manager,dc=example,dc=com"
-rootpw secret
-#~null~#directory @TESTDIR@/db.1.a
-#indexdb#index objectClass eq
-#indexdb#index mail eq
-#ndb#dbname db_1_a
-#ndb#include @DATADIR@/ndb.conf
-
-#monitor#database monitor
-
-sasl-realm @KRB5REALM@
-sasl-host localhost
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 78dc1f8ae..76c85b442 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -108,7 +108,6 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
TLSCONF=$DATADIR/slapd-tls.conf
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
GLUECONF=$DATADIR/slapd-glue.conf
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index bde9006ca..322df60a4 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
exit 0
fi
-mkdir -p $TESTDIR $DBDIR1
+CONFDIR=$TESTDIR/slapd.d
+CONFLDIF=$TESTDIR/slapd.ldif
+
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
+$SLAPPASSWD -g -n >$CONFIGPWF
echo "Starting KDC for SASL/GSSAPI tests..."
. $SRCDIR/scripts/setup_kdc.sh
-echo "Running slapadd to build slapd database..."
-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+echo "Configuring slapd..."
+cat > $CONFLDIF <<EOF
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcSaslHost: localhost
+olcSaslRealm: $KRB5REALM
+olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
+olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
+olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file://$ABS_SCHEMADIR/core.ldif
+
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcRootPW:< file://$TESTDIR/configpw
+
+EOF
+$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
@@ -38,7 +63,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
@@ -141,6 +166,79 @@ else
fi
fi
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, skipping channe-binding test"
+elif test $HAVE_SASL_GSS_CBIND = no ; then
+ echo "SASL has no channel-binding support in GSSAPI, test skipped"
+else
+ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
+
+ for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+olcSaslCBinding: ${acb}
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ for icb in "none" "tls-unique" "tls-endpoint" ; do
+
+ # The gnutls implemantation of "tls-unique" seems broken
+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
+ if test $WITH_TLS_TYPE == gnutls ; then
+ continue
+ fi
+ fi
+
+ fail="no"
+ if test $icb != $acb -a $acb != "none" ; then
+ # This currently fails in MIT, but it is planned to be
+ # fixed not to fail like in heimdal - avoid testing.
+ if test $icb = "none" ; then
+ continue
+ fi
+ # Otherwise unmatching bindings are expected to fail.
+ fail="yes"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
+ echo -ne "(client: ${icb},\tserver: ${acb}): "
+
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ if test $fail = "no" ; then
+ echo "test failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+ elif test $fail = "yes" ; then
+ echo "failed: command succeeded unexpectedly."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+
+ echo "success"
+ RC=0
+ done
+ done
+fi
+
+
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
--
2.29.2

View File

@ -0,0 +1,39 @@
From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Sun, 26 Apr 2020 11:40:23 -0700
Subject: [PATCH] Fix slaptest in test077
The libtool wrapper scripts lose argv[0] when exec'ing the real binary.
In the CI Docker container, where the build runs as root, this was
actually starting a real slapd on the default port.
Outside Docker, running as a non-root user, this slapd would just fail
to start, and wouldn't convert the config either.
Using "slapd -Tt" fixes the issue but also prints a warning from
slaptest since the database hasn't been initialized yet.
Dynamic config isn't actually used in this test script, so let's just
run slapd off the config file directly.
---
tests/scripts/test077-sasl-gssapi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index 64abe16fe..bde9006ca 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -24,9 +24,6 @@ fi
mkdir -p $TESTDIR $DBDIR1
cp -r $DATADIR/tls $TESTDIR
-cd $TESTWD
-
-
echo "Starting KDC for SASL/GSSAPI tests..."
. $SRCDIR/scripts/setup_kdc.sh
--
2.29.2

View File

@ -0,0 +1,220 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 10 Sep 2013 04:26:51 -0700
Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT
retrieve peer cert for an active TLS session
---
doc/man/man3/ldap_get_option.3 | 8 ++++++++
include/ldap.h | 1 +
libraries/libldap/ldap-tls.h | 2 ++
libraries/libldap/tls2.c | 24 ++++++++++++++++++++++++
libraries/libldap/tls_g.c | 19 +++++++++++++++++++
libraries/libldap/tls_m.c | 17 +++++++++++++++++
libraries/libldap/tls_o.c | 16 ++++++++++++++++
7 files changed, 87 insertions(+)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index eb3f25b33..7546875f5 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -744,6 +744,14 @@ A non-zero value pointed to by
.BR invalue
tells the library to create a context for a server.
.TP
+.B LDAP_OPT_X_TLS_PEERCERT
+Gets the peer's certificate in DER format from an established TLS session.
+.BR outvalue
+must be
+.BR "struct berval *" ,
+and the data it returns needs to be freed by the caller using
+.BR ldap_memfree (3).
+.TP
.B LDAP_OPT_X_TLS_PROTOCOL_MIN
Sets/gets the minimum protocol version.
.BR invalue
diff --git a/include/ldap.h b/include/ldap.h
index 389441031..88bfcabf8 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a
+#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index 0ecf81ab9..103004fa7 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
typedef void (TI_thr_init)(void);
@@ -66,6 +67,7 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
TI_session_unique *ti_session_unique;
+ TI_session_peercert *ti_session_peercert;
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 13d734362..ad09ba39b 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -705,6 +705,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_CONNECT_ARG:
*(void **)arg = lo->ldo_tls_connect_arg;
break;
+ case LDAP_OPT_X_TLS_PEERCERT: {
+ void *sess = NULL;
+ struct berval *bv = arg;
+ bv->bv_len = 0;
+ bv->bv_val = NULL;
+ if ( ld != NULL ) {
+ LDAPConn *conn = ld->ld_defconn;
+ if ( conn != NULL ) {
+ Sockbuf *sb = conn->lconn_sb;
+ sess = ldap_pvt_tls_sb_ctx( sb );
+ if ( sess != NULL )
+ return ldap_pvt_tls_get_peercert( sess, bv );
+ }
+ }
+ break;
+ }
+
default:
return -1;
}
@@ -1020,6 +1037,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
tls_session *session = s;
return tls_imp->ti_session_unique( session, buf, is_server );
}
+
+int
+ldap_pvt_tls_get_peercert( void *s, struct berval *der )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_peercert( session, der );
+}
#endif /* HAVE_TLS */
int
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index b78c12086..26d9f99ce 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -675,6 +675,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
+static int
+tlsg_session_peercert( tls_session *sess, struct berval *der )
+{
+ tlsg_session *s = (tlsg_session *)sess;
+ const gnutls_datum_t *peer_cert_list;
+ unsigned int list_size;
+
+ peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
+ if (!peer_cert_list)
+ return -1;
+ der->bv_len = peer_cert_list[0].size;
+ der->bv_val = LDAP_MALLOC( der->bv_len );
+ if (!der->bv_val)
+ return -1;
+ memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
+ return 0;
+}
+
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -932,6 +950,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_chkhost,
tlsg_session_strength,
tlsg_session_unique,
+ tlsg_session_peercert,
&tlsg_sbio,
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index c64f4c176..d35a803de 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2880,6 +2880,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
+static int
+tlsm_session_peercert( tls_session *sess, struct berval *der )
+{
+ tlsm_session *s = (tlsm_session *)sess;
+ CERTCertificate *cert;
+ cert = SSL_PeerCertificate( s );
+ if (!cert)
+ return -1;
+ der->bv_len = cert->derCert.len;
+ der->bv_val = LDAP_MALLOC( der->bv_len );
+ if (!der->bv_val)
+ return -1;
+ memcpy( der->bv_val, cert->derCert.data, der->bv_len );
+ return 0;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -3309,6 +3325,7 @@ tls_impl ldap_int_tls_impl = {
tlsm_session_chkhost,
tlsm_session_strength,
tlsm_session_unique,
+ tlsm_session_peercert,
&tlsm_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f741a461f..157923289 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -861,6 +861,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
return buf->bv_len;
}
+static int
+tlso_session_peercert( tls_session *sess, struct berval *der )
+{
+ tlso_session *s = (tlso_session *)sess;
+ unsigned char *ptr;
+ X509 *x = SSL_get_peer_certificate(s);
+ der->bv_len = i2d_X509(x, NULL);
+ der->bv_val = LDAP_MALLOC(der->bv_len);
+ if ( !der->bv_val )
+ return -1;
+ ptr = der->bv_val;
+ i2d_X509(x, &ptr);
+ return 0;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -1379,6 +1394,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_chkhost,
tlso_session_strength,
tlso_session_unique,
+ tlso_session_peercert,
&tlso_sbio,
--
2.29.2

View File

@ -0,0 +1,70 @@
From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>
Date: Fri, 15 Jun 2018 15:12:28 +0100
Subject: [PATCH] ITS#8573 Add missing URI variables for tests
---
tests/scripts/conf.sh | 18 ++++++++++++++++++
tests/scripts/defines.sh | 7 +++++++
2 files changed, 25 insertions(+)
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index 9a33d88e9..2a859d89d 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -74,6 +74,24 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s;@PORT4@;${PORT4};" \
-e "s;@PORT5@;${PORT5};" \
-e "s;@PORT6@;${PORT6};" \
+ -e "s;@SURI1@;${SURI1};" \
+ -e "s;@SURI2@;${SURI2};" \
+ -e "s;@SURI3@;${SURI3};" \
+ -e "s;@SURI4@;${SURI4};" \
+ -e "s;@SURI5@;${SURI5};" \
+ -e "s;@SURI6@;${SURI6};" \
+ -e "s;@URIP1@;${URIP1};" \
+ -e "s;@URIP2@;${URIP2};" \
+ -e "s;@URIP3@;${URIP3};" \
+ -e "s;@URIP4@;${URIP4};" \
+ -e "s;@URIP5@;${URIP5};" \
+ -e "s;@URIP6@;${URIP6};" \
+ -e "s;@SURIP1@;${SURIP1};" \
+ -e "s;@SURIP2@;${SURIP2};" \
+ -e "s;@SURIP3@;${SURIP3};" \
+ -e "s;@SURIP4@;${SURIP4};" \
+ -e "s;@SURIP5@;${SURIP5};" \
+ -e "s;@SURIP6@;${SURIP6};" \
-e "s/@SASL_MECH@/${SASL_MECH}/" \
-e "s;@TESTDIR@;${TESTDIR};" \
-e "s;@TESTWD@;${TESTWD};" \
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 8f7c7b853..26dab1bae 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -221,16 +221,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
URI3="ldap://${LOCALHOST}:$PORT3/"
URIP3="ldap://${LOCALIP}:$PORT3/"
URI4="ldap://${LOCALHOST}:$PORT4/"
+URIP4="ldap://${LOCALIP}:$PORT4/"
URI5="ldap://${LOCALHOST}:$PORT5/"
+URIP5="ldap://${LOCALIP}:$PORT5/"
URI6="ldap://${LOCALHOST}:$PORT6/"
+URIP6="ldap://${LOCALIP}:$PORT6/"
SURI1="ldaps://${LOCALHOST}:$PORT1/"
SURIP1="ldaps://${LOCALIP}:$PORT1/"
SURI2="ldaps://${LOCALHOST}:$PORT2/"
SURIP2="ldaps://${LOCALIP}:$PORT2/"
SURI3="ldaps://${LOCALHOST}:$PORT3/"
+SURIP3="ldaps://${LOCALIP}:$PORT3/"
SURI4="ldaps://${LOCALHOST}:$PORT4/"
+SURIP4="ldaps://${LOCALIP}:$PORT4/"
SURI5="ldaps://${LOCALHOST}:$PORT5/"
+SURIP5="ldaps://${LOCALIP}:$PORT5/"
SURI6="ldaps://${LOCALHOST}:$PORT6/"
+SURIP6="ldaps://${LOCALIP}:$PORT6/"
# LDIF
LDIF=$DATADIR/test.ldif
--
2.29.2

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,582 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 14 Jun 2018 16:14:15 +0100
Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option
---
clients/tools/common.c | 15 ++-
doc/devel/args | 2 +-
doc/man/man1/ldapcompare.1 | 9 +-
doc/man/man1/ldapdelete.1 | 9 +-
doc/man/man1/ldapexop.1 | 9 +-
doc/man/man1/ldapmodify.1 | 9 +-
doc/man/man1/ldapmodrdn.1 | 9 +-
doc/man/man1/ldappasswd.1 | 9 +-
doc/man/man1/ldapsearch.1 | 9 +-
doc/man/man1/ldapwhoami.1 | 13 ++-
doc/man/man8/slapcat.8 | 2 +-
include/ldap_pvt.h | 5 +
libraries/libldap/init.c | 231 ++++++++++++++++++++++---------------
servers/slapd/slapcommon.c | 5 +-
14 files changed, 200 insertions(+), 136 deletions(-)
diff --git a/clients/tools/common.c b/clients/tools/common.c
index 39db70b93..d5c3491fc 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -351,9 +351,9 @@ N_(" -I use SASL Interactive mode\n"),
N_(" -n show what would be done but don't actually do it\n"),
N_(" -N do not use reverse DNS to canonicalize SASL host name\n"),
N_(" -O props SASL security properties\n"),
-N_(" -o <opt>[=<optparam>] general options\n"),
+N_(" -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
+N_(" ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
-N_(" ldif-wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
N_(" -p port port on LDAP server\n"),
N_(" -Q use SASL Quiet mode\n"),
N_(" -R realm SASL realm\n"),
@@ -785,6 +785,11 @@ tool_args( int argc, char **argv )
if ( (cvalue = strchr( control, '=' )) != NULL ) {
*cvalue++ = '\0';
}
+ for ( next=control; *next; next++ ) {
+ if ( *next == '-' ) {
+ *next = '_';
+ }
+ }
if ( strcasecmp( control, "nettimeout" ) == 0 ) {
if( nettimeout.tv_sec != -1 ) {
@@ -814,7 +819,7 @@ tool_args( int argc, char **argv )
exit( EXIT_FAILURE );
}
- } else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) {
+ } else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) {
if ( cvalue == 0 ) {
ldif_wrap = LDIF_LINE_WIDTH;
@@ -825,13 +830,13 @@ tool_args( int argc, char **argv )
unsigned int u;
if ( lutil_atou( &u, cvalue ) ) {
fprintf( stderr,
- _("Unable to parse ldif-wrap=\"%s\"\n"), cvalue );
+ _("Unable to parse ldif_wrap=\"%s\"\n"), cvalue );
exit( EXIT_FAILURE );
}
ldif_wrap = (ber_len_t)u;
}
- } else {
+ } else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) {
fprintf( stderr, "Invalid general option name: %s\n",
control );
usage();
diff --git a/doc/devel/args b/doc/devel/args
index 7805eff1c..31c22f948 100644
--- a/doc/devel/args
+++ b/doc/devel/args
@@ -27,7 +27,7 @@ ldapwhoami * DE**HI** NO QR UVWXYZ def*h*** *nop* vwxy
-h host
-n no-op
-N no (SASLprep) normalization of simple bind password
- -o general options (currently nettimeout and ldif-wrap only)
+ -o general libldap options (plus ldif_wrap and nettimeout for backwards comp.)
-p port
-v verbose
-V version
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
index 667815a26..de90498db 100644
--- a/doc/man/man1/ldapcompare.1
+++ b/doc/man/man1/ldapcompare.1
@@ -186,13 +186,14 @@ Compare extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
index 9e7036230..872424a65 100644
--- a/doc/man/man1/ldapdelete.1
+++ b/doc/man/man1/ldapdelete.1
@@ -192,13 +192,14 @@ Delete extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
index 5f5ae7aae..96a7c514e 100644
--- a/doc/man/man1/ldapexop.1
+++ b/doc/man/man1/ldapexop.1
@@ -189,13 +189,14 @@ Specify general extensions. \'!\' indicates criticality.
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index f884c5bfb..90f813506 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -255,13 +255,14 @@ Modify extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
index fa9eac627..900ba7e0e 100644
--- a/doc/man/man1/ldapmodrdn.1
+++ b/doc/man/man1/ldapmodrdn.1
@@ -186,13 +186,14 @@ Modrdn extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
index d3f45b082..bf273fb25 100644
--- a/doc/man/man1/ldappasswd.1
+++ b/doc/man/man1/ldappasswd.1
@@ -188,13 +188,14 @@ Passwd Modify extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
index 196179232..901e56043 100644
--- a/doc/man/man1/ldapsearch.1
+++ b/doc/man/man1/ldapsearch.1
@@ -332,13 +332,14 @@ Search extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
index b684de54a..79864c729 100644
--- a/doc/man/man1/ldapwhoami.1
+++ b/doc/man/man1/ldapwhoami.1
@@ -143,13 +143,18 @@ WhoAmI extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
+.B -o
+option that can be passed here, check
+.BR ldap.conf (5)
+for details.
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
index d05cfa643..24c8f03ea 100644
--- a/doc/man/man8/slapcat.8
+++ b/doc/man/man8/slapcat.8
@@ -149,7 +149,7 @@ Possible generic options/values are:
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
- ldif-wrap={no|<n>}
+ ldif_wrap={no|<n>}
.in
\fIn\fP is the number of columns allowed for the LDIF output
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 61c620785..c586a95b5 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -321,6 +321,11 @@ struct ldapmsg;
LDAP_F ( int ) ldap_pvt_discard LDAP_P((
struct ldap *ld, ber_int_t msgid ));
+/* init.c */
+LDAP_F( int )
+ldap_pvt_conf_option LDAP_P((
+ char *cmd, char *opt, int userconf ));
+
/* messages.c */
LDAP_F( BerElement * )
ldap_get_message_ber LDAP_P((
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 182ef7d7e..746824fbd 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -148,6 +148,141 @@ static const struct ol_attribute {
#define MAX_LDAP_ATTR_LEN sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL")
#define MAX_LDAP_ENV_PREFIX_LEN 8
+static int
+ldap_int_conf_option(
+ struct ldapoptions *gopts,
+ char *cmd, char *opt, int userconf )
+{
+ int i;
+
+ for(i=0; attrs[i].type != ATTR_NONE; i++) {
+ void *p;
+
+ if( !userconf && attrs[i].useronly ) {
+ continue;
+ }
+
+ if(strcasecmp(cmd, attrs[i].name) != 0) {
+ continue;
+ }
+
+ switch(attrs[i].type) {
+ case ATTR_BOOL:
+ if((strcasecmp(opt, "on") == 0)
+ || (strcasecmp(opt, "yes") == 0)
+ || (strcasecmp(opt, "true") == 0))
+ {
+ LDAP_BOOL_SET(gopts, attrs[i].offset);
+
+ } else {
+ LDAP_BOOL_CLR(gopts, attrs[i].offset);
+ }
+
+ break;
+
+ case ATTR_INT: {
+ char *next;
+ long l;
+ p = &((char *) gopts)[attrs[i].offset];
+ l = strtol( opt, &next, 10 );
+ if ( next != opt && next[ 0 ] == '\0' ) {
+ * (int*) p = l;
+ }
+ } break;
+
+ case ATTR_KV: {
+ const struct ol_keyvalue *kv;
+
+ for(kv = attrs[i].data;
+ kv->key != NULL;
+ kv++) {
+
+ if(strcasecmp(opt, kv->key) == 0) {
+ p = &((char *) gopts)[attrs[i].offset];
+ * (int*) p = kv->value;
+ break;
+ }
+ }
+ } break;
+
+ case ATTR_STRING:
+ p = &((char *) gopts)[attrs[i].offset];
+ if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
+ * (char**) p = LDAP_STRDUP(opt);
+ break;
+ case ATTR_OPTION:
+ ldap_set_option( NULL, attrs[i].offset, opt );
+ break;
+ case ATTR_SASL:
+#ifdef HAVE_CYRUS_SASL
+ ldap_int_sasl_config( gopts, attrs[i].offset, opt );
+#endif
+ break;
+ case ATTR_GSSAPI:
+#ifdef HAVE_GSSAPI
+ ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
+#endif
+ break;
+ case ATTR_TLS:
+#ifdef HAVE_TLS
+ ldap_int_tls_config( NULL, attrs[i].offset, opt );
+#endif
+ break;
+ case ATTR_OPT_TV: {
+ struct timeval tv;
+ char *next;
+ tv.tv_usec = 0;
+ tv.tv_sec = strtol( opt, &next, 10 );
+ if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
+ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
+ }
+ } break;
+ case ATTR_OPT_INT: {
+ long l;
+ char *next;
+ l = strtol( opt, &next, 10 );
+ if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
+ int v = (int)l;
+ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
+ }
+ } break;
+ }
+
+ break;
+ }
+
+ if ( attrs[i].type == ATTR_NONE ) {
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: "
+ "unknown option '%s'",
+ cmd, 0, 0 );
+ return 1;
+ }
+
+ return 0;
+}
+
+int
+ldap_pvt_conf_option(
+ char *cmd, char *opt, int userconf )
+{
+ struct ldapoptions *gopts;
+ int rc = LDAP_OPT_ERROR;
+
+ /* Get pointer to global option structure */
+ gopts = LDAP_INT_GLOBAL_OPT();
+ if (NULL == gopts) {
+ return LDAP_NO_MEMORY;
+ }
+
+ if ( gopts->ldo_valid != LDAP_INITIALIZED ) {
+ ldap_int_initialize(gopts, NULL);
+ if ( gopts->ldo_valid != LDAP_INITIALIZED )
+ return LDAP_LOCAL_ERROR;
+ }
+
+ return ldap_int_conf_option( gopts, cmd, opt, userconf );
+}
+
static void openldap_ldap_init_w_conf(
const char *file, int userconf )
{
@@ -213,101 +348,7 @@ static void openldap_ldap_init_w_conf(
while(isspace((unsigned char)*start)) start++;
opt = start;
- for(i=0; attrs[i].type != ATTR_NONE; i++) {
- void *p;
-
- if( !userconf && attrs[i].useronly ) {
- continue;
- }
-
- if(strcasecmp(cmd, attrs[i].name) != 0) {
- continue;
- }
-
- switch(attrs[i].type) {
- case ATTR_BOOL:
- if((strcasecmp(opt, "on") == 0)
- || (strcasecmp(opt, "yes") == 0)
- || (strcasecmp(opt, "true") == 0))
- {
- LDAP_BOOL_SET(gopts, attrs[i].offset);
-
- } else {
- LDAP_BOOL_CLR(gopts, attrs[i].offset);
- }
-
- break;
-
- case ATTR_INT: {
- char *next;
- long l;
- p = &((char *) gopts)[attrs[i].offset];
- l = strtol( opt, &next, 10 );
- if ( next != opt && next[ 0 ] == '\0' ) {
- * (int*) p = l;
- }
- } break;
-
- case ATTR_KV: {
- const struct ol_keyvalue *kv;
-
- for(kv = attrs[i].data;
- kv->key != NULL;
- kv++) {
-
- if(strcasecmp(opt, kv->key) == 0) {
- p = &((char *) gopts)[attrs[i].offset];
- * (int*) p = kv->value;
- break;
- }
- }
- } break;
-
- case ATTR_STRING:
- p = &((char *) gopts)[attrs[i].offset];
- if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
- * (char**) p = LDAP_STRDUP(opt);
- break;
- case ATTR_OPTION:
- ldap_set_option( NULL, attrs[i].offset, opt );
- break;
- case ATTR_SASL:
-#ifdef HAVE_CYRUS_SASL
- ldap_int_sasl_config( gopts, attrs[i].offset, opt );
-#endif
- break;
- case ATTR_GSSAPI:
-#ifdef HAVE_GSSAPI
- ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
-#endif
- break;
- case ATTR_TLS:
-#ifdef HAVE_TLS
- ldap_int_tls_config( NULL, attrs[i].offset, opt );
-#endif
- break;
- case ATTR_OPT_TV: {
- struct timeval tv;
- char *next;
- tv.tv_usec = 0;
- tv.tv_sec = strtol( opt, &next, 10 );
- if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
- }
- } break;
- case ATTR_OPT_INT: {
- long l;
- char *next;
- l = strtol( opt, &next, 10 );
- if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
- int v = (int)l;
- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
- }
- } break;
- }
-
- break;
- }
+ ldap_int_conf_option( gopts, cmd, opt, userconf );
}
fclose(fp);
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
index 01574af1e..a62c69581 100644
--- a/servers/slapd/slapcommon.c
+++ b/servers/slapd/slapcommon.c
@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode )
break;
}
- } else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) {
+ } else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) ||
+ ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) {
switch ( tool ) {
case SLAPCAT:
if ( strcasecmp( p, "no" ) == 0 ) {
@@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode )
} else {
unsigned int u;
if ( lutil_atou( &u, p ) ) {
- Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 );
+ Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 );
return -1;
}
ldif_wrap = (ber_len_t)u;
--
2.29.2

View File

@ -0,0 +1,631 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Apr 2020 16:10:48 +0300
Subject: [PATCH] ITS#9189 rework sasl-cbinding support
Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
defaults to "none".
Add "tls-endpoint" binding type implementing "tls-server-end-point" from
RCF 5929, which is compatible with Windows.
Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
---
doc/man/man3/ldap_get_option.3 | 16 ++++++
doc/man/man5/ldap.conf.5 | 3 +
doc/man/man5/slapd-config.5 | 4 ++
doc/man/man5/slapd.conf.5 | 3 +
include/ldap.h | 5 ++
include/ldap_pvt.h | 5 ++
libraries/libldap/cyrus.c | 101 +++++++++++++++++++++++++++++----
libraries/libldap/init.c | 1 +
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/ldap-tls.h | 2 +
libraries/libldap/tls2.c | 7 +++
libraries/libldap/tls_g.c | 59 +++++++++++++++++++
libraries/libldap/tls_o.c | 45 +++++++++++++++
servers/slapd/bconfig.c | 11 +++-
servers/slapd/config.c | 1 +
servers/slapd/connection.c | 9 +--
servers/slapd/proto-slap.h | 4 +-
servers/slapd/sasl.c | 27 ++++++---
18 files changed, 274 insertions(+), 30 deletions(-)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index 7546875f5..e953900ce 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -557,6 +557,22 @@ must be a
.BR "char **" .
Its content needs to be freed by the caller using
.BR ldap_memfree (3).
+.B LDAP_OPT_X_SASL_CBINDING
+Sets/gets the channel-binding type to use in SASL,
+one of
+.BR LDAP_OPT_X_SASL_CBINDING_NONE
+(the default),
+.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE
+the "tls-unique" type from RCF 5929.
+.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT
+the "tls-server-end-point" from RCF 5929, compatible with Windows.
+.BR invalue
+must be
+.BR "const int *" ;
+.BR outvalue
+must be
+.BR "int *" .
+.TP
.SH TCP OPTIONS
The TCP options are OpenLDAP specific.
Mainly intended for use with Linux, they may not be portable.
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index adf134899..29810fc9f 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -286,6 +286,9 @@ size allowed. 0 disables security layers. The default is 65536.
.TP
.B SASL_NOCANON <on/true/yes/off/false/no>
Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
+.TP
+.B SASL_CBINDING <none/tls-unique/tls-endpoint>
+The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
.SH GSSAPI OPTIONS
If OpenLDAP is built with Generic Security Services Application Programming Interface support,
there are more options you can specify.
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 0dddfdb6c..8c987d8c1 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -699,6 +699,10 @@ Used to specify the fully qualified domain name used for SASL processing.
.B olcSaslRealm: <realm>
Specify SASL realm. Default is empty.
.TP
+.B olcSaslCbinding: none | tls-unique | tls-endpoint
+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
+Default is none.
+.TP
.B olcSaslSecProps: <properties>
Used to specify Cyrus SASL security properties.
The
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 0071072b1..203ab988e 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -893,6 +893,9 @@ The
property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.TP
+.B sasl\-cbinding none | tls-unique | tls-endpoint
+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
+.TP
.B schemadn <dn>
Specify the distinguished name for the subschema subentry that
controls the entries on this server. The default is "cn=Subschema".
diff --git a/include/ldap.h b/include/ldap.h
index 88bfcabf8..e8ac968a9 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -180,6 +180,10 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_SASL_CBINDING_NONE 0
+#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE 1
+#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT 2
+
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100
#define LDAP_OPT_X_SASL_REALM 0x6101
@@ -195,6 +199,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_SASL_NOCANON 0x610b
#define LDAP_OPT_X_SASL_USERNAME 0x610c /* read-only */
#define LDAP_OPT_X_SASL_GSS_CREDS 0x610d
+#define LDAP_OPT_X_SASL_CBINDING 0x610e
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index c586a95b5..b71552ec5 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void));
LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex));
LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex));
LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex));
+
+LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg ));
+LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type,
+ int is_server ));
#endif /* HAVE_CYRUS_SASL */
struct sockbuf; /* avoid pulling in <lber.h> */
@@ -426,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
LDAPDN_rewrite_dummy *func, unsigned flags ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server ));
LDAP_END_DECL
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 3171d56a3..081e3cea5 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -368,6 +368,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
return LDAP_SUCCESS;
}
+int ldap_pvt_sasl_cbinding_parse( const char *arg )
+{
+ int i = -1;
+
+ if ( strcasecmp(arg, "none") == 0 )
+ i = LDAP_OPT_X_SASL_CBINDING_NONE;
+ else if ( strcasecmp(arg, "tls-unique") == 0 )
+ i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE;
+ else if ( strcasecmp(arg, "tls-endpoint") == 0 )
+ i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT;
+
+ return i;
+}
+
+void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server )
+{
+#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS)
+ char unique_prefix[] = "tls-unique:";
+ char endpoint_prefix[] = "tls-server-end-point:";
+ char cbinding[ 64 ];
+ struct berval cbv = { 64, cbinding };
+ void *cb_data; /* used since cb->data is const* */
+ sasl_channel_binding_t *cb;
+ char *prefix;
+ int plen;
+
+ switch (type) {
+ case LDAP_OPT_X_SASL_CBINDING_NONE:
+ return NULL;
+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
+ if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server ))
+ return NULL;
+ prefix = unique_prefix;
+ plen = sizeof(unique_prefix) -1;
+ break;
+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
+ if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server ))
+ return NULL;
+ prefix = endpoint_prefix;
+ plen = sizeof(endpoint_prefix) -1;
+ break;
+ default:
+ return NULL;
+ }
+
+ cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );
+ cb->len = plen + cbv.bv_len;
+ cb->data = cb_data = cb+1;
+ memcpy( cb_data, prefix, plen );
+ memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len );
+ cb->name = "ldap";
+ cb->critical = 0;
+
+ return cb;
+#else
+ return NULL;
+#endif
+}
+
int
ldap_int_sasl_bind(
LDAP *ld,
@@ -497,17 +556,12 @@ ldap_int_sasl_bind(
(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
LDAP_FREE( authid.bv_val );
#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
- {
- char cbinding[64];
- struct berval cbv = { sizeof(cbinding), cbinding };
- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
- sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
- cbv.bv_len);
- cb->name = "ldap";
- cb->critical = 0;
- cb->data = (char *)(cb+1);
- cb->len = cbv.bv_len;
- memcpy( cb->data, cbv.bv_val, cbv.bv_len );
+ if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) {
+ void *cb;
+ cb = ldap_pvt_sasl_cbinding( ssl,
+ ld->ld_options.ldo_sasl_cbinding,
+ 0 );
+ if ( cb != NULL ) {
sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
SASL_CHANNEL_BINDING, cb );
ld->ld_defconn->lconn_sasl_cbind = cb;
@@ -930,12 +984,20 @@ int ldap_pvt_sasl_secprops(
int
ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
{
- int rc;
+ int rc, i;
switch( option ) {
case LDAP_OPT_X_SASL_SECPROPS:
rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
if( rc == LDAP_SUCCESS ) return 0;
+ break;
+ case LDAP_OPT_X_SASL_CBINDING:
+ i = ldap_pvt_sasl_cbinding_parse( arg );
+ if ( i >= 0 ) {
+ lo->ldo_sasl_cbinding = i;
+ return 0;
+ }
+ break;
}
return -1;
@@ -1041,6 +1103,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
/* this option is write only */
return -1;
+ case LDAP_OPT_X_SASL_CBINDING:
+ *(int *)arg = ld->ld_options.ldo_sasl_cbinding;
+ break;
+
#ifdef SASL_GSS_CREDS
case LDAP_OPT_X_SASL_GSS_CREDS: {
sasl_conn_t *ctx;
@@ -1142,6 +1208,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
return sc == LDAP_SUCCESS ? 0 : -1;
}
+ case LDAP_OPT_X_SASL_CBINDING:
+ if ( !arg ) return -1;
+ switch( *(int *) arg ) {
+ case LDAP_OPT_X_SASL_CBINDING_NONE:
+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
+ ld->ld_options.ldo_sasl_cbinding = *(int *) arg;
+ return 0;
+ }
+ return -1;
+
#ifdef SASL_GSS_CREDS
case LDAP_OPT_X_SASL_GSS_CREDS: {
sasl_conn_t *ctx;
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 746824fbd..0c4b6237e 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -113,6 +113,7 @@ static const struct ol_attribute {
offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
{0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS},
{0, ATTR_BOOL, "SASL_NOCANON", NULL, LDAP_BOOL_SASL_NOCANON},
+ {0, ATTR_SASL, "SASL_CBINDING", NULL, LDAP_OPT_X_SASL_CBINDING},
#endif
#ifdef HAVE_GSSAPI
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 397894271..08d4b4a92 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -276,6 +276,7 @@ struct ldapoptions {
/* SASL Security Properties */
struct sasl_security_properties ldo_sasl_secprops;
+ int ldo_sasl_cbinding;
#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
#else
#define LDAP_LDO_SASL_NULLARG
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index 103004fa7..77975bb6c 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server);
typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
typedef void (TI_thr_init)(void);
@@ -67,6 +68,7 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
TI_session_unique *ti_session_unique;
+ TI_session_endpoint *ti_session_endpoint;
TI_session_peercert *ti_session_peercert;
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 8b1fee748..f74af7d1d 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1041,6 +1041,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
return tls_imp->ti_session_unique( session, buf, is_server );
}
+int
+ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_endpoint( session, buf, is_server );
+}
+
int
ldap_pvt_tls_get_peercert( void *s, struct berval *der )
{
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 26d9f99ce..52dfcd3ab 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -675,6 +675,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
+static int
+tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
+{
+ tlsg_session *s = (tlsg_session *)sess;
+ const gnutls_datum_t *cert_data;
+ gnutls_x509_crt_t server_cert;
+ gnutls_digest_algorithm_t md;
+ int sign_algo, md_len, rc;
+
+ if ( is_server )
+ cert_data = gnutls_certificate_get_ours( s->session );
+ else
+ cert_data = gnutls_certificate_get_peers( s->session, NULL );
+
+ if ( cert_data == NULL )
+ return 0;
+
+ rc = gnutls_x509_crt_init( &server_cert );
+ if ( rc != GNUTLS_E_SUCCESS )
+ return 0;
+
+ rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER );
+ if ( rc != GNUTLS_E_SUCCESS ) {
+ gnutls_x509_crt_deinit( server_cert );
+ return 0;
+ }
+
+ sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert );
+ gnutls_x509_crt_deinit( server_cert );
+ if ( sign_algo <= GNUTLS_SIGN_UNKNOWN )
+ return 0;
+
+ md = gnutls_sign_get_hash_algorithm( sign_algo );
+ if ( md == GNUTLS_DIG_UNKNOWN )
+ return 0;
+
+ /* See RFC 5929 */
+ switch (md) {
+ case GNUTLS_DIG_NULL:
+ case GNUTLS_DIG_MD2:
+ case GNUTLS_DIG_MD5:
+ case GNUTLS_DIG_SHA1:
+ md = GNUTLS_DIG_SHA256;
+ }
+
+ md_len = gnutls_hash_get_len( md );
+ if ( md_len == 0 || md_len > buf->bv_len )
+ return 0;
+
+ rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val );
+ if ( rc != GNUTLS_E_SUCCESS )
+ return 0;
+
+ buf->bv_len = md_len;
+
+ return md_len;
+}
+
static int
tlsg_session_peercert( tls_session *sess, struct berval *der )
{
@@ -950,6 +1008,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_chkhost,
tlsg_session_strength,
tlsg_session_unique,
+ tlsg_session_endpoint,
tlsg_session_peercert,
&tlsg_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 157923289..8ede11572 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -861,6 +861,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
return buf->bv_len;
}
+static int
+tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
+{
+ tlso_session *s = (tlso_session *)sess;
+ const EVP_MD *md;
+ unsigned int md_len;
+ X509 *cert;
+
+ if ( buf->bv_len < EVP_MAX_MD_SIZE )
+ return 0;
+
+ if ( is_server )
+ cert = SSL_get_certificate( s );
+ else
+ cert = SSL_get_peer_certificate( s );
+
+ if ( cert == NULL )
+ return 0;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
+#else
+ md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
+#endif
+
+ /* See RFC 5929 */
+ if ( md == NULL ||
+ md == EVP_md_null() ||
+#ifndef OPENSSL_NO_MD2
+ md == EVP_md2() ||
+#endif
+ md == EVP_md4() ||
+ md == EVP_md5() ||
+ md == EVP_sha1() )
+ md = EVP_sha256();
+
+ if ( !X509_digest( cert, md, buf->bv_val, &md_len ))
+ return 0;
+
+ buf->bv_len = md_len;
+
+ return md_len;
+}
+
static int
tlso_session_peercert( tls_session *sess, struct berval *der )
{
@@ -1394,6 +1438,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_chkhost,
tlso_session_strength,
tlso_session_unique,
+ tlso_session_endpoint,
tlso_session_peercert,
&tlso_sbio,
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 3188ccfbe..8c4ccb860 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -569,6 +569,15 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "sasl-cbinding", NULL, 2, 2, 0,
+#ifdef HAVE_CYRUS_SASL
+ ARG_STRING, &sasl_cbinding,
+#else
+ ARG_IGNORED, NULL,
+#endif
+ "( OLcfgGlAt:100 NAME 'olcSaslCBinding' "
+ "EQUALITY caseIgnoreMatch "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "sasl-host", "host", 2, 2, 0,
#ifdef HAVE_CYRUS_SASL
ARG_STRING|ARG_UNIQUE, &sasl_host,
@@ -820,7 +829,7 @@ static ConfigOCs cf_ocs[] = {
"olcPluginLogFile $ olcReadOnly $ olcReferral $ "
"olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
"olcRootDSE $ "
- "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
+ "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
"olcSecurity $ olcServerID $ olcSizeLimit $ "
"olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
"olcTCPBuffer $ "
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 5108da696..77dd3c1ae 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -73,6 +73,7 @@ char *global_host = NULL;
struct berval global_host_bv = BER_BVNULL;
char *global_realm = NULL;
char *sasl_host = NULL;
+char *sasl_cbinding = NULL;
char **default_passwd_hash = NULL;
struct berval default_search_base = BER_BVNULL;
struct berval default_search_nbase = BER_BVNULL;
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 0602fdceb..d074009e4 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1430,12 +1430,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
- {
- char cbinding[64];
- struct berval cbv = { sizeof(cbinding), cbinding };
- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
- slap_sasl_cbinding( c, &cbv );
- }
+
+ slap_sasl_cbinding( c, ssl );
+
} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
slapd_set_write( s, 1 );
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index de1cabf32..9b52760bd 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1657,8 +1657,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
slap_ssf_t ssf, /* relative strength of external security */
struct berval *authid ); /* asserted authenication id */
-LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
- struct berval *cbv );
+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl );
LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
@@ -2039,6 +2038,7 @@ LDAP_SLAPD_V (char *) global_host;
LDAP_SLAPD_V (struct berval) global_host_bv;
LDAP_SLAPD_V (char *) global_realm;
LDAP_SLAPD_V (char *) sasl_host;
+LDAP_SLAPD_V (char *) sasl_cbinding;
LDAP_SLAPD_V (char *) slap_sasl_auxprops;
LDAP_SLAPD_V (char **) default_passwd_hash;
LDAP_SLAPD_V (int) lber_debug;
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 258cd5407..c14e8a628 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1203,6 +1203,8 @@ int slap_sasl_destroy( void )
#endif
free( sasl_host );
sasl_host = NULL;
+ free( sasl_cbinding );
+ sasl_cbinding = NULL;
return 0;
}
@@ -1389,17 +1391,24 @@ int slap_sasl_external(
return LDAP_SUCCESS;
}
-int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
+int slap_sasl_cbinding( Connection *conn, void *ssl )
{
#ifdef SASL_CHANNEL_BINDING
- sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
- cb->name = "ldap";
- cb->critical = 0;
- cb->data = (char *)(cb+1);
- cb->len = cbv->bv_len;
- memcpy( cb->data, cbv->bv_val, cbv->bv_len );
- sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
- conn->c_sasl_cbind = cb;
+ void *cb;
+ int i;
+
+ if ( sasl_cbinding == NULL )
+ return LDAP_SUCCESS;
+
+ i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding );
+ if ( i < 0 )
+ return LDAP_SUCCESS;
+
+ cb = ldap_pvt_sasl_cbinding( ssl, i, 1 );
+ if ( cb != NULL ) {
+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
+ conn->c_sasl_cbind = cb;
+ }
#endif
return LDAP_SUCCESS;
}
--
2.29.2

View File

@ -0,0 +1,45 @@
From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 18 Apr 2020 16:30:03 +0200
Subject: [PATCH] ITS#9189 add channel-bindings tests
---
tests/scripts/test068-sasl-tls-external | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
index dcbc50fd4..ee112cf98 100755
--- a/tests/scripts/test068-sasl-tls-external
+++ b/tests/scripts/test068-sasl-tls-external
@@ -88,6 +88,28 @@ else
echo "success"
fi
+# Exercise channel-bindings code in builds without SASL support
+for cb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
+
+ $LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \
+ -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \
+ -o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \
+ > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $PID
+ exit $RC
+ else
+ echo "success"
+ fi
+done
+
+
test $KILLSERVERS != no && kill -HUP $KILLPIDS
if test $RC != 0 ; then
--
2.29.2

View File

@ -0,0 +1,27 @@
From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 23 Apr 2020 22:47:32 +0200
Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in
LDAP_LDO_SASL_NULLARG
Reported-by: Ryan Tandy @ryan
---
libraries/libldap/ldap-int.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 08d4b4a92..8c7f1e5c1 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -277,7 +277,7 @@ struct ldapoptions {
/* SASL Security Properties */
struct sasl_security_properties ldo_sasl_secprops;
int ldo_sasl_cbinding;
-#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
+#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0
#else
#define LDAP_LDO_SASL_NULLARG
#endif
--
2.29.2

View File

@ -0,0 +1,28 @@
From d548ab15e0d615524c403440c01a9748bfcac87d Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 28 Apr 2020 16:33:41 +0100
Subject: [PATCH] ITS#9215 fix for glibc again
---
libraries/libldap_r/thr_posix.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libraries/libldap_r/thr_posix.c b/libraries/libldap_r/thr_posix.c
index e4b435707..62f94ca16 100644
--- a/libraries/libldap_r/thr_posix.c
+++ b/libraries/libldap_r/thr_posix.c
@@ -18,6 +18,11 @@
#if defined( HAVE_PTHREADS )
+#ifdef __GLIBC__
+#undef _FEATURES_H
+#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */
+#endif
+
#include <ac/errno.h>
#ifdef REPLACE_BROKEN_YIELD
--
2.31.1

View File

@ -0,0 +1,64 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Tue, 19 Feb 2019 10:26:39 +0000
Subject: [PATCH] Make prototypes available where needed
---
libraries/libldap/tls2.c | 3 +++
servers/slapd/config.c | 1 +
servers/slapd/proto-slap.h | 4 ++++
3 files changed, 8 insertions(+)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index ad09ba39b..8b1fee748 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -76,6 +76,9 @@ static oid_name oids[] = {
#ifdef HAVE_TLS
+LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in ));
+LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der ));
+
void
ldap_pvt_tls_ctx_free ( void *c )
{
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index bd68a2421..5108da696 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -48,6 +48,7 @@
#endif
#include "lutil.h"
#include "lutil_ldap.h"
+#include "ldif.h"
#include "config.h"
#ifdef _WIN32
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 7f8e604fa..de1cabf32 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -739,6 +739,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
slap_bindconf *bc, LDAP *ld ));
LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
+LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk ));
LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ));
LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
const char *fname, int lineno, int argc, char **argv ));
@@ -1656,6 +1657,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
slap_ssf_t ssf, /* relative strength of external security */
struct berval *authid ); /* asserted authenication id */
+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
+ struct berval *cbv );
+
LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
--
2.29.2

View File

@ -0,0 +1,526 @@
From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Tue, 30 Oct 2018 15:42:35 +0000
Subject: [PATCH] Update keys to RSA 4096
---
tests/data/tls/ca/certs/testsuiteCA.crt | 133 ++++++++++++++++--
tests/data/tls/ca/private/testsuiteCA.key | 64 +++++++--
.../tls/certs/bjensen@mailgw.example.com.crt | 44 ++++--
tests/data/tls/certs/localhost.crt | 44 ++++--
tests/data/tls/conf/openssl.cnf | 2 +-
tests/data/tls/create-crt.sh | 9 +-
.../private/bjensen@mailgw.example.com.key | 64 +++++++--
tests/data/tls/private/localhost.key | 64 +++++++--
8 files changed, 336 insertions(+), 88 deletions(-)
diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt
index 7458e7461..62c88acca 100644
--- a/tests/data/tls/ca/certs/testsuiteCA.crt
+++ b/tests/data/tls/ca/certs/testsuiteCA.crt
@@ -1,16 +1,121 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
+ Validity
+ Not Before: Oct 30 15:29:02 2018 GMT
+ Not After : Nov 13 15:29:02 2519 GMT
+ Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (4096 bit)
+ Modulus:
+ 00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81:
+ 97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24:
+ 62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5:
+ 9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6:
+ 66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88:
+ 5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af:
+ 59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8:
+ 15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75:
+ f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57:
+ cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9:
+ 65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c:
+ 6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4:
+ 64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd:
+ df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3:
+ 61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87:
+ e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af:
+ aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3:
+ 0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7:
+ d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4:
+ 33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d:
+ fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8:
+ 48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85:
+ 26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96:
+ be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39:
+ a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f:
+ f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84:
+ 66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac:
+ fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a:
+ 27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b:
+ a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66:
+ e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22:
+ ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82:
+ 76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df:
+ ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32:
+ 4d:11:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
+ X509v3 Authority Key Identifier:
+ keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5:
+ 37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08:
+ e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41:
+ 8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6:
+ a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93:
+ d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06:
+ 92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e:
+ d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a:
+ 0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5:
+ bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab:
+ a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8:
+ 92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76:
+ 0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63:
+ a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74:
+ ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe:
+ 37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee:
+ 7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94:
+ 4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e:
+ d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e:
+ 35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83:
+ 91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe:
+ cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d:
+ b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83:
+ c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07:
+ 7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a:
+ 7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98:
+ ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d:
+ 2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c:
+ 6f:1c:c4:a9:28:e1:3d:4d
-----BEGIN CERTIFICATE-----
-MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv
-bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0
-NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
-MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB
-UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd
-rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb
-lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL
-6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU
-7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB
-SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/
-wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws
-ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q
-aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==
+MIIFjzCCA3egAwIBAgIUC0P46e7TODeS2xll2ZQXzHBF1AYwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNPcGVuTERB
+UCBGb3VuZGF0aW9uMRwwGgYDVQQLDBNPcGVuTERBUCBUZXN0IFN1aXRlMCAXDTE4
+MTAzMDE1MjkwMloYDzI1MTkxMTEzMTUyOTAyWjBWMQswCQYDVQQGEwJVUzELMAkG
+A1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNVBAsM
+E09wZW5MREFQIFRlc3QgU3VpdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQC+4P82iWXATkbmJOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfz
+xZ1JzGE6MW8NpNhwV3PIxmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mf
+t11ycP62pN1O+dA46BUUx0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7
+Nd7TxHlXIEgHuWX2vXsBXJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQ
+Dl9nDuikvd+c+1sEbzwqNRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4Aq
+Lq7+r6rj59g7K6NST3MtEqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S
+9DOA3npHHEdXaFMq23NubfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbq
+rwySJAXiSRK3B48Glr4T+uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iq
+t/3b75i0W0m2hGbl/GALwfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm
+9KXcMThFC6Ftq5wFLoeMMQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8Zz
+I4KFgnZONors6vFTHuB30Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABo1MwUTAd
+BgNVHQ4EFgQUkM9RHegI1Ew0cHFr0gsAaNn9YFAwHwYDVR0jBBgwFoAUkM9RHegI
+1Ew0cHFr0gsAaNn9YFAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAD3+gxTys3O2PVj5kieaH0MqlN7gOSaqT0+Ws/1QkkQcbnNwI5swVU76FTFFS
+04jQ2Me3mEBBiqd6TJaFYYyYdvajLBAxodjmp0zswymtBIvj8i1MMA2kvMiT0puI
+HaQl6/+f8tnFO79RkXEGkjWWXMpt1oZHYwd/NzVTaOlO0NAlQhjgAJ7K9b23lO6Z
+UUQ6DERA44fmzmwrP8EBbFwy1Vm1vSWjGv+FpYmc2CRL+lmZWmSrodgPwBkohB6J
+wqEVTg9+H7/4kt+fHNVKmECC7kEf3vclEf12Cs83QLzCLWrqSgxtsOZ1N7VjqKHF
+gdCEwPPgw1zEn+w7n4p0zvDM4+kVCKDqPqmOvJoBAJb+N29htSxLH13XJAn+v/R3
+R+TufOprZ4TuVk9fubjk23DhSrOUTd1SRQVNedR8i52bagtznvMO1dVG2rT7Supb
+q45CaA6WzYpuNajmG2rtqJ48zDtEVLgtuseDkXxwQAwUuCF6EqyMlkyUpu7+zHc0
+juPDwEQZUYUHbNjRLmmNsQ5C++YWZYbG4y+nP7SOTxyDxAquoNkX/c+iOKGfcNxc
+3zwHe2QB/zWMRUPo+qT2xHF4F25qf9FuZsaJMzsoSna/yikFUQeYzmNiJWF/XsaR
+IwITFU/9JFidLazry5rCgi9QXFoWu4y/TWYsbxzEqSjhPU0=
-----END CERTIFICATE-----
diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key
index 2e14d7033..01a6614c1 100644
--- a/tests/data/tls/ca/private/testsuiteCA.key
+++ b/tests/data/tls/ca/private/testsuiteCA.key
@@ -1,16 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ
-WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc
-338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/
-dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg
-O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf
-7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn
-rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f
-wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk
-AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l
-vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9
-27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X
-KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N
-I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL
-+b2qljWeZbGH
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+4P82iWXATkbm
+JOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfzxZ1JzGE6MW8NpNhwV3PI
+xmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mft11ycP62pN1O+dA46BUU
+x0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7Nd7TxHlXIEgHuWX2vXsB
+XJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQDl9nDuikvd+c+1sEbzwq
+NRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4AqLq7+r6rj59g7K6NST3Mt
+Eqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S9DOA3npHHEdXaFMq23Nu
+bfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbqrwySJAXiSRK3B48Glr4T
++uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iqt/3b75i0W0m2hGbl/GAL
+wfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm9KXcMThFC6Ftq5wFLoeM
+MQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8ZzI4KFgnZONors6vFTHuB3
+0Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABAoICAQCVkIdpnE92V9+GBfVT/G9f
+vuLTkoRf+SeZqXgNx9SuebNbW5HblXXZ8nmOMZIFeXfVuVZjQn+1x1CaSZs4S5ki
+uKkmCyEJJN3VVo3Q0XzfRemsvNrA5+oIec2oMG2wdomfY59leqmFbZTXKy3HyT2Y
+Uga4FcYcfo4JyD8eU6DRdJ6oJC10EGiajFchghyPoqvRcSH/q24R4Ha5om1M/zOZ
+/hz+SlmLU2sjXVtGuCgtCdw5Sp5Ce5VF43JaRGjMwAnazEyjHPE8kEx8ZhCBG66B
+DqP6UrV736T3c0/Hww0fxFrENA4mIE/vhNgwNVQ5jDxDSC9ObesTW93Lu4za+Re6
+pmP1eeS/oe1OcI1d/xK2IIQwzB7ZkJ0StbFLnjs7DATO7BGzhC9egC6s+z9oSgTS
+KvmLyoiL5U4fesVJwcCPKwwkVH9n22TuqmvB5mmvZvRTe2+OgDH55Nkfx1SoI8+Q
+/fwV9UXIIg5en+Kv8lOaWCZujmMsjHC79bwxPLeaePRwD/RBkT1MLW/T4fWGpAt3
+H89+yufH31Y/1QMxVVtR9OdxCtljiXno/bArMNZ0oE1TiCcckMzdjKh7RNfkEXRM
+Pga92HBTgtJ3tfWJ4qOtJ4NKJPQ7wRmR03Bug8+bGM4K5HDO08fNuag/pP3AQvrM
+QGbHFVho3I7/DXnmRBq/gQKCAQEA75eptBtP8PWnN9uNsQoWxvFKQBtbLfPKUcVP
++LWOWF4ag2YRRf6TIzvGfIk54OGSL/srWCDKjXWJ0NgUn6yiqOkoP4oxEE1m2QDY
+7oCk9vJipJcrtNCKL6NhKwZDOjlDSROb/hBeMgr14Da/WkPE6zQhuwN5y4Japbjs
+cBYTao2uOg4QQz5Aee+ee55L6iAgMT0PnlQtv1uVW3D46e02CrQKtRmtDxqT3Nux
+nudJdz+rMFM0EDgVKUYRwFCa6xjI4y2K1aCwCtJG9yTJpYqCD9hehfwEije6dNNg
+p5RX3M9ai710Yx4F26cwX/t8AxqgF/2XBI0ZWD6x69cp7suPTQKCAQEAy/NUEgXN
+nymq8NK+umZwFJU7cy3weozRuEkmgmCWj4XYhbvTw6MbK+2R9XKa3ilqSd2sU2lX
+qE66kfAgqZMJ9RB+7nDOaLAMUuGw1DrwFZE7r3mKXgc4NgjtmGav4E3URXPHj5zb
+JbbN95zl96Fm3Nevs5p8sb0KexgbzHe4UzJNYFgT0l+TjJbJUAiNPsEw1bnV4cxn
+b1HO2CWTeGtAOJyjMRNwI+40wnk2N6An+Ddvb2mj2h30HujSZHnL94RAqa7RHDb6
+lU+7JX/ll5G0mFQOFQAs4UPos2bg7hS1mfYO+UVrG4OH9gXns12158WqFED+lhmJ
+O8WDWEVAblVrnQKCAQAB9aOVrYOB3QB5HHqUMBjvl5mb3J1qSswkzxBQYGvBnUNq
+P7N0dxiM+TguXJD0neOsMMmx9tKxRXzTEHFavPa3mvCRVHgCQh/NNoyPps2yl1jn
+L7VTzUDUEuoAiBSUrVM3jcmA0nFyx1QreUcnXdaGde6wsN6WI4LKSDDm2cde37nF
+D8hiRGgSlzscl7bXO1wICw/No7KcFguqq8ndX+tJOx+7S3J25SjAbauOOSYIq6Si
+yItsdoj1xXTvtbkOoy1BbmXsSVwnOoEKFGrxx6g4qPRc9Cq1Vq9XtULdHAF79NYw
+vmPtS5mQqlVi85OYEuesSo6pot3KMvkRjLjzEwchAoIBACEvrvZfy12iwhX9tNtP
+39z5i3rqdr76OwXpoUKFxPoFpX3dWk/zMnCrb5yo0VplEs6CK5BHC+RvKxykHix5
+qJ0f2geig3O1ccvqvYNLM9XOlA+xjzpNom/odADgdK3i/C9w74AG3gH9BPbNqP3q
+XXqB/i0Tbkbdo97zxVI4CN5AySZsLo2Ez9WIk6laOuGDPhcI7iyXvhz3CtlRA/YM
+PZ74nfVWXGD8WclrP889WEOjgZZ3choD1b1R1SpUR0Q3WO5Da/NTXuL83k7zyMAp
+DWHcC46PQL5G9o56pw8Wf5ZV24nkKdGITY9S1qjxDrBwEYTKLqLt9M6tDPpICnvp
+mmECggEBALfnUgpdGugn46UmQUMI1y+NZbSKhJHG+OBWdcc1j4kDZhF/Ei7g8pvk
+hFU5p/YA6JbGioZxiqjdrYLvgTPnJVkxy7arLTN2j2GVlhUA74BY+kNzENk2Tj9c
+zJSMVZn+WZrXNQhfYyA3FyW3wGN67GBXAHPQxFTdU3G4mR1WcyJCxKIyzP+2M8o9
+16tpb80QRnc0OLm9Izppe7JUp2hCQt+O6E8izvLE8k2ldOr5ncTNWlxTJ0yx0hEO
+WTFqhwOM1pEmtxas1gLr8MX0hNsaQR+kjG2f8rPmH+GEZeeAwuhoJY1PcKAOYM5Y
+yu/1yFXYTrmhD/P0+nJn1DfS5JljCJY=
-----END PRIVATE KEY-----
diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
index 93e3a0d39..eb0fc693f 100644
--- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
@@ -1,16 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
-ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV
-BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD
-VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa
-YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
-MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg
-QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU
-U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL
-MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn
-wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f
-7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo
-4DnnYQBDnq48VORVX94=
+MIIFfDCCA2SgAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNzQwWhgPMjUxOTEx
+MTMxNTM3NDBaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNVBAoM
+E09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYDVQQD
+DBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYaYmpl
+bnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQCcHBkHcUSKG4s7nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA
+7qkZvMJR8ws2u8TQU/18FhH4+0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWg
+qPYe/K3bAtSRtF7wDxF77eb2Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38
+kpIB5WENCEy77QK9GEGAlMVIRXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nN
+LxTdLe1qbZyRgEqRKgW5WcWrW46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yIms
+CbzlSRLC1dfj++2mzCMxoc3xpZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvR
+X9uQOnXnazQvlRfsaHQjGUKyhMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzL
+twWkESVDU0tNg/czWLn56smV7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjI
+LQuEBssrV1h8WblruWRU31Mn+mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5ui
+cNcYTXCfa5ZpPL608f7cWuG2GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4
+yPXHATrCtYO1wqIyu9Yuirdg7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABow0w
+CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCq8VvpcoAgCK/D5yi/2puB
+LD7kYaVaSXxrUQBeLTmKERw3akpgW7QTGCNgM425VVaBQRPtv8YcX9OycUAylAA+
+7lzwdP95OJGnUOjQY4x4iRAwCPkpDCcnwc43c3WAyQb2S46aZJaWK4S0+RM3CmWH
+1Fzb6aODdnoBEKk0XgNrB6/teB+UWgtTSxWiY/HWiArDaZDPMAxqEK0hnB+b/sBD
+ZoBYnfnQXezylqbk9vkzTIbSVrv5ZZdQELOAnPuxUCFpYew1OGKcg+1twYKDHgBS
+s13zN03eMEnC/O4Z01dhu16vqdikdP+tJJrppjvZtJys0KIP24ltDnpA6h/3m/Cl
+U1eiTDgWO+SsfiL1K4gcTL1eLjnCBFfnHN5gfgAV5w5DaKzvKp7Qu8db4DtH+S4o
+W/MBKuaHHKWUPGksvFUiGNgE/XyDU4MK34/5ulzbrWmqb24pYAzm1MyjsdzmXObw
++fzg6EDBB14cWA2hA7mSqnzkiW1pELVym6+uTaIlopSIFr8nNAimwLiY5QJNGYvd
+hgNNvOyUUO+nON3aHsC/rRMgar3eo7A9AkQJ6qKVvPR2h1317PJLuKaLfjbaCzNw
+iA3JSQjcwR2ydlSgKKN2d/XXm/G4PZ9tUcBY4Zngn0ViT0/m7MFy9qsiWG97+yaZ
+nYsN5WfwDZrtG24dTotxVQ==
-----END CERTIFICATE-----
diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt
index 194cb119d..3aeae3c16 100644
--- a/tests/data/tls/certs/localhost.crt
+++ b/tests/data/tls/certs/localhost.crt
@@ -1,16 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
-ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE
-CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT
-dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4
-7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv
-8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A
-AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG
-8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl
-0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR
-GjeZB1FxqDGHjxBq2O828iejw28bSz4=
+MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx
+MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
+T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0
+ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA
+Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY
+VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac
+xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh
+ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm
+ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO
+hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P
+BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM
+26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn
+bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb
+Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
+AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY
+t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw
+0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9
+cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6
+6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq
+9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd
+GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn
+cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO
+qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW
+LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S
+keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf
+0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ==
-----END CERTIFICATE-----
diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf
index a3c8ad9f6..632cff11c 100644
--- a/tests/data/tls/conf/openssl.cnf
+++ b/tests/data/tls/conf/openssl.cnf
@@ -51,7 +51,7 @@ commonName = supplied
emailAddress = optional
[ req ]
-default_bits = 2048
+default_bits = @KEY_BITS@
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
index 8c33a24fe..739f8eaf1 100755
--- a/tests/data/tls/create-crt.sh
+++ b/tests/data/tls/create-crt.sh
@@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then
echo "OpenSSL command line binary not found, skipping..."
fi
+KEY_BITS=4096
+KEY_TYPE=rsa:$KEY_BITS
+
USAGE="$0 [-s] [-u <user@domain.com>]"
SERVER=0
USER=0
@@ -45,13 +48,13 @@ echo "00" > cruft/serial
touch cruft/index.txt
touch cruft/index.txt.attr
hn=$(hostname -f)
-sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf
+sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf > ./openssl.cnf
if [ $SERVER = 1 ]; then
rm -rf private/localhost.key certs/localhost.crt
$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \
- -newkey rsa:1024 -config ./openssl.cnf \
+ -newkey $KEY_TYPE -config ./openssl.cnf \
-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
-batch > /dev/null 2>&1
@@ -66,7 +69,7 @@ if [ $USER = 1 ]; then
rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr
$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \
- -newkey rsa:1024 -config ./openssl.cnf \
+ -newkey $KEY_TYPE -config ./openssl.cnf \
-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \
-batch >/dev/null 2>&1
diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key
index 5f4625fd7..e30e11586 100644
--- a/tests/data/tls/private/bjensen@mailgw.example.com.key
+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key
@@ -1,16 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2
-xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4
-9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z
-yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r
-oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e
-nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg
-xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra
-EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd
-9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/
-pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI
-tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ
-3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D
-tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg
-36Ixj3L+5H18
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCcHBkHcUSKG4s7
+nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA7qkZvMJR8ws2u8TQU/18FhH4
++0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWgqPYe/K3bAtSRtF7wDxF77eb2
+Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38kpIB5WENCEy77QK9GEGAlMVI
+RXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nNLxTdLe1qbZyRgEqRKgW5WcWr
+W46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yImsCbzlSRLC1dfj++2mzCMxoc3x
+pZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvRX9uQOnXnazQvlRfsaHQjGUKy
+hMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzLtwWkESVDU0tNg/czWLn56smV
+7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjILQuEBssrV1h8WblruWRU31Mn
++mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5uicNcYTXCfa5ZpPL608f7cWuG2
+GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4yPXHATrCtYO1wqIyu9Yuirdg
+7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABAoICAQCWY/s40EXXRvG7XBGKe1Sn
+MZGGllyduVVQMFzJIkOsnkDKKuTY+dZlP4Zo5Q/PIvWKpRnWGRP6lsh5tJkukiHd
+jk4VvJk4AzS7mNhkRyYy3ZW3ulB5NpsXS67P610RwIhIVhuf6ORPH8GBW9lRxwoL
+1v4WpGjbywHkKQvR0Sp7lVGULuwnM0dSK2G9sdztUTGbWZlp0hRIawojtcrRt2ft
+Liyy4hooWMmAFS3wu1y3fHSNn5kEFpfis5jF+5jdDvvmsFElx/X7uiBUFMAV2vry
+wu2mceibiGjnq7Nn6I7fhgKzGnkgzzDSLA9uVBde2+RAHlO0fLTq+5YLVhe0pNBM
+J1Y0soNaO3XfVV6Vnyz8X+ruHItW2OBF9AYhIlXq/6d3MMX51BEM6odEtsi8zFgo
+ENN0GAXoyoofg+IvzPiVU2Ud7s4pAlK473d7sAQEeiFWaj7iwueAgofSUFRz7E/H
+umdhytKiJXqcjJ9O2k4sBsmQoPIB++LlUPRIlZY9UvTFxLbd/ifFUv5fqa6z0IX6
+wkIzXmRHhG+ETk1IZBJAAho7iyyYOTP+JnnToUAMWoUaZUO2bzaZfQha8Z3KVtG/
+PJUfHClBXqvFNaAUvA9Df3JoJddJ4pO1g0QjS/dp4C2KwNkH4oqMJctvCersoPWu
+5DYiWY6KR4GjokJ1lBeWAQKCAQEAzSKa+m2C4ANNCJB9tcKYDbYIdibCpzO+k1Fb
+gZUtNi9dEE0Po8rMG0jthm+GKJjNjiG5idSUMo+WNEGBPkELueex81AlEpOqQ6/9
+67cyjAsF/FvgkWOpKJnGOySF/TpK4kPGYyS3ICvs1KNE5HEywHyC4C/MD8N9Z5tX
+/DfW6sBM/wPipE9YDpKfAg3fDG9YJN/gJZ8TlZVqzzw75rKGcMeLc8f0mbMo+KWQ
+VKV4vrgz1eiVrHc5VeGUaXe1Yei5El671wAdtFdmm51A2fWd80fPlQdqfAwpX7x4
+FWuo9z2QX70rM/NTWfk4nQ6ZFEHxtm++OiTfh7RwauI8fxye6QKCAQEAwtF/tOth
+UgHrohB2DCE9gA0rxkynJHK9/SXSd0KBjERO2i41iuC9YlJT/NpNz9fM7l+L02aP
+wWLMqyC7moNmIpJMY2xBGU0EowQ/3xsSNo3u/fvOS4MyGLKENUPMFgO0J7yopiqt
+Ea31TcrFSTMSmFZCv8cGt38EwS6sdJZd/RB+h3yxesit8pouwpfbtLPx6LSGkPHY
+5nNVPgbt6xaxZJ/1kNbLFObSoZ3lzWBwp93dQh/WqeeeI51LGdM1G6fTL8HrmGFJ
+EX0AKpexFVnG/GROJc8taWtMbk9W5oK30JqR7hpSaluYbonpr9k4WQA+EAZjXfcJ
+0V0AMsMUhGtvFwKCAQAQZf7LnCuFKt5im+JgwFCVcALXJxwSb7GBZ1SQVFOL7Fdd
+MTvZ1SFh4P+T6qBn6GcuQIXrfcHnFNFmFgJ17o84akwwbiy4gnNu+8epqzhwN4Vf
++hxGoxfntftByRao+pr34YEfddTpznkdOnwMYvwypQF1WHzQmckRmjp7YB9fHsZI
+8I+SoQEiERiC+oblIJWERR1PBJt1Lr+eF2uWcpkKtPjx5X8pNkhFMD8MdTnkzSbf
+p7snUVSVB/ZsQ/SNAiShUk9jzY+SVhZOxFBl3BunUgtHF5OsnPBFxfQ3iia0tQgw
+jxfADGiSXbjn3T3hf7AJ7H7heQchewwtjy5U3v3ZAoIBAQCEAyRPe0SKJoT+X7su
+QwQClmo4SE7mUt5NAOkaKTXRz6PDEpbzkZCjZHhHGcKqeWgDizkbuh7lg0Z/G4Ik
+lK+L86jRolSGiXr/3+xMCXMRBqKQ9qV24+L5e1Y9JcDQlhfo6V06pCZ8mW1lFmcT
+UAlksucuPvZdNzQIl9ECe7YauqeStbsqIXxFrZbMA808KMde0Z1x8H/ywOpdSqLD
+r6/rKL1lNTeN5U+Ldox228fa6Gt62EpE/Y9aQMbYLBeLsvBXJ0e3DQ1PTW3kbr/v
+YNOGyY1u73GtQqkbAqY3MxLNxz/loW6BZanoFYoFv+L/5Dsp7ro8vR6pASUWQLzR
+cl9nAoIBAQCre87G76UXv6FIggT+cKM9MKS69KIE3mzNTYUo90L74vF65hJqlaIa
+mfEcPpEU+UY+ufZSIHtTDBj/9Rswaf5whJY7RfL42pSGnW2YOMpuwDIKAEvcJedu
+kZhbthBin4pa28X6L5sNxug+7Wykgesd48PmMLG4pTF+D9u7SgO37Ew5UzylPWNi
+Lrv9TlX1vv9rNFh/hOCA93DNrJlNNPltIcMDByVVjrq31QmxMJwE7cdvl1V7eoiO
+NQuGuGyFIEKPtl9dEUaA4SGYZ7fUqPZaZuzzM0Xa5UMpdcIzcuYYNn3G6FvV6vwU
+dH+lv5X1bTB18GK88ANpC2qLCKRJPCTx
-----END PRIVATE KEY-----
diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key
index 8a24f69f8..99cb512c4 100644
--- a/tests/data/tls/private/localhost.key
+++ b/tests/data/tls/private/localhost.key
@@ -1,16 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg
-ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM
-w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM
-brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij
-Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf
-2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ
-bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q
-1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf
-3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U
-VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7
-TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b
-iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP
-5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3
-b61hkjQZfbEg5cg=
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpR3z26BqHahZj
+TSrWD4zo2SmW57DC8ari2Qxq7WCr5DkGK/rVu5uB1IBn5mSTF7dLHRm/uLnCV0g3
+jBeoQOUyDaqF/MoNI0pSh9zTPsUsxvQKfjpaqVyJQJhV60eEGCEZ37p/E47P7H3w
+WGKICJ/4B2JRYFMoUWiFZej/1qIaCbS54mPY1LcTJpzE4qhNwN31Myw4nZ8wfYyW
+q4CsuhsK+6mE6tVuoGh56iXZLMUMM5byvI8PMUbLnGFkeSb/ewYigOkOQNHTKG8H
+Ofjup0sjmbJzoWP3qztLbGCqKoZclbQPQUJ+lRBfF+ZqHP8l3CX6GqzkSD9oD4sT
+/uWZLuzOjfPAlDncCl1xq6keLh9TrTA9Wt2jb3AvAM6EO5L45zWizVTIm3RPRr7M
+Hg8g/avGJ/LEjWJaZkW3u0nIu/WTvIw3sIsJbOxLLk8FmkaYdX1Zu9vrrQ3o3OUU
+MyqeMlYMCvUEuhXjLCamJY+HL/sm0pcV7VXeNPky8Yzbog4L7MLDBlXIQggBJ5Z6
+lkO62jTQuqjuM4pKUtGa6FNfUQsrzFhfplT9/PQXBidsu7psjiZEZ9snXZ9ZiblA
+yN7ZAC6+d1+Lvn0dR64uXpOCZ5AWCoUD/oqTCjPQ1xsppqP4HK8td8jhLeW+TBPb
+qc4C33rp9vVux2Rvw/nY12Sp5IyTlwIDAQABAoICADh1+wLvjmwz+xMxvCpvPRWm
+afCCR0AHqeqZye2fYoR4Cm05+837SFoWCrYbB0CqvsxJUNAcb6lf4rS/DYLFojOJ
+JzqiwmyHnBd5lrLyQFrkFHDtuEX1M9ZscfJprbeE944BnmvfWfNtM9YWLlLqc31e
+nCdB/x6FBZ0z2z8Avd87dih/aNc0NNNHxy3IBiA7i/0q04soaz0bRgm5nL0xlhYE
+bzUieWH7JQ5M47g6o76eReyeQqnUrWPeh5v/zraLGiMDvGScv6wx3x2KpHtutjr5
+mj1uVHm/UeyhYIwPGtIR0bDXhLaKcZnyeOw59G8/Z1mvVyUxb1dKW8kNKpj2yI2H
+Y1SjhW5qaOeaDPxAPqVyo6SUQIzOn6SD0l7aGyOyvYULjiw342HQYU4rQeSPOtjt
++NYMirnT7WNnmoSIsXx7nwUe38EWx5gCHy8taF4aZr5K85yZKnmsiX3vX/hH30yc
+GLOnDDa3b0FE2J2eYos14ru8RTqSLSxclr5Ru2yTdwLgE0gg+iygO1/tYYkqxZ09
+j+METJpg4wv+cQUG/BxysISqNjaPSPHdyJeTMzC8B+PUUpbRoBuvLLokkZ9P95nG
+72TFklEOB0m0VMxrEfev0HGSzkQm92s2Bf41TRaHTPSkg+G1s0haZTNqRVTGPrr/
+eyiz0qH2bgDeubJ3VuTBAoIBAQD9N+KeKo+hRWeV/I6BCBOfMeQOqlqIxYfYAxU+
+CuutILbTnGKFMTAx43syh/a5EV7q4yM81RCXKK/Lmja2OIeYJUb88bC/h0x/gq5W
+LLxHbKgFDUDF2VcWShMqDOo8J8FbzWwb9bOOShqASoR6FacJuOqlFvS8gaswZtiW
+fOvlWRKO2ybULgQctX5gOf1ctuab1VrzuHnNB30gVFc95Dg1b6RiyVAa8AFm6gs9
+6Rewk527+4T5Ho5UXvdsTVJsAhzJgVjPSyF2Vc1CRrp8lIffsg5Prb4w8kvB0i64
+09zn+jAfVRpjdGWqMI7BR1pCdheGMqv006ZVYY+QhcBIb0BHAoIBAQDr14d5PPDv
+pCjlJnCKNzX2irU6bdIY+zvXoemj/cYvHqQbPOe/kaCWFNPMxANKMmZSTdSM7qqR
+s0P1RW/R7moWNSesYwW+2Jp2hIhiWmy+E+ksXeTlFwVpuMHSDPS/N61N8XgmT3pI
+Qngl1hgxGbttniKEwI+Nc7Z3FYDDCp206nmC5y33D+ZYHv1L3e33pyqHdHD/uIeU
+57OPr7Mmd/J6pmClh1dqyZwVBClc2V6w0y2G8Lk1v79wOMrn+4/p9KH2BgkFe2gr
+uB8TOLlUhttQ8VfzXCd+Zi9s3oW0h7Vkvt4kDlJm0MrnMmK0aqgKB+7XkKE0ccVQ
+xSodzbBdDYoxAoIBAH2qGmD8JkOWug2JRP9sDrDWhaNxj3SI8x2Uiho8OTG2JoVl
++s621oArsJwnNZ4qrLxM9NPfuVgK7RNR+Qz9iO1MsqodF+Y1MxWkuPgzQ0z+83Nu
+XFLTxZBeOpyHxEcOQ7tXeut1SCK5S+WXFZ+w1zDQAELl3ZcfkuF2aM5mOHuddMRI
+pkBuhcPpnkoK/V3htxhnDbgeOPQzXzmIIbOpauu5+A6+cW6s5UU5qVKUNxl+aK09
+6YPoUiI07v1kch7//WFTO8vEMVsUwcS+bRYecD/nkYqhYt3PoSETOfSnz92gH/ms
+tmfdAAcyCeaJjpWlHY+P3h6mWsnMnP7QIdjQvUkCggEAGFkiBWRDQ5phFndHex2E
+FrXvS972p9mYLgTrSCD1CvxQ2PcKvf5c4+G2lBdQd6KIacrbPMmPFoe5ZmMKzlOc
+5DoMpIF8oF1gZQf9xJmtTFpl4ky3Sud7iZSnffYUdoFbBQb+7oWaDEfAe7eEu9z6
+OrDuw2HV8DaYCedQadJ4warLbLZNSop7r3FTmTeKT90USPO+jsgQR1E8eoMbLceI
+Yx02MSCt57p0wL6zPoC6g+rpclr75A6txvo2CIkyLGczKWEqIUTCVnEl1CgxCgb6
+MXsZJ2jGMwh9sPGwQBkaoxIJgRNxcmfv6rqK8jFos9Bp2ht2aSGty07vsDACGzlA
+oQKCAQEA8PzgkyGYHs2DwNhmv3j5ZFaP0RukwbdChSoxmbC9JP2JJxxYcnww5jYH
+xeM1bahqkdKyG5iDRiYB74EolZUMA3Zny13R4HWxNe4aUZW1H8mdmhllXX90aUOU
+WEvF2yYZbg9CQIq7zQh8HsF/S8sDTsXoZOx30zrPgb44spWKRmxdwUJt944weXvc
+p5XkLvVzBVJ+RD5IgPTBFl1iCkw3eq01CFcbTdfe9cS8V9IgDy0Jq2GvRE3Y2JS6
+xqtBB1MgZvrUoAZ8jPacRRXddg87Hwgs9+R1jaE+ZYixojOFg+JnQOGkUd9FhJAW
+bcnWV4XIPIMbouL4132Ove+GukJlPA==
-----END PRIVATE KEY-----
--
2.29.2

View File

@ -0,0 +1,487 @@
From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Apr 2020 16:19:05 +0300
Subject: [PATCH] auth: add SASL/GSSAPI tests
---
tests/data/krb5.conf | 32 ++++++
tests/data/slapd-sasl-gssapi.conf | 65 ++++++++++++
tests/scripts/conf.sh | 3 +
tests/scripts/defines.sh | 5 +
tests/scripts/setup_kdc.sh | 144 +++++++++++++++++++++++++++
tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++
6 files changed, 408 insertions(+)
create mode 100644 tests/data/krb5.conf
create mode 100644 tests/data/slapd-sasl-gssapi.conf
create mode 100755 tests/scripts/setup_kdc.sh
create mode 100755 tests/scripts/test077-sasl-gssapi
diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
new file mode 100644
index 000000000..739113742
--- /dev/null
+++ b/tests/data/krb5.conf
@@ -0,0 +1,32 @@
+[libdefaults]
+ default_realm = @KRB5REALM@
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ default_ccache_name = FILE://@TESTDIR@/ccache
+ #udp_preference_limit = 1
+[realms]
+ @KRB5REALM@ = {
+ kdc = @KDCHOST@:@KDCPORT@
+ acl_file = @TESTDIR@/kadm.acl
+ database_name = @TESTDIR@/kdc.db
+ key_stash_file = @TESTDIR@/kdc.stash
+ }
+[kdcdefaults]
+ kdc_ports = @KDCPORT@
+ kdc_tcp_ports = @KDCPORT@
+[logging]
+ kdc = FILE:@TESTDIR@/kdc.log
+ admin_server = FILE:@TESTDIR@/kadm.log
+ default = FILE:@TESTDIR@/krb5.log
+
+#Heimdal
+[kdc]
+ database = {
+ dbname = @TESTDIR@/kdc.db
+ realm = @KRB5REALM@
+ mkey_file = @TESTDIR@/kdc.stash
+ log_file = @TESTDIR@/kdc.log
+ acl_file = @TESTDIR@/kadm.acl
+ }
+[hdb]
+ db-dir = @TESTDIR@
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
new file mode 100644
index 000000000..611fc7097
--- /dev/null
+++ b/tests/data/slapd-sasl-gssapi.conf
@@ -0,0 +1,65 @@
+# stand-alone slapd config -- for testing (with indexing)
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+#
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+#
+include @SCHEMADIR@/corba.schema
+include @SCHEMADIR@/java.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/misc.schema
+include @SCHEMADIR@/nis.schema
+include @SCHEMADIR@/openldap.schema
+#
+include @SCHEMADIR@/duaconf.schema
+include @SCHEMADIR@/dyngroup.schema
+
+#
+pidfile @TESTDIR@/slapd.1.pid
+argsfile @TESTDIR@/slapd.1.args
+
+# SSL configuration
+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
+
+#
+rootdse @DATADIR@/rootdse.ldif
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database @BACKEND@
+suffix "dc=example,dc=com"
+rootdn "cn=Manager,dc=example,dc=com"
+rootpw secret
+#~null~#directory @TESTDIR@/db.1.a
+#indexdb#index objectClass eq
+#indexdb#index mail eq
+#ndb#dbname db_1_a
+#ndb#include @DATADIR@/ndb.conf
+
+#monitor#database monitor
+
+sasl-realm @KRB5REALM@
+sasl-host localhost
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index 2a859d89d..5b477ed93 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -97,4 +97,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s;@TESTWD@;${TESTWD};" \
-e "s;@DATADIR@;${DATADIR};" \
-e "s;@SCHEMADIR@;${SCHEMADIR};" \
+ -e "s;@KRB5REALM@;${KRB5REALM};" \
+ -e "s;@KDCHOST@;${KDCHOST};" \
+ -e "s;@KDCPORT@;${KDCPORT};" \
-e "/^#/d"
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 26dab1bae..78dc1f8ae 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -108,6 +108,7 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
TLSCONF=$DATADIR/slapd-tls.conf
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
+SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
GLUECONF=$DATADIR/slapd-glue.conf
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
@@ -214,6 +215,7 @@ PORT3=`expr $BASEPORT + 3`
PORT4=`expr $BASEPORT + 4`
PORT5=`expr $BASEPORT + 5`
PORT6=`expr $BASEPORT + 6`
+KDCPORT=`expr $BASEPORT + 7`
URI1="ldap://${LOCALHOST}:$PORT1/"
URIP1="ldap://${LOCALIP}:$PORT1/"
URI2="ldap://${LOCALHOST}:$PORT2/"
@@ -239,6 +241,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
SURI6="ldaps://${LOCALHOST}:$PORT6/"
SURIP6="ldaps://${LOCALIP}:$PORT6/"
+KRB5REALM="K5.REALM"
+KDCHOST=$LOCALHOST
+
# LDIF
LDIF=$DATADIR/test.ldif
LDIFADD1=$DATADIR/do_add.1
diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
new file mode 100755
index 000000000..1cb784075
--- /dev/null
+++ b/tests/scripts/setup_kdc.sh
@@ -0,0 +1,144 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+export KRB5_TRACE=$TESTDIR/k5_trace
+export KRB5_CONFIG=$TESTDIR/krb5.conf
+export KRB5_KDC_PROFILE=$KRB5_CONFIG
+export KRB5_KTNAME=$TESTDIR/server.kt
+export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt
+export KRB5CCNAME=$TESTDIR/client.ccache
+
+KDCLOG=$TESTDIR/setup_kdc.log
+KSERVICE=ldap/$LOCALHOST
+KUSER=kuser
+
+. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG
+
+PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin
+
+echo "Trying Heimdal KDC..."
+
+kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1
+RC=$?
+if test $RC = 0 ; then
+
+ kstash --random-key > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kstash failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h"
+ kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin init failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 &
+else
+ echo "Trying MIT KDC..."
+
+ kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kdb5_util create failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: admin addprinc failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kadmin addprinc failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ krb5kdc -n > $KDCLOG 2>&1 &
+fi
+
+KDCPROC=$!
+sleep 1
+
+kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
+RC=$?
+if test $RC != 0 ; then
+ kill $KDCPROC
+ echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests"
+ exit 0
+fi
+
+pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
+RC=$?
+if test $RC != 0 ; then
+
+ saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
+ RC=$?
+ if test $RC != 0 ; then
+ kill $KDCPROC
+ echo "cyrus-sasl has no GSSAPI support, test skipped"
+ exit 0
+ fi
+fi
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
new file mode 100755
index 000000000..64abe16fe
--- /dev/null
+++ b/tests/scripts/test077-sasl-gssapi
@@ -0,0 +1,159 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_SASL = no ; then
+ echo "SASL support not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1
+cp -r $DATADIR/tls $TESTDIR
+
+cd $TESTWD
+
+
+echo "Starting KDC for SASL/GSSAPI tests..."
+. $SRCDIR/scripts/setup_kdc.sh
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ kill $KDCPROC
+ exit $RC
+fi
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+grep GSSAPI $TESTOUT
+RC=$?
+if test $RC != 0 ; then
+ echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo -n "Using ldapwhoami with SASL/GSSAPI: "
+$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+else
+ echo "success"
+fi
+
+echo -n "Validating mapped SASL/GSSAPI ID: "
+echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
+RC=$?
+if test $RC != 0 ; then
+ echo "Comparison failed"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+else
+ echo "success"
+fi
+
+if test $WITH_TLS = no ; then
+ echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
+else
+ echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ > $TESTOUT 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ else
+ echo "success"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ > $TESTOUT 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ else
+ echo "success"
+ fi
+fi
+
+kill $KDCPROC
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+if test $RC != 0 ; then
+ echo ">>>>> Test failed"
+else
+ echo ">>>>> Test succeeded"
+ RC=0
+fi
+
+test $KILLSERVERS != no && wait
+
+exit $RC
--
2.29.2

View File

@ -0,0 +1,137 @@
From a6d34ed8672a02b49bb286cbeb2d75a08bc0c085 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@rehdat.com>
Date: Thu, 1 Jul 2021 12:53:24 +0200
Subject: [PATCH] Fix Channel Binding tests
---
...s => test069-delta-multiprovider-starttls} | 24 +++++++++----------
...daps => test070-delta-multiprovider-ldaps} | 24 +++++++++----------
2 files changed, 24 insertions(+), 24 deletions(-)
rename tests/scripts/{test069-delta-multimaster-starttls => test069-delta-multiprovider-starttls} (96%)
rename tests/scripts/{test070-delta-multimaster-ldaps => test070-delta-multiprovider-ldaps} (96%)
diff --git a/tests/scripts/test069-delta-multimaster-starttls b/tests/scripts/test069-delta-multiprovider-starttls
similarity index 96%
rename from tests/scripts/test069-delta-multimaster-starttls
rename to tests/scripts/test069-delta-multiprovider-starttls
index 2dfbb30a1..01fed1e2c 100755
--- a/tests/scripts/test069-delta-multimaster-starttls
+++ b/tests/scripts/test069-delta-multiprovider-starttls
@@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2017 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@@ -277,7 +277,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -301,7 +301,7 @@ THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
sleep 1
for i in 1 2 3; do
$LDAPSEARCH -S "" -b "$THEDN" -H $URI1 \
- -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
+ -s base '(objectClass=*)' entryCSN > "${PROVIDEROUT}.$i" 2>&1
RC=$?
if test $RC = 0 ; then
@@ -309,7 +309,7 @@ for i in 1 2 3; do
fi
if test $RC != 32 ; then
- echo "ldapsearch failed at slave ($RC)!"
+ echo "ldapsearch failed at replica ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
@@ -340,7 +340,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -555,7 +555,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
diff --git a/tests/scripts/test070-delta-multimaster-ldaps b/tests/scripts/test070-delta-multiprovider-ldaps
similarity index 96%
rename from tests/scripts/test070-delta-multimaster-ldaps
rename to tests/scripts/test070-delta-multiprovider-ldaps
index 1024640ef..37de9ddd0 100755
--- a/tests/scripts/test070-delta-multimaster-ldaps
+++ b/tests/scripts/test070-delta-multiprovider-ldaps
@@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2017 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@@ -276,7 +276,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -300,7 +300,7 @@ THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
sleep 1
for i in 1 2 3; do
$LDAPSEARCH -S "" -b "$THEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $SURIP1 \
- -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
+ -s base '(objectClass=*)' entryCSN > "${PROVIDEROUT}.$i" 2>&1
RC=$?
if test $RC = 0 ; then
@@ -308,7 +308,7 @@ for i in 1 2 3; do
fi
if test $RC != 32 ; then
- echo "ldapsearch failed at slave ($RC)!"
+ echo "ldapsearch failed at replica ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
@@ -339,7 +339,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -552,7 +552,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
--
2.31.1

View File

@ -0,0 +1,73 @@
Various manual pages changes:
* removes LIBEXECDIR from slapd.8
* removes references to non-existing manpages (bz 624616)
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 3def6da..466c772 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
-.BR ldap_modrdn_ext (3),
-.BR ldif (5).
+.BR ldif (5)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cfde143..63592cb 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -317,6 +317,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index b739f4d..e2a1a00 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
[\c
@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd
+ slapd
.ft
.fi
.LP
@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP
--
1.8.1.4

View File

@ -0,0 +1,48 @@
Reference default system-wide CA certificates in manpages
OpenSSL, unless explicitly configured, uses system-wide default set of CA
certificates.
Author: Matus Honek <mhonek@redhat.com>
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
negotiates TLS by issuing the LDAP StartTLS operation.
+.LP
+When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
+is set, the system-wide default set of CA certificates is used.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -801,6 +801,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
+\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1032,6 +1032,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
+\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.

View File

@ -0,0 +1,33 @@
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
example if libldap needs to be initialized from within gethostbyXXXX() (which
actually happens if nss_ldap is used for hostname resolution and earlier
modules can't resolve the local host name), so use the reentrant versions of
the functions, even if we're not being compiled for use in libldap_r
Resolves: #179730
Author: Jeffery Layton <jlayton@redhat.com>
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
index 373c81c..a012062 100644
--- a/libraries/libldap/util-int.c
+++ b/libraries/libldap/util-int.c
@@ -52,8 +52,8 @@ extern int h_errno;
#ifndef LDAP_R_COMPILE
# undef HAVE_REENTRANT_FUNCTIONS
# undef HAVE_CTIME_R
-# undef HAVE_GETHOSTBYNAME_R
-# undef HAVE_GETHOSTBYADDR_R
+/* # undef HAVE_GETHOSTBYNAME_R */
+/* # undef HAVE_GETHOSTBYADDR_R */
#else
# include <ldap_pvt_thread.h>
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)
-#if defined(LDAP_R_COMPILE)
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
static char *safe_realloc( char **buf, int len );
#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

View File

@ -0,0 +1,62 @@
Compile smbk5pwd together with other overlays.
Author: Jan Šafránek <jsafrane@redhat.com>
Resolves: #550895
Update to link against OpenSSL
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #841560
diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
index f20ad94..b6433ff 100644
--- a/contrib/slapd-modules/smbk5pwd/README
+++ b/contrib/slapd-modules/smbk5pwd/README
@@ -1,3 +1,8 @@
+******************************************************************************
+Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
+is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
+******************************************************************************
+
This directory contains a slapd overlay, smbk5pwd, that extends the
PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user.
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
index 3af20e8..ef73663 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
unique.c \
- valsort.c
+ valsort.c \
+ smbk5pwd.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+smbk5pwd.lo : smbk5pwd.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+smbk5pwd.la : smbk5pwd.lo
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
--
1.7.10.4

View File

@ -0,0 +1,41 @@
From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
Date: Tue, 18 May 2010 17:47:05 +0200
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
Proof of concept for fixing http://bugs.debian.org/327585
(patch ported from freeradius bug http://bugs.debian.org/416266)
Resolves: #960048
---
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
@@ -117,6 +117,20 @@
return -1; /* not found */
}
+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
+{
+ lt_dlhandle handle = 0;
+ lt_dladvise advise;
+
+ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
+ && !lt_dladvise_global (&advise))
+ handle = lt_dlopenadvise (filename, advise);
+
+ lt_dladvise_destroy (&advise);
+
+ return handle;
+}
+
int module_load(const char* file_name, int argc, char *argv[])
{
module_loaded_t *module;
@@ -180,7 +194,7 @@
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/
- if ((module->lib = lt_dlopenext(file)) == NULL) {
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
error = lt_dlerror();
#ifdef HAVE_EBCDIC
strcpy( ebuf, error );

158
SOURCES/slapd.ldif Normal file
View File

@ -0,0 +1,158 @@
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
# TLS settings
#
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by oclTLSCACertificatePath one has to include them explicitly:
#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
#
# Private cert and key are not pregenerated.
#olcTLSCertificateFile:
#olcTLSCertificateKeyFile:
#
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#olcTLSCipherSuite: PROFILE=SYSTEM
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" manage by * none
#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
#
# Backend database definitions
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

17
SOURCES/slapd.service Normal file
View File

@ -0,0 +1,17 @@
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html
[Service]
Type=forking
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
[Install]
WantedBy=multi-user.target
Alias=openldap.service

2
SOURCES/slapd.tmpfiles Normal file
View File

@ -0,0 +1,2 @@
# openldap runtime directory for slapd.arg and slapd.pid
d /run/openldap 0755 ldap ldap -

2286
SPECS/openldap.spec Normal file

File diff suppressed because it is too large Load Diff