Rebase to version 2.4.50

Resolves: #1742285
2020-06-05 11:57:25 +02:00 · 2020-06-05 11:57:25 +02:00 · 9d8fa89777
commit 9d8fa89777
parent 54bacfed35
7 changed files with 45 additions and 326 deletions
--- a/.gitignore
+++ b/.gitignore
@ -18,3 +18,4 @@
 /openldap-2.4.45.tgz
 /openldap-2.4.46.tgz
 /openldap-2.4.47.tgz
+/openldap-2.4.50.tgz
--- a/openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
+++ b/openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch
@ -0,0 +1,36 @@
+From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount <quanah@openldap.org>
+Date: Tue, 28 Apr 2020 20:49:53 +0000
+Subject: [PATCH] ITS#8650 - Fix Debug usage to follow RE24 format
+
+---
+ libraries/libldap/tls2.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index c1f15cbc1..ebe5bf125 100644
+--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
+@@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 			} else if ( sb->sb_trans_needs_write ) {
+ 				wr=1;
+ 			}
+-			Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+-					wr ? "write": "read" );
+			Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
+					wr ? "write": "read", 0, 0 );
+ 
+ 			/* This is mostly copied from result.c:wait4msg(), should
+ 			 * probably be moved into a separate function */
+@@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
+ 			start_time_tv.tv_sec = curr_time_tv.tv_sec;
+ 			start_time_tv.tv_usec = curr_time_tv.tv_usec;
+ 			tv = tv0;
+-			Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+			Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
+ 				(void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
+ 			ret = ldap_int_poll( ld, sd, &tv, wr);
+ 			if ( ret < 0 ) {
+-- 
+2.25.4
+
--- a/openldap-ldapi-sasl.patch
+++ b/openldap-ldapi-sasl.patch
@ -1,55 +0,0 @@
-From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 7 May 2013 17:02:57 +0200
-Subject: [PATCH] LDAPI SASL fix
-
-Resolves: #960222
---
- libraries/libldap/cyrus.c | 19 ++++++++++++++++---
- 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
-
-diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
-index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c
-+++ b/libraries/libldap/cyrus.c
-@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
- 	struct berval	ccred = BER_BVNULL;
- 	int saslrc, rc;
- 	unsigned credlen;
-+	char my_hostname[HOST_NAME_MAX + 1];
-+	int free_saslhost = 0;
- 
- 	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
- 		mechs ? mechs : "<null>", 0, 0 );
-@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
- 
- 			/* If we don't need to canonicalize just use the host
- 			 * from the LDAP URI.
-+			 * Always use the result of gethostname() for LDAPI.
- 			 */
-			if ( nocanon )
-+			if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
-+			    strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
-+				rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
-+				if (rc == 0) {
-+					saslhost = my_hostname;
-+				} else {
-+					saslhost = "localhost";
-+				}
-+			} else if ( nocanon )
- 				saslhost = ld->ld_defconn->lconn_server->lud_host;
-			else 
-+			else {
- 				saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
- 				"localhost" );
-+				free_saslhost = 1;
-+			}
- 			rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
-			if ( !nocanon )
-+			if ( free_saslhost )
- 				LDAP_FREE( saslhost );
- 		}
- 
-- 
-1.7.11.7
-
--- a/openldap-openssl-ITS7595-Add-EC-support-1.patch
+++ b/openldap-openssl-ITS7595-Add-EC-support-1.patch
@ -1,227 +0,0 @@
-ITS#7595 Add Elliptic Curve support for OpenSSL
-
-Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
-Author:    Howard Chu <hyc@openldap.org>
-Date:      Sat Sep 7 09:47:19 2013 -0700
-
-diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
-index 9c72e8296..2311c3096 100644
--- a/doc/man/man5/slapd-config.5
-+++ b/doc/man/man5/slapd-config.5
-@@ -922,6 +922,13 @@ are not used.
- When using Mozilla NSS these parameters are always generated randomly
- so this directive is ignored.
- .TP
-+.B olcTLSECName: <name>
-+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-+ephemeral key exchange.  This is required to enable ECDHE algorithms in
-+OpenSSL.  This option is not used with GnuTLS; the curves may be
-+chosen in the GnuTLS ciphersuite specification. This option is also
-+ignored for Mozilla NSS.
-+.TP
- .B olcTLSProtocolMin: <major>[.<minor>]
- Specifies minimum SSL/TLS protocol version that will be negotiated.
- If the server doesn't support at least that version,
-diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
-index f504adcf9..ef03e0ad8 100644
--- a/doc/man/man5/slapd.conf.5
-+++ b/doc/man/man5/slapd.conf.5
-@@ -1153,6 +1153,13 @@ are not used.
- When using Mozilla NSS these parameters are always generated randomly
- so this directive is ignored.
- .TP
-+.B TLSECName <name>
-+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-+ephemeral key exchange.  This is required to enable ECDHE algorithms in
-+OpenSSL.  This option is not used with GnuTLS; the curves may be
-+chosen in the GnuTLS ciphersuite specification. This option is also
-+ignored for Mozilla NSS.
-+.TP
- .B TLSProtocolMin <major>[.<minor>]
- Specifies minimum SSL/TLS protocol version that will be negotiated.
- If the server doesn't support at least that version,
-diff --git a/include/ldap.h b/include/ldap.h
-index c245651c2..0964a193e 100644
--- a/include/ldap.h
-+++ b/include/ldap.h
-@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
- #define LDAP_OPT_X_TLS_NEWCTX		0x600f
- #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */
- #define LDAP_OPT_X_TLS_PACKAGE		0x6011
-+#define LDAP_OPT_X_TLS_ECNAME		0x6012
- 
- #define LDAP_OPT_X_TLS_NEVER	0
- #define LDAP_OPT_X_TLS_HARD		1
-diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
-index 66e04ae80..db7193f4f 100644
--- a/libraries/libldap/ldap-int.h
-+++ b/libraries/libldap/ldap-int.h
-@@ -165,6 +165,7 @@ struct ldaptls {
- 	char		*lt_ciphersuite;
- 	char		*lt_crlfile;
- 	char		*lt_randfile;	/* OpenSSL only */
-+	char		*lt_ecname;		/* OpenSSL only */
- 	int		lt_protocol_min;
- };
- #endif
-@@ -250,6 +251,7 @@ struct ldapoptions {
- #define ldo_tls_certfile	ldo_tls_info.lt_certfile
- #define ldo_tls_keyfile	ldo_tls_info.lt_keyfile
- #define ldo_tls_dhfile	ldo_tls_info.lt_dhfile
-+#define ldo_tls_ecname	ldo_tls_info.lt_ecname
- #define ldo_tls_cacertfile	ldo_tls_info.lt_cacertfile
- #define ldo_tls_cacertdir	ldo_tls_info.lt_cacertdir
- #define ldo_tls_ciphersuite	ldo_tls_info.lt_ciphersuite
-diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
-index d25c190ea..0451b01af 100644
--- a/libraries/libldap/tls2.c
-+++ b/libraries/libldap/tls2.c
-@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
- 		LDAP_FREE( lo->ldo_tls_dhfile );
- 		lo->ldo_tls_dhfile = NULL;
- 	}
-+	if ( lo->ldo_tls_ecname ) {
-+		LDAP_FREE( lo->ldo_tls_ecname );
-+		lo->ldo_tls_ecname = NULL;
-+	}
- 	if ( lo->ldo_tls_cacertfile ) {
- 		LDAP_FREE( lo->ldo_tls_cacertfile );
- 		lo->ldo_tls_cacertfile = NULL;
-@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
- 		lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
- 		__atoe( lts.lt_dhfile );
- 	}
-+	if ( lts.lt_ecname ) {
-+		lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
-+		__atoe( lts.lt_ecname );
-+	}
- #endif
- 	lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
- 	if ( lo->ldo_tls_ctx == NULL ) {
-@@ -257,6 +265,7 @@ error_exit:
- 	LDAP_FREE( lts.lt_crlfile );
- 	LDAP_FREE( lts.lt_cacertdir );
- 	LDAP_FREE( lts.lt_dhfile );
-+	LDAP_FREE( lts.lt_ecname );
- #endif
- 	return rc;
- }
-@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
- 		*(char **)arg = lo->ldo_tls_dhfile ?
- 			LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
- 		break;
-+	case LDAP_OPT_X_TLS_ECNAME:
-+		*(char **)arg = lo->ldo_tls_ecname ?
-+			LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
-+		break;
- 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
- 		*(char **)arg = lo->ldo_tls_crlfile ?
- 			LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
-@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
- 		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
- 		lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
- 		return 0;
-+	case LDAP_OPT_X_TLS_ECNAME:
-+		if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
-+		lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
-+		return 0;
- 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
- 		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
- 		lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index f24060b7e..1370923af 100644
--- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- 		return -1;
- 	}
- 
-	if ( lo->ldo_tls_dhfile ) {
-		DH *dh = NULL;
-+	if ( is_server && lo->ldo_tls_dhfile ) {
-+		DH *dh;
- 		BIO *bio;
-		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
- 
- 		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
- 			Debug( LDAP_DEBUG_ANY,
-@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- 		}
- 		BIO_free( bio );
- 		SSL_CTX_set_tmp_dh( ctx, dh );
-+		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
-+		DH_free( dh );
-+	}
-+
-+#ifdef SSL_OP_SINGLE_ECDH_USE
-+	if ( is_server && lo->ldo_tls_ecname ) {
-+		EC_KEY *ecdh;
-+
-+		int nid = OBJ_sn2nid( lt->lt_ecname );
-+		if ( nid == NID_undef ) {
-+			Debug( LDAP_DEBUG_ANY,
-+				"TLS: could not use EC name `%s'.\n",
-+				lo->ldo_tls_ecname,0,0);
-+			tlso_report_error();
-+			return -1;
-+		}
-+		ecdh = EC_KEY_new_by_curve_name( nid );
-+		if ( ecdh == NULL ) {
-+			Debug( LDAP_DEBUG_ANY,
-+				"TLS: could not generate key for EC name `%s'.\n",
-+				lo->ldo_tls_ecname,0,0);
-+			tlso_report_error();
-+			return -1;
-+		}
-+		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
-+		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
-+		EC_KEY_free( ecdh );
- 	}
-+#endif
- 
- 	if ( tlso_opt_trace ) {
- 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
-diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
-index 250f14100..8b1e4e582 100644
--- a/servers/slapd/bconfig.c
-+++ b/servers/slapd/bconfig.c
-@@ -194,6 +194,7 @@ enum {
- 	CFG_ACL_ADD,
- 	CFG_SYNC_SUBENTRY,
- 	CFG_LTHREADS,
-+	CFG_TLS_ECNAME,
- 
- 	CFG_LAST
- };
-@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
- #endif
- 		"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
- 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
-+	{ "TLSECName", NULL, 2, 2, 0,
-+#ifdef HAVE_TLS
-+		CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
-+#else
-+		ARG_IGNORED, NULL,
-+#endif
-+		"( OLcfgGlAt:96 NAME 'olcTLSECName' "
-+			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
- 	{ "TLSProtocolMin",	NULL, 2, 2, 0,
- #ifdef HAVE_TLS
- 		CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
-@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
- 		 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
- 		 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
- 		 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
-		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
-+		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
- 		 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
- 		 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
- 		 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
-@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
- 	case CFG_TLS_CA_PATH:	flag = LDAP_OPT_X_TLS_CACERTDIR;	break;
- 	case CFG_TLS_CA_FILE:	flag = LDAP_OPT_X_TLS_CACERTFILE;	break;
- 	case CFG_TLS_DH_FILE:	flag = LDAP_OPT_X_TLS_DHFILE;	break;
-+	case CFG_TLS_ECNAME:	flag = LDAP_OPT_X_TLS_ECNAME;	break;
- #ifdef HAVE_GNUTLS
- 	case CFG_TLS_CRL_FILE:	flag = LDAP_OPT_X_TLS_CRLFILE;	break;
- #endif
--- a/openldap-openssl-ITS7595-Add-EC-support-2.patch
+++ b/openldap-openssl-ITS7595-Add-EC-support-2.patch
@ -1,34 +0,0 @@
-ITS#7595 don't try to use EC if OpenSSL lacks it
-
-Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
-Author: Howard Chu <hyc@openldap.org>
-Date: Sun Sep 8 06:32:23 2013 -0700
-
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index 1a81bc625..71c2b055c 100644
--- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- 		DH_free( dh );
- 	}
- 
-#ifdef SSL_OP_SINGLE_ECDH_USE
- 	if ( is_server && lo->ldo_tls_ecname ) {
-+#ifdef OPENSSL_NO_EC
-+		Debug( LDAP_DEBUG_ANY,
-+			"TLS: Elliptic Curves not supported.\n", 0,0,0 );
-+		return -1;
-+#else
- 		EC_KEY *ecdh;
- 
- 		int nid = OBJ_sn2nid( lt->lt_ecname );
-@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
- 		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
- 		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
- 		EC_KEY_free( ecdh );
-	}
- #endif
-+	}
- 
- 	if ( tlso_opt_trace ) {
- 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
--- a/openldap.spec
+++ b/openldap.spec
@ -4,8 +4,8 @@
 %global check_password_version 1.1

 Name: openldap
-Version: 2.4.47
-Release: 5%{?dist}
+Version: 2.4.50
+Release: 1%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
@ -32,11 +32,8 @@ Patch17: openldap-allop-overlay.patch
 # the proper fix is to link all perl modules against libperl
 # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
-# ldapi sasl fix pending upstream inclusion
-Patch20: openldap-ldapi-sasl.patch
-Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
-Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
 Patch24: openldap-openssl-manpage-defaultCA.patch
+Patch25: openldap-ITS-8650-Fix-Debug-usage-to-follow-RE24-format.patch

 # check-password module specific patches
 Patch90: check-password-makefile.patch
@ -113,10 +110,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch5 -p1
 %patch17 -p1
 %patch19 -p1
-%patch20 -p1
-%patch22 -p1
-%patch23 -p1
 %patch24 -p1
+%patch25 -p1

 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -486,6 +481,9 @@ exit 0
 %{_mandir}/man3/*

 %changelog
+* Wed Jun 17 2020 Matus Honek <mhonek@redhat.com> - 2.4.50-1
+- Rebase to version 2.4.50 (#1742285)
+
 * Tue Jun 16 2020 Tom Stellard <tstellar@redhat.com> - 2.4.47-5
 - Spec file cleanups
 - Add BuildRequres: gcc [1]
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (ltb-project-openldap-ppolicy-check-password-1.1.tar.gz) = f3384a164ce5db488908cf6380bad8500b800b09d12a8f04e1b6ccb6f6af6ab3971fcdbe4acca7a1b6d16b408a11065c2b1ab2497863fe07d3c28262b0f6776e
-SHA512 (openldap-2.4.47.tgz) = d424079e34207e3d24383a2bea70a07ded40714982a6767174d2b2cb208cd94feab5ef12157accae915b8e404e5773a7547aaef65f06b44dc3cc09c6a64d5a11
+SHA512 (openldap-2.4.50.tgz) = f528043ff9de36f7b65d8816c9a9c24f0ac400041b2969965178ee6eae62c92a11af33a0a883e4954e5fff98a0738a9f9aa2faf5b385d21974754e045aab31ae