new upstream release (2.4.28)
- upstream changes:
- server: support for delta-syncrepl in multi master replication
- server: add experimental backend - MDB
- server: dynamic configuration for passwd, perl, shell, sock, and sql backends
- server: support passwords in APR1
- library: support for Wahl (draft)
- a lot of bugfixes
- remove patches which were merged upstream
parent
0fcc2f2eb2
commit
ad3da8cc04
2
.gitignore
2
.gitignore
@ -1 +1 @@
|
|||||||
/openldap-2.4.26.tgz
|
/openldap-2.4.28.tgz
|
||||||
|
@ -1,81 +0,0 @@
|
|||||||
constraint overlay: fix config emit
|
|
||||||
|
|
||||||
Author: Pierangelo Masarati <ando@OpenLDAP.org>
|
|
||||||
Upstream ITS: #6986
|
|
||||||
Upstream commit: c0b669e14f4ef5b649f86bb3c1cc4ca76a00efa8
|
|
||||||
Resolves: #733067
|
|
||||||
|
|
||||||
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
|
|
||||||
index fcb2830..e6a9267 100644
|
|
||||||
--- a/servers/slapd/overlays/constraint.c
|
|
||||||
+++ b/servers/slapd/overlays/constraint.c
|
|
||||||
@@ -145,6 +145,8 @@ constraint_cf_gen( ConfigArgs *c )
|
|
||||||
char *tstr = NULL;
|
|
||||||
int quotes = 0;
|
|
||||||
int j;
|
|
||||||
+ size_t val;
|
|
||||||
+ char val_buf[SLAP_TEXT_BUFLEN] = { '\0' };
|
|
||||||
|
|
||||||
bv.bv_len = STRLENOF(" ");
|
|
||||||
for (j = 0; cp->ap[j]; j++) {
|
|
||||||
@@ -156,6 +158,7 @@ constraint_cf_gen( ConfigArgs *c )
|
|
||||||
|
|
||||||
if (cp->re) {
|
|
||||||
tstr = REGEX_STR;
|
|
||||||
+ quotes = 1;
|
|
||||||
} else if (cp->lud) {
|
|
||||||
tstr = URI_STR;
|
|
||||||
quotes = 1;
|
|
||||||
@@ -164,8 +167,10 @@ constraint_cf_gen( ConfigArgs *c )
|
|
||||||
quotes = 1;
|
|
||||||
} else if (cp->size) {
|
|
||||||
tstr = SIZE_STR;
|
|
||||||
+ val = cp->size;
|
|
||||||
} else if (cp->count) {
|
|
||||||
tstr = COUNT_STR;
|
|
||||||
+ val = cp->count;
|
|
||||||
}
|
|
||||||
|
|
||||||
bv.bv_len += strlen(tstr);
|
|
||||||
@@ -175,6 +180,15 @@ constraint_cf_gen( ConfigArgs *c )
|
|
||||||
bv.bv_len += cp->restrict_val.bv_len + STRLENOF(" restrict=\"\"");
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (cp->count || cp->size) {
|
|
||||||
+ int len = snprintf(val_buf, sizeof(val_buf), "%d", val);
|
|
||||||
+ if (len <= 0) {
|
|
||||||
+ /* error */
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ bv.bv_len += len;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
s = bv.bv_val = ch_malloc(bv.bv_len + 1);
|
|
||||||
|
|
||||||
s = lutil_strncopy( s, cp->ap[0]->ad_cname.bv_val, cp->ap[0]->ad_cname.bv_len );
|
|
||||||
@@ -185,9 +199,13 @@ constraint_cf_gen( ConfigArgs *c )
|
|
||||||
*s++ = ' ';
|
|
||||||
s = lutil_strcopy( s, tstr );
|
|
||||||
*s++ = ' ';
|
|
||||||
- if ( quotes ) *s++ = '"';
|
|
||||||
- s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
|
|
||||||
- if ( quotes ) *s++ = '"';
|
|
||||||
+ if (cp->count || cp->size) {
|
|
||||||
+ s = lutil_strcopy( s, val_buf );
|
|
||||||
+ } else {
|
|
||||||
+ if ( quotes ) *s++ = '"';
|
|
||||||
+ s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
|
|
||||||
+ if ( quotes ) *s++ = '"';
|
|
||||||
+ }
|
|
||||||
if (cp->restrict_lud != NULL) {
|
|
||||||
s = lutil_strcopy( s, " restrict=\"" );
|
|
||||||
s = lutil_strncopy( s, cp->restrict_val.bv_val, cp->restrict_val.bv_len );
|
|
||||||
@@ -471,7 +489,7 @@ constraint_cf_gen( ConfigArgs *c )
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- ber_str2bv(c->argv[argidx], 0, 1, &ap.restrict_val);
|
|
||||||
+ ber_str2bv(c->argv[argidx] + STRLENOF("restrict="), 0, 1, &ap.restrict_val);
|
|
||||||
|
|
||||||
} else {
|
|
||||||
/* cleanup */
|
|
@ -1,55 +0,0 @@
|
|||||||
one-byte buffer overflow in slapd
|
|
||||||
|
|
||||||
Resolves: #749324 (CVE-2011-4079)
|
|
||||||
Upstream ITS: #7059
|
|
||||||
Upstream commits: d0dd861 5072387
|
|
||||||
Author: Howard Chu <hyc@openldap.org>
|
|
||||||
|
|
||||||
diff -u
|
|
||||||
--- a/servers/slapd/schema_init.c
|
|
||||||
+++ b/servers/slapd/schema_init.c
|
|
||||||
@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
|
|
||||||
}
|
|
||||||
nvalue.bv_val[nvalue.bv_len] = '\0';
|
|
||||||
|
|
||||||
- } else {
|
|
||||||
+ } else if ( tmp.bv_len ) {
|
|
||||||
/* string of all spaces is treated as one space */
|
|
||||||
nvalue.bv_val[0] = ' ';
|
|
||||||
nvalue.bv_val[1] = '\0';
|
|
||||||
nvalue.bv_len = 1;
|
|
||||||
- }
|
|
||||||
+ } /* should never be entered with 0-length val */
|
|
||||||
|
|
||||||
*normalized = nvalue;
|
|
||||||
return LDAP_SUCCESS;
|
|
||||||
@@ -2331,13 +2331,18 @@ postalAddressNormalize(
|
|
||||||
}
|
|
||||||
lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
|
|
||||||
|
|
||||||
- normalized->bv_len = l;
|
|
||||||
+ normalized->bv_len = c = l;
|
|
||||||
|
|
||||||
- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
|
|
||||||
+ for ( l = 0; l <= c; l++ ) {
|
|
||||||
/* NOTE: we directly normalize each line,
|
|
||||||
* without unescaping the values, since the special
|
|
||||||
* values '\24' ('$') and '\5C' ('\') are not affected
|
|
||||||
* by normalization */
|
|
||||||
+ if ( !lines[l].bv_len ) {
|
|
||||||
+ nlines[l].bv_len = 0;
|
|
||||||
+ nlines[l].bv_val = NULL;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
|
|
||||||
if ( rc != LDAP_SUCCESS ) {
|
|
||||||
rc = LDAP_INVALID_SYNTAX;
|
|
||||||
@@ -2350,7 +2355,7 @@ postalAddressNormalize(
|
|
||||||
normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
|
|
||||||
|
|
||||||
p = normalized->bv_val;
|
|
||||||
- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
|
|
||||||
+ for ( l = 0; l <= c ; l++ ) {
|
|
||||||
p = lutil_strbvcopy( p, &nlines[l] );
|
|
||||||
*p++ = '$';
|
|
||||||
}
|
|
@ -1,29 +0,0 @@
|
|||||||
DDS overlay: fix TTL tolerance
|
|
||||||
|
|
||||||
olcDDStolerance setting had inverse effect and in fact was shortening entries real TTL
|
|
||||||
|
|
||||||
From cca0da2163f1ec83352d86015cf6b9b42b757dc7 Mon Sep 17 00:00:00 2001
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Upstream ITS: #7017
|
|
||||||
Resolves: #733069
|
|
||||||
|
|
||||||
---
|
|
||||||
servers/slapd/overlays/dds.c | 2 +-
|
|
||||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/servers/slapd/overlays/dds.c b/servers/slapd/overlays/dds.c
|
|
||||||
index 56d299f..661b309 100644
|
|
||||||
--- a/servers/slapd/overlays/dds.c
|
|
||||||
+++ b/servers/slapd/overlays/dds.c
|
|
||||||
@@ -156,7 +156,7 @@ dds_expire( void *ctx, dds_info_t *di )
|
|
||||||
op->ors_slimit = SLAP_NO_LIMIT;
|
|
||||||
op->ors_attrs = slap_anlist_no_attrs;
|
|
||||||
|
|
||||||
- expire = slap_get_time() + di->di_tolerance;
|
|
||||||
+ expire = slap_get_time() - di->di_tolerance;
|
|
||||||
ts.bv_val = tsbuf;
|
|
||||||
ts.bv_len = sizeof( tsbuf );
|
|
||||||
slap_timestamp( &expire, &ts );
|
|
||||||
--
|
|
||||||
1.7.6
|
|
||||||
|
|
@ -1,25 +0,0 @@
|
|||||||
wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Resolves: #717722
|
|
||||||
|
|
||||||
---
|
|
||||||
doc/man/man3/ldap_sync.3 | 2 +-
|
|
||||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/doc/man/man3/ldap_sync.3 b/doc/man/man3/ldap_sync.3
|
|
||||||
index ef15085..e2c0880 100644
|
|
||||||
--- a/doc/man/man3/ldap_sync.3
|
|
||||||
+++ b/doc/man/man3/ldap_sync.3
|
|
||||||
@@ -20,7 +20,7 @@ OpenLDAP LDAP (libldap, \-lldap)
|
|
||||||
.LP
|
|
||||||
.BI "ldap_sync_t * ldap_sync_initialize(ldap_sync_t *" ls ");"
|
|
||||||
.LP
|
|
||||||
-.BI "int ldap_sync_destroy(ldap_sync_t *" ls ", int " freeit ");"
|
|
||||||
+.BI "void ldap_sync_destroy(ldap_sync_t *" ls ", int " freeit ");"
|
|
||||||
.LP
|
|
||||||
.BI "typedef int (*" ldap_sync_search_entry_f ")(ldap_sync_t *" ls ","
|
|
||||||
.RS
|
|
||||||
--
|
|
||||||
1.7.6
|
|
||||||
|
|
@ -1,31 +0,0 @@
|
|||||||
Errors in manual pages slapo-unique
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Resolves: #733070
|
|
||||||
|
|
||||||
diff --git a/doc/man/man5/slapo-unique.5 b/doc/man/man5/slapo-unique.5
|
|
||||||
index 85270d8..849ffe9 100644
|
|
||||||
--- a/doc/man/man5/slapo-unique.5
|
|
||||||
+++ b/doc/man/man5/slapo-unique.5
|
|
||||||
@@ -49,6 +49,12 @@ statements or
|
|
||||||
attributes will create independent domains, each with their own
|
|
||||||
independent lists of URIs and ignore/strict settings.
|
|
||||||
|
|
||||||
+Keywords
|
|
||||||
+.B strict
|
|
||||||
+and
|
|
||||||
+.B ignore
|
|
||||||
+have to be enclosed in quotes (") together with the URI.
|
|
||||||
+
|
|
||||||
The LDAP URI syntax is a subset of
|
|
||||||
.B RFC-4516,
|
|
||||||
and takes the form:
|
|
||||||
@@ -137,7 +143,7 @@ This legacy configuration parameter should be converted to a
|
|
||||||
.B unique_uri
|
|
||||||
parameter, as described above.
|
|
||||||
.TP
|
|
||||||
-.B unique_strict
|
|
||||||
+.B unique_strict <attribute...>
|
|
||||||
This legacy configuration parameter should be converted to a
|
|
||||||
.B strict
|
|
||||||
keyword prepended to a
|
|
@ -1,28 +0,0 @@
|
|||||||
memleak in tlsm_auth_cert_handler
|
|
||||||
|
|
||||||
In tlsm_auth_cert_handler, we get the peer's cert from the socket using
|
|
||||||
SSL_PeerCertificate. This value is allocated and/or cached. We must
|
|
||||||
destroy it using CERT_DestroyCertificate.
|
|
||||||
|
|
||||||
Author: Rich Megginson <rmeggins@redhat.com>
|
|
||||||
Upstream ITS: #6980
|
|
||||||
Upstream commit: d944920
|
|
||||||
Resolves: #717730
|
|
||||||
|
|
||||||
diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23.fix/libraries/libldap/tls_m.c
|
|
||||||
--- openldap-2.4.23/libraries/libldap/tls_m.c 2011-07-18 15:54:03.719226863 +0200
|
|
||||||
+++ openldap-2.4.23.fix/libraries/libldap/tls_m.c 2011-07-18 16:02:59.284531374 +0200
|
|
||||||
@@ -1034,10 +1034,12 @@ tlsm_auth_cert_handler(void *arg, PRFile
|
|
||||||
{
|
|
||||||
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
|
|
||||||
SECStatus ret = SECSuccess;
|
|
||||||
+ CERTCertificate *peercert = SSL_PeerCertificate( fd );
|
|
||||||
|
|
||||||
- ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, SSL_PeerCertificate( fd ),
|
|
||||||
+ ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, peercert,
|
|
||||||
SSL_RevealPinArg( fd ),
|
|
||||||
checksig, certUsage, 0 );
|
|
||||||
+ CERT_DestroyCertificate( peercert );
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
@ -1,96 +0,0 @@
|
|||||||
Use mutex for connection handshake when using PEM nss
|
|
||||||
|
|
||||||
PEM nss is not thread safe when establishing the initial connection
|
|
||||||
using SSL_ForceHandshake. Create a new mutex - tlsm_pem_mutex - to
|
|
||||||
protect this function call.
|
|
||||||
The call to SSL_ConfigServerSessionIDCache() is not thread-safe - move it
|
|
||||||
to the init section and protect it with the init mutex.
|
|
||||||
|
|
||||||
Author: Rich Megginson <rmeggins@redhat.com>
|
|
||||||
Resolves: #701678
|
|
||||||
Upstream ITS: #7034
|
|
||||||
---
|
|
||||||
libraries/libldap/tls_m.c | 30 ++++++++++++++++++++++++------
|
|
||||||
1 files changed, 24 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index c85d322..9447db2 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -135,6 +135,7 @@ static int tlsm_init( void );
|
|
||||||
to wrap the mutex creation in a prcallonce
|
|
||||||
*/
|
|
||||||
static ldap_pvt_thread_mutex_t tlsm_init_mutex;
|
|
||||||
+static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
|
|
||||||
static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
|
|
||||||
|
|
||||||
static PRStatus PR_CALLBACK
|
|
||||||
@@ -146,6 +147,12 @@ tlsm_thr_init_callonce( void )
|
|
||||||
return PR_FAILURE;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
|
|
||||||
+ return PR_FAILURE;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
return PR_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1728,6 +1735,14 @@ tlsm_deferred_init( void *arg )
|
|
||||||
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ if ( ctx->tc_is_server ) {
|
|
||||||
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
|
|
||||||
+ /* 0 means use the defaults here */
|
|
||||||
+ SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
|
|
||||||
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
#ifndef HAVE_NSS_INITCONTEXT
|
|
||||||
}
|
|
||||||
#endif /* HAVE_NSS_INITCONTEXT */
|
|
||||||
@@ -1941,6 +1956,7 @@ tlsm_destroy( void )
|
|
||||||
{
|
|
||||||
#ifdef LDAP_R_COMPILE
|
|
||||||
ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
|
|
||||||
+ ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2433,11 +2449,6 @@ tlsm_session_new ( tls_ctx * ctx, int is_server )
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ( is_server ) {
|
|
||||||
- /* 0 means use the defaults here */
|
|
||||||
- SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
rc = SSL_ResetHandshake( session, is_server );
|
|
||||||
if ( rc ) {
|
|
||||||
PRErrorCode err = PR_GetError();
|
|
||||||
@@ -2457,9 +2468,16 @@ static int
|
|
||||||
tlsm_session_accept_or_connect( tls_session *session, int is_accept )
|
|
||||||
{
|
|
||||||
tlsm_session *s = (tlsm_session *)session;
|
|
||||||
- int rc = SSL_ForceHandshake( s );
|
|
||||||
+ int rc;
|
|
||||||
const char *op = is_accept ? "accept" : "connect";
|
|
||||||
|
|
||||||
+ if ( pem_module ) {
|
|
||||||
+ LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
|
|
||||||
+ }
|
|
||||||
+ rc = SSL_ForceHandshake( s );
|
|
||||||
+ if ( pem_module ) {
|
|
||||||
+ LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
|
|
||||||
+ }
|
|
||||||
if ( rc ) {
|
|
||||||
PRErrorCode err = PR_GetError();
|
|
||||||
rc = -1;
|
|
||||||
--
|
|
||||||
1.7.1
|
|
||||||
|
|
@ -1,217 +0,0 @@
|
|||||||
NSS_Init* functions are not thread safe
|
|
||||||
|
|
||||||
The NSS_InitContext et. al, and their corresponding shutdown functions,
|
|
||||||
are not thread safe. There can only be one thread at a time calling
|
|
||||||
these functions. Protect the calls with a mutex. Create the mutex
|
|
||||||
using a PR_CallOnce to ensure that the mutex is only created once and
|
|
||||||
not used before created. Move the registration of the nss shutdown
|
|
||||||
callback to also use a PR_CallOnce. Removed the call to
|
|
||||||
SSL_ClearSessionCache() because it is always called at shutdown, and we must
|
|
||||||
not call it more than once.
|
|
||||||
|
|
||||||
Resolves: #731112
|
|
||||||
Author: Rich Megginson <rmeggins@redhat.com>
|
|
||||||
Upstream ITS: #7022
|
|
||||||
---
|
|
||||||
libraries/libldap/tls_m.c | 98 +++++++++++++++++++++++++++++++++++++++++---
|
|
||||||
1 files changed, 91 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 997b3eb..30c8a76 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -130,9 +130,29 @@ static int tlsm_init( void );
|
|
||||||
|
|
||||||
#ifdef LDAP_R_COMPILE
|
|
||||||
|
|
||||||
+/* it doesn't seem guaranteed that a client will call
|
|
||||||
+ tlsm_thr_init in a non-threaded context - so we have
|
|
||||||
+ to wrap the mutex creation in a prcallonce
|
|
||||||
+*/
|
|
||||||
+static ldap_pvt_thread_mutex_t tlsm_init_mutex;
|
|
||||||
+static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
|
|
||||||
+
|
|
||||||
+static PRStatus PR_CALLBACK
|
|
||||||
+tlsm_thr_init_callonce( void )
|
|
||||||
+{
|
|
||||||
+ if ( ldap_pvt_thread_mutex_init( &tlsm_init_mutex ) ) {
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: could not create mutex for moznss initialization: %d\n", errno, 0, 0 );
|
|
||||||
+ return PR_FAILURE;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return PR_SUCCESS;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void
|
|
||||||
tlsm_thr_init( void )
|
|
||||||
{
|
|
||||||
+ ( void )PR_CallOnce( &tlsm_init_mutex_callonce, tlsm_thr_init_callonce );
|
|
||||||
}
|
|
||||||
|
|
||||||
#endif /* LDAP_R_COMPILE */
|
|
||||||
@@ -1079,7 +1099,6 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData )
|
|
||||||
SECStatus rc = SECSuccess;
|
|
||||||
|
|
||||||
SSL_ShutdownServerSessionIDCache();
|
|
||||||
- SSL_ClearSessionCache();
|
|
||||||
|
|
||||||
if ( pem_module ) {
|
|
||||||
SECMOD_UnloadUserModule( pem_module );
|
|
||||||
@@ -1089,6 +1108,24 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData )
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
|
|
||||||
+static PRStatus PR_CALLBACK
|
|
||||||
+tlsm_register_nss_shutdown_cb( void )
|
|
||||||
+{
|
|
||||||
+ if ( SECSuccess == NSS_RegisterShutdown( tlsm_nss_shutdown_cb,
|
|
||||||
+ NULL ) ) {
|
|
||||||
+ return PR_SUCCESS;
|
|
||||||
+ }
|
|
||||||
+ return PR_FAILURE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static PRStatus
|
|
||||||
+tlsm_register_nss_shutdown( void )
|
|
||||||
+{
|
|
||||||
+ return PR_CallOnce( &tlsm_register_shutdown_callonce,
|
|
||||||
+ tlsm_register_nss_shutdown_cb );
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static int
|
|
||||||
tlsm_init_pem_module( void )
|
|
||||||
{
|
|
||||||
@@ -1529,6 +1566,12 @@ tlsm_deferred_init( void *arg )
|
|
||||||
initParams.length = sizeof( initParams );
|
|
||||||
#endif /* HAVE_NSS_INITCONTEXT */
|
|
||||||
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ if ( PR_CallOnce( &tlsm_init_mutex_callonce, tlsm_thr_init_callonce ) ) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
+
|
|
||||||
#ifndef HAVE_NSS_INITCONTEXT
|
|
||||||
if ( !NSS_IsInitialized() ) {
|
|
||||||
#endif /* HAVE_NSS_INITCONTEXT */
|
|
||||||
@@ -1556,6 +1599,10 @@ tlsm_deferred_init( void *arg )
|
|
||||||
}
|
|
||||||
|
|
||||||
tlsm_get_certdb_prefix( securitydir, &realcertdir, &prefix );
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
+
|
|
||||||
#ifdef HAVE_NSS_INITCONTEXT
|
|
||||||
#ifdef INITCONTEXT_HACK
|
|
||||||
if ( !NSS_IsInitialized() && ctx->tc_is_server ) {
|
|
||||||
@@ -1574,6 +1621,10 @@ tlsm_deferred_init( void *arg )
|
|
||||||
rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY );
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
+
|
|
||||||
if ( rc != SECSuccess ) {
|
|
||||||
errcode = PORT_GetError();
|
|
||||||
if ( securitydirs[ii] != lt->lt_cacertdir) {
|
|
||||||
@@ -1597,6 +1648,9 @@ tlsm_deferred_init( void *arg )
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( errcode ) { /* no moznss db found, or not using moznss db */
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
#ifdef HAVE_NSS_INITCONTEXT
|
|
||||||
int flags = NSS_INIT_READONLY|NSS_INIT_NOCERTDB|NSS_INIT_NOMODDB;
|
|
||||||
#ifdef INITCONTEXT_HACK
|
|
||||||
@@ -1615,6 +1669,9 @@ tlsm_deferred_init( void *arg )
|
|
||||||
#else
|
|
||||||
rc = NSS_NoDB_Init( NULL );
|
|
||||||
#endif
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
if ( rc != SECSuccess ) {
|
|
||||||
errcode = PORT_GetError();
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
@@ -1628,13 +1685,22 @@ tlsm_deferred_init( void *arg )
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* initialize the PEM module */
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
if ( tlsm_init_pem_module() ) {
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
errcode = PORT_GetError();
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: could not initialize moznss PEM module - error %d:%s.\n",
|
|
||||||
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
|
|
||||||
if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
|
|
||||||
/* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
|
|
||||||
@@ -1669,10 +1735,13 @@ tlsm_deferred_init( void *arg )
|
|
||||||
PK11_SetPasswordFunc( tlsm_pin_prompt );
|
|
||||||
|
|
||||||
/* register cleanup function */
|
|
||||||
- /* delete the old one, if any */
|
|
||||||
- NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );
|
|
||||||
- NSS_RegisterShutdown( tlsm_nss_shutdown_cb, NULL );
|
|
||||||
-
|
|
||||||
+ if ( tlsm_register_nss_shutdown() ) {
|
|
||||||
+ errcode = PORT_GetError();
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: could not register NSS shutdown function: %d:%s\n",
|
|
||||||
+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
#ifndef HAVE_NSS_INITCONTEXT
|
|
||||||
}
|
|
||||||
#endif /* HAVE_NSS_INITCONTEXT */
|
|
||||||
@@ -1884,6 +1953,9 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
|
|
||||||
static void
|
|
||||||
tlsm_destroy( void )
|
|
||||||
{
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
|
|
||||||
+#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
static tls_ctx *
|
|
||||||
@@ -1949,8 +2021,20 @@ tlsm_ctx_free ( tls_ctx *ctx )
|
|
||||||
PL_strfree( c->tc_slotname );
|
|
||||||
tlsm_free_pem_objs( c );
|
|
||||||
#ifdef HAVE_NSS_INITCONTEXT
|
|
||||||
- if (c->tc_initctx)
|
|
||||||
- NSS_ShutdownContext( c->tc_initctx );
|
|
||||||
+ if ( c->tc_initctx ) {
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
+ if ( NSS_ShutdownContext( c->tc_initctx ) ) {
|
|
||||||
+ PRErrorCode errcode = PR_GetError();
|
|
||||||
+ Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ "TLS: could not shutdown NSS - error %d:%s.\n",
|
|
||||||
+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
|
|
||||||
+ }
|
|
||||||
+#ifdef LDAP_R_COMPILE
|
|
||||||
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
|
|
||||||
+#endif /* LDAP_R_COMPILE */
|
|
||||||
+ }
|
|
||||||
c->tc_initctx = NULL;
|
|
||||||
#endif /* HAVE_NSS_INITCONTEXT */
|
|
||||||
#ifdef LDAP_R_COMPILE
|
|
||||||
--
|
|
||||||
1.7.1
|
|
||||||
|
|
@ -1,40 +0,0 @@
|
|||||||
MozNSS: free the return of tlsm_find_and_verify_cert_key
|
|
||||||
|
|
||||||
If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
|
|
||||||
to verify them, it will leave them allocated for the caller to dispose of.
|
|
||||||
There were a couple of places that were not disposing of the cert and key
|
|
||||||
upon error.
|
|
||||||
|
|
||||||
Author: Rich Megginson <rmeggins@redhat.com>
|
|
||||||
Upstream ITS: #7001
|
|
||||||
Upstream commit: fb4b4f7445d9392fbae097cc861e4cfb1694dcae
|
|
||||||
Resolves: #725818
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 7ae7d82..72fdf49 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -1811,6 +1811,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd,
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: error: unable to perform client certificate authentication for "
|
|
||||||
"certificate named %s\n", ctx->tc_certname, 0, 0 );
|
|
||||||
+ if ( pRetKey && *pRetKey ) {
|
|
||||||
+ SECKEY_DestroyPrivateKey( *pRetKey );
|
|
||||||
+ *pRetKey = NULL;
|
|
||||||
+ }
|
|
||||||
+ if ( pRetCert && *pRetCert ) {
|
|
||||||
+ CERT_DestroyCertificate( *pRetCert );
|
|
||||||
+ *pRetCert = NULL;
|
|
||||||
+ }
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2162,6 +2170,8 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: error: unable to find and verify server's cert and key for certificate %s\n",
|
|
||||||
ctx->tc_certname, 0, 0 );
|
|
||||||
+ CERT_DestroyCertificate( serverCert );
|
|
||||||
+ SECKEY_DestroyPrivateKey( serverKey );
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
@ -1,28 +0,0 @@
|
|||||||
Do not check server hostname when TLS_REQCERT is 'allow'.
|
|
||||||
|
|
||||||
If server certificate hostname does not match the server hostname,
|
|
||||||
connection is closed even if client has set TLS_REQCERT to 'allow'. This
|
|
||||||
is wrong - the documentation says, that bad certificates are being
|
|
||||||
ignored when TLS_REQCERT is set to 'allow'.
|
|
||||||
|
|
||||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
|
||||||
Upstream ITS: #7014
|
|
||||||
Resolves: #725819
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
|
||||||
index f38db27..3f05c1e 100644
|
|
||||||
--- a/libraries/libldap/tls2.c
|
|
||||||
+++ b/libraries/libldap/tls2.c
|
|
||||||
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
|
|
||||||
/*
|
|
||||||
* compare host with name(s) in certificate
|
|
||||||
*/
|
|
||||||
- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
|
|
||||||
+ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
|
|
||||||
+ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
|
|
||||||
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
|
|
||||||
if (ld->ld_errno != LDAP_SUCCESS) {
|
|
||||||
return ld->ld_errno;
|
|
||||||
--
|
|
||||||
1.7.6
|
|
||||||
|
|
@ -1,209 +0,0 @@
|
|||||||
Fix server side VerifyCert allow/try behavior
|
|
||||||
|
|
||||||
If the olcTLSVerifyClient is set to a value other than "never", the server
|
|
||||||
should request that the client send a client certificate for possible use
|
|
||||||
with client cert auth (e.g. SASL/EXTERNAL).
|
|
||||||
If set to "allow", if the client sends a cert, and there are problems with
|
|
||||||
it, the server will warn about problems, but will allow the SSL session to
|
|
||||||
proceed without a client cert.
|
|
||||||
If set to "try", if the client sends a cert, and there are problems with
|
|
||||||
it, the server will warn about those problems, and shutdown the SSL session.
|
|
||||||
If set to "demand" or "hard", the client must send a cert, and the server
|
|
||||||
will shutdown the SSL session if there are problems.
|
|
||||||
I added a new member of the tlsm context structure - tc_warn_only - if this
|
|
||||||
is set, tlsm_verify_cert will only warn about errors, and only if TRACE
|
|
||||||
level debug is set. This allows the server to warn but allow bad certs
|
|
||||||
if "allow" is set, and warn and fail if "try" is set.
|
|
||||||
|
|
||||||
Author: Rich Megginson <rmeggins@redhat.com>
|
|
||||||
Upstream ITS: #7002
|
|
||||||
Upstream commit: 210b156ece28a71cb625283fa5c30ee76d639cdc
|
|
||||||
Resolves: #725819
|
|
||||||
|
|
||||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
||||||
index 72fdf49..997b3eb 100644
|
|
||||||
--- a/libraries/libldap/tls_m.c
|
|
||||||
+++ b/libraries/libldap/tls_m.c
|
|
||||||
@@ -96,6 +96,7 @@ typedef struct tlsm_ctx {
|
|
||||||
#endif
|
|
||||||
PK11GenericObject **tc_pem_objs; /* array of objects to free */
|
|
||||||
int tc_n_pem_objs; /* number of objects */
|
|
||||||
+ PRBool tc_warn_only; /* only warn of errors in validation */
|
|
||||||
#ifdef LDAP_R_COMPILE
|
|
||||||
ldap_pvt_thread_mutex_t tc_refmutex;
|
|
||||||
#endif
|
|
||||||
@@ -945,6 +946,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
|
|
||||||
CERTVerifyLog verifylog;
|
|
||||||
SECStatus ret = SECSuccess;
|
|
||||||
const char *name;
|
|
||||||
+ int debug_level = LDAP_DEBUG_ANY;
|
|
||||||
+
|
|
||||||
+ if ( errorToIgnore == -1 ) {
|
|
||||||
+ debug_level = LDAP_DEBUG_TRACE;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* the log captures information about every cert in the chain, so we can tell
|
|
||||||
which cert caused the problem and what the problem was */
|
|
||||||
@@ -965,7 +971,7 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
|
|
||||||
/* it is possible for CERT_VerifyCertificate return with an error with no logging */
|
|
||||||
if ( ret != SECSuccess ) {
|
|
||||||
PRErrorCode errcode = PR_GetError();
|
|
||||||
- Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ Debug( debug_level,
|
|
||||||
"TLS: certificate [%s] is not valid - error %d:%s.\n",
|
|
||||||
name ? name : "(unknown)",
|
|
||||||
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|
||||||
@@ -995,17 +1001,17 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
|
|
||||||
"please fix your certs if possible\n", name, 0, 0 );
|
|
||||||
} else { /* does not have basicconstraint, or some other error */
|
|
||||||
ret = SECFailure;
|
|
||||||
- Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ Debug( debug_level,
|
|
||||||
"TLS: certificate [%s] is not valid - CA cert is not valid\n",
|
|
||||||
name, 0, 0 );
|
|
||||||
}
|
|
||||||
} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
|
|
||||||
- Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ Debug( debug_level,
|
|
||||||
"TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
|
|
||||||
name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
|
|
||||||
} else {
|
|
||||||
ret = SECFailure;
|
|
||||||
- Debug( LDAP_DEBUG_ANY,
|
|
||||||
+ Debug( debug_level,
|
|
||||||
"TLS: certificate [%s] is not valid - error %ld:%s.\n",
|
|
||||||
name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
|
|
||||||
}
|
|
||||||
@@ -1020,7 +1026,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
|
|
||||||
if ( ret == SECSuccess ) {
|
|
||||||
Debug( LDAP_DEBUG_TRACE,
|
|
||||||
"TLS: certificate [%s] is valid\n", name, 0, 0 );
|
|
||||||
- }
|
|
||||||
+ } else if ( errorToIgnore == -1 ) {
|
|
||||||
+ ret = SECSuccess;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -1032,10 +1040,15 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
|
|
||||||
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
|
|
||||||
SECStatus ret = SECSuccess;
|
|
||||||
CERTCertificate *peercert = SSL_PeerCertificate( fd );
|
|
||||||
+ int errorToIgnore = 0;
|
|
||||||
+ tlsm_ctx *ctx = (tlsm_ctx *)arg;
|
|
||||||
+
|
|
||||||
+ if (ctx && ctx->tc_warn_only )
|
|
||||||
+ errorToIgnore = -1;
|
|
||||||
|
|
||||||
- ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, peercert,
|
|
||||||
+ ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
|
|
||||||
SSL_RevealPinArg( fd ),
|
|
||||||
- checksig, certUsage, 0 );
|
|
||||||
+ checksig, certUsage, errorToIgnore );
|
|
||||||
CERT_DestroyCertificate( peercert );
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
@@ -1758,6 +1771,8 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx, PRFileDesc *fd, const char *certnam
|
|
||||||
SECCertificateUsage certUsage;
|
|
||||||
PRBool checkSig = PR_TRUE;
|
|
||||||
SECStatus status;
|
|
||||||
+ /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */
|
|
||||||
+ int errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER;
|
|
||||||
|
|
||||||
if ( pRetKey ) {
|
|
||||||
*pRetKey = key; /* caller will deal with this */
|
|
||||||
@@ -1774,9 +1789,11 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx, PRFileDesc *fd, const char *certnam
|
|
||||||
} else {
|
|
||||||
checkSig = PR_FALSE;
|
|
||||||
}
|
|
||||||
- /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */
|
|
||||||
+ if ( ctx->tc_warn_only ) {
|
|
||||||
+ errorToIgnore = -1;
|
|
||||||
+ }
|
|
||||||
status = tlsm_verify_cert( ctx->tc_certdb, cert, pin_arg,
|
|
||||||
- checkSig, certUsage, SEC_ERROR_UNKNOWN_ISSUER );
|
|
||||||
+ checkSig, certUsage, errorToIgnore );
|
|
||||||
if ( status == SECSuccess ) {
|
|
||||||
rc = 0;
|
|
||||||
}
|
|
||||||
@@ -1803,10 +1820,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd,
|
|
||||||
{
|
|
||||||
tlsm_ctx *ctx = (tlsm_ctx *)arg;
|
|
||||||
int rc;
|
|
||||||
+ PRBool saveval;
|
|
||||||
|
|
||||||
/* don't need caNames - this function will call CERT_VerifyCertificateNow
|
|
||||||
which will verify the cert against the known CAs */
|
|
||||||
+ saveval = ctx->tc_warn_only;
|
|
||||||
+ ctx->tc_warn_only = PR_TRUE;
|
|
||||||
rc = tlsm_find_and_verify_cert_key( ctx, fd, ctx->tc_certname, 0, pRetCert, pRetKey );
|
|
||||||
+ ctx->tc_warn_only = saveval;
|
|
||||||
if ( rc ) {
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: error: unable to perform client certificate authentication for "
|
|
||||||
@@ -1837,8 +1858,12 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
|
|
||||||
{
|
|
||||||
SECStatus status = SECFailure;
|
|
||||||
int rc;
|
|
||||||
+ PRBool saveval;
|
|
||||||
|
|
||||||
+ saveval = ctx->tc_warn_only;
|
|
||||||
+ ctx->tc_warn_only = PR_TRUE;
|
|
||||||
rc = tlsm_find_and_verify_cert_key( ctx, ctx->tc_model, ctx->tc_certname, 0, NULL, NULL );
|
|
||||||
+ ctx->tc_warn_only = saveval;
|
|
||||||
if ( rc ) {
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: error: unable to set up client certificate authentication for "
|
|
||||||
@@ -1887,6 +1912,7 @@ tlsm_ctx_new ( struct ldapoptions *lo )
|
|
||||||
#endif /* HAVE_NSS_INITCONTEXT */
|
|
||||||
ctx->tc_pem_objs = NULL;
|
|
||||||
ctx->tc_n_pem_objs = 0;
|
|
||||||
+ ctx->tc_warn_only = PR_FALSE;
|
|
||||||
}
|
|
||||||
return (tls_ctx *)ctx;
|
|
||||||
}
|
|
||||||
@@ -2048,7 +2074,9 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ( ctx->tc_require_cert ) {
|
|
||||||
+ if ( !ctx->tc_require_cert ) {
|
|
||||||
+ ctx->tc_verify_cert = PR_FALSE;
|
|
||||||
+ } else if ( !ctx->tc_is_server ) {
|
|
||||||
request_cert = PR_TRUE;
|
|
||||||
require_cert = SSL_REQUIRE_NO_ERROR;
|
|
||||||
if ( ctx->tc_require_cert == LDAP_OPT_X_TLS_DEMAND ||
|
|
||||||
@@ -2057,8 +2085,22 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
}
|
|
||||||
if ( ctx->tc_require_cert != LDAP_OPT_X_TLS_ALLOW )
|
|
||||||
ctx->tc_verify_cert = PR_TRUE;
|
|
||||||
- } else {
|
|
||||||
- ctx->tc_verify_cert = PR_FALSE;
|
|
||||||
+ } else { /* server */
|
|
||||||
+ /* server does not request certs by default */
|
|
||||||
+ /* if allow - client may send cert, server will ignore if errors */
|
|
||||||
+ /* if try - client may send cert, server will error if bad cert */
|
|
||||||
+ /* if hard or demand - client must send cert, server will error if bad cert */
|
|
||||||
+ request_cert = PR_TRUE;
|
|
||||||
+ require_cert = SSL_REQUIRE_NO_ERROR;
|
|
||||||
+ if ( ctx->tc_require_cert == LDAP_OPT_X_TLS_DEMAND ||
|
|
||||||
+ ctx->tc_require_cert == LDAP_OPT_X_TLS_HARD ) {
|
|
||||||
+ require_cert = SSL_REQUIRE_ALWAYS;
|
|
||||||
+ }
|
|
||||||
+ if ( ctx->tc_require_cert != LDAP_OPT_X_TLS_ALLOW ) {
|
|
||||||
+ ctx->tc_verify_cert = PR_TRUE;
|
|
||||||
+ } else {
|
|
||||||
+ ctx->tc_warn_only = PR_TRUE;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_REQUEST_CERTIFICATE, request_cert ) ) {
|
|
||||||
@@ -2193,7 +2235,7 @@ tlsm_deferred_ctx_init( void *arg )
|
|
||||||
|
|
||||||
/* Callback for authenticating certificate */
|
|
||||||
if ( SSL_AuthCertificateHook( ctx->tc_model, tlsm_auth_cert_handler,
|
|
||||||
- ctx->tc_certdb ) != SECSuccess ) {
|
|
||||||
+ ctx ) != SECSuccess ) {
|
|
||||||
PRErrorCode err = PR_GetError();
|
|
||||||
Debug( LDAP_DEBUG_ANY,
|
|
||||||
"TLS: error: could not set auth cert handler for moznss - error %d:%s\n",
|
|
@ -1,17 +0,0 @@
|
|||||||
matching wildcard hostnames in certificate Subject field does not work
|
|
||||||
|
|
||||||
Upstream ITS: #7006
|
|
||||||
Author: Philippe Kueck <hash_oldap@cycdolphin.net>
|
|
||||||
Resolves: #733073
|
|
||||||
|
|
||||||
--- openldap-2.4.23.orig/libraries/libldap/tls_m.c 2011-08-01 12:43:59.000000000 +0200
|
|
||||||
+++ openldap-2.4.23.orig/libraries/libldap/tls_m.c 2011-08-01 13:53:05.000000000 +0200
|
|
||||||
@@ -2601,7 +2601,7 @@
|
|
||||||
if ( av->len == nlen && !strncasecmp( name, (char *)av->data, nlen )) {
|
|
||||||
ret = LDAP_SUCCESS;
|
|
||||||
} else if ( av->data[0] == '*' && av->data[1] == '.' &&
|
|
||||||
- domain && dlen == av->len - 1 && !strncasecmp( name,
|
|
||||||
+ domain && dlen == av->len - 1 && !strncasecmp( domain,
|
|
||||||
(char *)(av->data+1), dlen )) {
|
|
||||||
ret = LDAP_SUCCESS;
|
|
||||||
} else {
|
|
@ -3,10 +3,10 @@ address space layout randomization (ASLD).
|
|||||||
|
|
||||||
Author: Thomas Woerner <twoerner@redhat.com>
|
Author: Thomas Woerner <twoerner@redhat.com>
|
||||||
|
|
||||||
--- openldap-2.4.24.orig/servers/slapd/Makefile.in
|
--- a/servers/slapd/Makefile.in
|
||||||
+++ openldap-2.4.24/servers/slapd/Makefile.in
|
+++ b/servers/slapd/Makefile.in
|
||||||
@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
|
@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE
|
||||||
cp slapi/.libs/libslapi.a .
|
(cd slapi; $(MAKE) $(MFLAGS) all)
|
||||||
|
|
||||||
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
|
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
|
||||||
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
|
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
|
||||||
|
@ -5,8 +5,8 @@
|
|||||||
%global evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
|
%global evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
|
||||||
|
|
||||||
Name: openldap
|
Name: openldap
|
||||||
Version: 2.4.26
|
Version: 2.4.28
|
||||||
Release: 6%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: LDAP support libraries
|
Summary: LDAP support libraries
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: OpenLDAP
|
License: OpenLDAP
|
||||||
@ -30,20 +30,8 @@ Patch3: openldap-reentrant-gethostby.patch
|
|||||||
Patch4: openldap-smbk5pwd-overlay.patch
|
Patch4: openldap-smbk5pwd-overlay.patch
|
||||||
Patch5: openldap-ldaprc-currentdir.patch
|
Patch5: openldap-ldaprc-currentdir.patch
|
||||||
Patch6: openldap-userconfig-setgid.patch
|
Patch6: openldap-userconfig-setgid.patch
|
||||||
Patch7: openldap-nss-free-peer-cert.patch
|
Patch7: openldap-dns-priority.patch
|
||||||
Patch8: openldap-nss-init-threadsafe.patch
|
Patch8: openldap-syncrepl-unset-tls-options.patch
|
||||||
Patch9: openldap-nss-reqcert-hostname.patch
|
|
||||||
Patch10: openldap-nss-verifycert.patch
|
|
||||||
Patch11: openldap-nss-memleak-free-certs.patch
|
|
||||||
Patch12: openldap-constraint-overlay-config.patch
|
|
||||||
Patch13: openldap-dds-overlay-tolerance.patch
|
|
||||||
Patch14: openldap-man-slapo-unique.patch
|
|
||||||
Patch15: openldap-nss-wildcards.patch
|
|
||||||
Patch16: openldap-dns-priority.patch
|
|
||||||
Patch17: openldap-man-ldap-sync.patch
|
|
||||||
Patch18: openldap-nss-handshake-threadsafe.patch
|
|
||||||
Patch19: openldap-syncrepl-unset-tls-options.patch
|
|
||||||
Patch20: openldap-cve-onebyte-buffer-overflow.patch
|
|
||||||
|
|
||||||
# Fedora specific patches
|
# Fedora specific patches
|
||||||
Patch100: openldap-fedora-systemd.patch
|
Patch100: openldap-fedora-systemd.patch
|
||||||
@ -136,29 +124,17 @@ programs needed for accessing and modifying OpenLDAP directories.
|
|||||||
|
|
||||||
pushd openldap-%{version}
|
pushd openldap-%{version}
|
||||||
|
|
||||||
%patch0 -p1 -b .manpages
|
%patch0 -p1
|
||||||
%patch1 -p1 -b .security-pie
|
%patch1 -p1
|
||||||
%patch2 -p1 -b .sql-linking
|
%patch2 -p1
|
||||||
%patch3 -p1 -b .reentrant-gethostby
|
%patch3 -p1
|
||||||
%patch4 -p1 -b .smbk5pwd-overlay
|
%patch4 -p1
|
||||||
%patch5 -p1 -b .ldaprc-currentdir
|
%patch5 -p1
|
||||||
%patch6 -p1 -b .userconfig-setgid
|
%patch6 -p1
|
||||||
%patch7 -p1 -b .nss-free-peer-cert
|
%patch7 -p1
|
||||||
%patch8 -p1 -b .nss-init-threadsafe
|
%patch8 -p1
|
||||||
%patch9 -p1 -b .nss-reqcert-hostname
|
|
||||||
%patch10 -p1 -b .nss-verifycert
|
|
||||||
%patch11 -p1 -b .nss-memleak-free-certs
|
|
||||||
%patch12 -p1 -b .constraint-overlay-config
|
|
||||||
%patch13 -p1 -b .dds-overlay-tolerance
|
|
||||||
%patch14 -p1 -b .man-slapo-unique
|
|
||||||
%patch15 -p1 -b .nss-wildcards
|
|
||||||
%patch16 -p1 -b .dns-priority
|
|
||||||
%patch17 -p1 -b .man-ldap-sync
|
|
||||||
%patch18 -p1 -b .nss-handshake-threadsafe
|
|
||||||
%patch19 -p1 -b .syncrepl-unset-tls-options
|
|
||||||
%patch20 -p1 -b .cve-onebyte-buffer-overflow
|
|
||||||
|
|
||||||
%patch100 -p1 -b .fedora-systemd
|
%patch100 -p1
|
||||||
|
|
||||||
cp %{_datadir}/libtool/config/config.{sub,guess} build/
|
cp %{_datadir}/libtool/config/config.{sub,guess} build/
|
||||||
|
|
||||||
@ -638,6 +614,16 @@ exit 0
|
|||||||
%{evolution_connector_prefix}/
|
%{evolution_connector_prefix}/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 30 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.28-1
|
||||||
|
- new upstream release
|
||||||
|
+ server: support for delta-syncrepl in multi master replication
|
||||||
|
+ server: add experimental backend - MDB
|
||||||
|
+ server: dynamic configuration for passwd, perl, shell, sock, and sql backends
|
||||||
|
+ server: support passwords in APR1
|
||||||
|
+ library: support for Wahl (draft)
|
||||||
|
+ a lot of bugfixes
|
||||||
|
- remove patches which were merged upstream
|
||||||
|
|
||||||
* Tue Nov 01 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-6
|
* Tue Nov 01 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-6
|
||||||
- package cleanup:
|
- package cleanup:
|
||||||
+ hardened build: switch from LDFLAGS to RPM macros
|
+ hardened build: switch from LDFLAGS to RPM macros
|
||||||
|
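Review bot: Patch9, Patch10, Patch15 and Patch20 (`openldap-nss-reqcert-hostname.patch`, `openldap-nss-verifycert.patch`, `openldap-nss-wildcards.patch`, `openldap-cve-onebyte-buffer-overflow.patch`) disappear from the `Patch:` list, presumably because 2.4.28 carries them, but the `%changelog` entry only says "remove patches which were merged upstream". Three of those change TLS certificate verification in the NSS backend and one is a CVE fix, so the changelog should name at least those so a later audit of the package can see where the fixes went, e.g. `- remove patches which were merged upstream (incl. NSS certificate verification fixes and the one-byte buffer overflow fix)`. Dropping the `-b .suffix` backup arguments from the `%patch` lines is a harmless style change.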
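--- /dev/null
+++ b/slapd.conf.obsolete
@@ -0,0 +1,141 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+include /etc/openldap/schema/corba.schema
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/duaconf.schema
+include /etc/openldap/schema/dyngroup.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/java.schema
+include /etc/openldap/schema/misc.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/openldap.schema
+include /etc/openldap/schema/ppolicy.schema
+include /etc/openldap/schema/collective.schema
+
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+# Load dynamic backend modules
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la overlay requires openldap-server-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+
+# modulepath /usr/lib/openldap
+# modulepath /usr/lib64/openldap
+
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload back_sql.la
+# moduleload chain.la
+# moduleload collect.la
+# moduleload constraint.la
+# moduleload dds.la
+# moduleload deref.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload memberof.la
+# moduleload pbind.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload seqmod.la
+# moduleload smbk5pwd.la
+# moduleload sssvlv.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+# enable on-the-fly configuration (cn=config)
+database config
+access to *
+by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+by * none
+
+# enable server status monitoring (cn=monitor)
+database monitor
+access to *
+by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
+by dn.exact="cn=Manager,dc=my-domain,dc=com" read
+by * none
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database hdb
+suffix "dc=my-domain,dc=com"
+checkpoint 1024 15
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/ldap
+
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com@EXAMPLE.COM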
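Review bot: `allow bind_v2` is active in the shipped file even though the comment directly above it says this is NOT the default; LDAPv2 binds have neither StartTLS nor SASL, so a packaged default should ship the line commented out, `#allow bind_v2`, and let the administrator opt in. The comment `# Require 63-bit encryption for simple bind` does not match the `simple_bind=64` in the directive below it (slapd.ldif says `64-bit` for the same setting), so it should read `# Require 64-bit encryption for simple bind`. The hdb database carries no `access` directives of its own, which the sample-policy comment block already explains, but a one-line reminder next to `rootdn` that the default policy applies until an `access` block is added would help a reader who skips the header.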
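--- /dev/null
+++ b/slapd.ldif
@@ -0,0 +1,94 @@
+#
+# See slapd.d(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+#
+# Define global ACLs to disable default read access.
+#
+olcArgsFile: /var/run/slapd.args
+olcPidFile: /var/run/slapd.pid
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+#
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: back_bdb.la
+#olcModuleload: back_hdb.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_shell.la
+
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+# Frontend settings
+#
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+
+#######################################################################
+# BDB database definitions
+#######################################################################
+#
+dn: olcDatabase=bdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcBdbConfig
+olcDatabase: bdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+# Cleartext passwords, especially for the rootdn, should
+# be avoided. See slappasswd(8) and slapd-config(5) for details.
+# Use of strong authentication encouraged.
+olcRootPW: secret
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+olcDbDirectory: /var/openldap-data
+# Indices to maintain
+olcDbIndex: objectClass eq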
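Review bot: `olcRootPW: secret` ships an active cleartext root password directly under the comment saying cleartext rootdn passwords should be avoided; in slapd.conf.obsolete the equivalent `rootpw secret` is commented out, and this file should match, `#olcRootPW: secret`, or carry a hashed value produced with slappasswd(8) as its own comment recommends. The paths also disagree between the two files: this one uses `/var/run/slapd.args`, `/var/run/slapd.pid` and `/var/openldap-data`, while slapd.conf.obsolete uses `/var/run/openldap/slapd.args`, `/var/run/openldap/slapd.pid` and `/var/lib/ldap`, so presumably one of them points at directories that do not exist on a system laid out for the other. The frontend database lists its `olcAccess` lines commented out, so the default policy described in the comment block applies; that is consistent with the other file but worth stating in one line next to `olcDatabase: frontend`.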