From bfc9f1b25289f5aefae1ccf5eeaba3c781a19bc8 Mon Sep 17 00:00:00 2001 From: Simon Pichugin Date: Thu, 12 Dec 2024 20:00:13 -0800 Subject: [PATCH] Rebase to version 2.6.8 Avoid SSL context cleanup during library destruction Resolves: RHEL-56502, RHEL-71053 --- .gitignore | 1 + ...TS-9917-Remove--h-and-p-from-options.patch | 30 +++--- ...L-context-cleanup-during-library-des.patch | 92 +++++++++++++++++++ openldap.spec | 11 ++- sources | 1 + 5 files changed, 118 insertions(+), 17 deletions(-) create mode 100644 openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch diff --git a/.gitignore b/.gitignore index 945991d..ab9a84f 100644 --- a/.gitignore +++ b/.gitignore @@ -30,3 +30,4 @@ /openldap-ppolicy-check-password-1.1.tar.gz /openldap-2.6.3.tgz /openldap-2.6.6.tgz +/openldap-2.6.8.tgz diff --git a/openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch b/openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch index 50262a2..31d2033 100644 --- a/openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch +++ b/openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch @@ -1,6 +1,6 @@ -From aa5c93049d48b7fd1ff98661a00e4e12d7d47324 Mon Sep 17 00:00:00 2001 +From 25db869956b0f8edaa3a688a4b3dc92c2d9832f5 Mon Sep 17 00:00:00 2001 From: Simon Pichugin -Date: Wed, 13 Dec 2023 11:03:20 -0800 +Date: Thu, 12 Dec 2024 19:58:37 -0800 Subject: [PATCH] Revert "ITS#9917 Remove 'h' and 'p' from options[] in client tools" @@ -18,7 +18,7 @@ This reverts commit a8f7fd00043e2c63b6216aeb3ba69b0d0485311b. 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/clients/tools/ldapcompare.c b/clients/tools/ldapcompare.c -index 63c30408f..a83c8d4ac 100644 +index e571600f35..39b7b80aec 100644 --- a/clients/tools/ldapcompare.c +++ b/clients/tools/ldapcompare.c @@ -104,7 +104,7 @@ static int docompare LDAP_P(( @@ -31,7 +31,7 @@ index 63c30408f..a83c8d4ac 100644 #ifdef LDAP_CONTROL_DONTUSECOPY int dontUseCopy = 0; 
diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c -index a66900d48..53f6e0278 100644 +index f31e5bb3f8..b3676faaa7 100644 --- a/clients/tools/ldapdelete.c +++ b/clients/tools/ldapdelete.c @@ -82,7 +82,7 @@ usage( void ) @@ -44,7 +44,7 @@ index a66900d48..53f6e0278 100644 int handle_private_option( int i ) diff --git a/clients/tools/ldapexop.c b/clients/tools/ldapexop.c -index bfe6e4eac..bd6e02979 100644 +index d66f2cfb1f..10fe910dc3 100644 --- a/clients/tools/ldapexop.c +++ b/clients/tools/ldapexop.c @@ -52,7 +52,7 @@ usage( void ) @@ -57,20 +57,20 @@ index bfe6e4eac..bd6e02979 100644 int handle_private_option( int i ) diff --git a/clients/tools/ldapmodify.c b/clients/tools/ldapmodify.c -index 33b723bda..c94c11a3a 100644 +index 032e4e1479..d33b092308 100644 --- a/clients/tools/ldapmodify.c +++ b/clients/tools/ldapmodify.c -@@ -125,7 +125,7 @@ usage( void ) +@@ -127,7 +127,7 @@ usage( void ) const char options[] = "aE:rS:" -- "cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z"; -+ "cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z"; +- "cd:D:e:f:H:Ij:MnNO:o:P:QR:U:vVw:WxX:y:Y:Z"; ++ "cd:D:e:f:h:H:Ij:MnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) diff --git a/clients/tools/ldapmodrdn.c b/clients/tools/ldapmodrdn.c -index 40a482f5d..d5cf43f7a 100644 +index 1197d3813f..6ea8b66380 100644 --- a/clients/tools/ldapmodrdn.c +++ b/clients/tools/ldapmodrdn.c @@ -95,7 +95,7 @@ usage( void ) @@ -83,7 +83,7 @@ index 40a482f5d..d5cf43f7a 100644 int handle_private_option( int i ) diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c -index 9a48aabf3..1958a30f6 100644 +index cd0650e914..e34d897c7b 100644 --- a/clients/tools/ldappasswd.c +++ b/clients/tools/ldappasswd.c @@ -83,7 +83,7 @@ usage( void ) @@ -96,7 +96,7 @@ index 9a48aabf3..1958a30f6 100644 int handle_private_option( int i ) diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c -index 69e172c6c..48793314b 100644 +index 3755a937d2..ab9308f593 100644 
--- a/clients/tools/ldapsearch.c +++ b/clients/tools/ldapsearch.c @@ -363,7 +363,7 @@ parse_vlv(char *cvalue) @@ -109,7 +109,7 @@ index 69e172c6c..48793314b 100644 int handle_private_option( int i ) diff --git a/clients/tools/ldapvc.c b/clients/tools/ldapvc.c -index 4f35025ec..846561847 100644 +index e359611882..a59595b56e 100644 --- a/clients/tools/ldapvc.c +++ b/clients/tools/ldapvc.c @@ -86,7 +86,7 @@ usage( void ) @@ -122,7 +122,7 @@ index 4f35025ec..846561847 100644 int handle_private_option( int i ) diff --git a/clients/tools/ldapwhoami.c b/clients/tools/ldapwhoami.c -index e8ac4b34b..45d32f5d9 100644 +index be1f81300a..ac6197b061 100644 --- a/clients/tools/ldapwhoami.c +++ b/clients/tools/ldapwhoami.c @@ -62,7 +62,7 @@ usage( void ) @@ -135,5 +135,5 @@ index e8ac4b34b..45d32f5d9 100644 int handle_private_option( int i ) -- -2.43.0 +2.47.1 diff --git a/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch b/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch new file mode 100644 index 0000000..3663f3f --- /dev/null +++ b/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch 
@@ -0,0 +1,92 @@
+From 5f4569f0605a73eb1a282ee5251ead073ed3b26e Mon Sep 17 00:00:00 2001
+From: Simon Pichugin
+Date: Tue, 26 Nov 2024 12:32:07 -0800
+Subject: [PATCH] libldap: avoid SSL context cleanup during library destruction
+
+Given that libldap can be pulled into random applications and applications
+are allowed to call OPENSSL_cleanup() before exiting, the only sane thing
+to do is to avoid trying to touch SSL context in ldap destructors, and just
+let them leak if the application does not explicitly free the ldap context.
+
+Add ldap_int_tls_destroy_safe() which skips SSL context cleanup while
+maintaining all other cleanup operations, and use it in the library
+destructor path.
+
+Fixes: https://bugs.openldap.org/show_bug.cgi?id=9952
+---
+ libraries/libldap/init.c | 2 +-
+ libraries/libldap/ldap-int.h | 1 +
+ libraries/libldap/tls2.c | 25 +++++++++++++++++++++----
+ 3 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 213276b4b5..aa017f4128 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -545,7 +545,7 @@ ldap_int_destroy_global_options(void)
+ }
+ #endif
+ #ifdef HAVE_TLS
+- ldap_int_tls_destroy( gopts );
++ ldap_int_tls_destroy_safe( gopts );
+ #endif
+ }
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 7e754775e8..b73097ccc7 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -914,6 +914,7 @@ LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
+ LDAPConn *conn, LDAPURLDesc *srv ));
+
+ LDAP_F (void) ldap_int_tls_destroy LDAP_P(( struct ldapoptions *lo ));
++LDAP_F (void) ldap_int_tls_destroy_safe LDAP_P(( struct ldapoptions *lo ));
+
+ /*
+ * in getvalues.c
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 0841005a59..82f8573602 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -97,10 +97,14 @@ tls_ctx_ref( tls_ctx *ctx )
+ static ldap_pvt_thread_mutex_t tls_def_ctx_mutex;
+ #endif
+
+-void
+-ldap_int_tls_destroy( struct ldapoptions *lo )
+-{
+- if ( lo->ldo_tls_ctx ) {
++/*
++ * Implementation function that handles all cleanup.
++ * skip_ctx_cleanup: 1 when called from destructor, 0 for normal operation
++ */
++static void
++ldap_int_tls_destroy_impl( struct ldapoptions *lo, int skip_ctx_cleanup )
++ {
++ if ( lo->ldo_tls_ctx && !skip_ctx_cleanup ) {
+ ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
+ lo->ldo_tls_ctx = NULL;
+ }
+@@ -147,6 +151,19 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ BER_BVZERO( &lo->ldo_tls_pin );
+ }
+
++
++void
++ldap_int_tls_destroy( struct ldapoptions *lo )
++{
++ ldap_int_tls_destroy_impl(lo, 0);
++}
++
++/* Safe version for destructor use */
++void ldap_int_tls_destroy_safe( struct ldapoptions *lo )
++{
++ ldap_int_tls_destroy_impl(lo, 1);
++}
++
+ /*
+ * Tear down the TLS subsystem. Should only be called once.
+ */
+--
+2.47.0
+
diff --git a/openldap.spec b/openldap.spec
index 24588a0..e55bc0a 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -15,8 +15,8 @@
 %global __brp_remove_la_files %nil
 Name: openldap
-Version: 2.6.6
-Release: 4%{?dist}
+Version: 2.6.8
+Release: 1%{?dist}
 Summary: LDAP support libraries
 License: OLDAP-2.8
 URL: http://www.openldap.org/
@@ -51,6 +51,7 @@ Patch7: openldap-openssl-manpage-defaultCA.patch
 Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
 Patch9: openldap-Revert-ITS-8618-Remove-deprecated-h-and-p.patch
 Patch10: openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch
+Patch11: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
 # check-password module specific patches
 Patch90: check-password-makefile.patch
@@ -167,6 +168,7 @@ pushd openldap-%{version}
 %patch -P8 -p1
 %patch -P9 -p1
 %patch -P10 -p1
+%patch -P11 -p1
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
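Review bot: `ldap_int_tls_destroy_safe` in the second tls2.c hunk leaves `lo->ldo_tls_ctx` set while every other field of the options struct is released, and neither its one-line comment nor the new declaration in ldap-int.h says the SSL context is leaked on purpose, so any future caller other than `ldap_int_destroy_global_options` would silently leak an SSL_CTX per call; I would put `/* As ldap_int_tls_destroy(), but deliberately leaks ldo_tls_ctx: library-destructor use only, where OPENSSL_cleanup() may already have run (ITS#9952). */` on the declaration. The opening brace of `ldap_int_tls_destroy_impl` in the first tls2.c hunk is indented (`++ {`) whereas the `{` it replaces and the two new wrappers sit at column 0, so it should be `{`. The body of the impl between the two tls2.c hunks is outside this view, so I cannot confirm that nothing there still touches OpenSSL-owned objects on the skip path. Per-handle contexts are still released through the unchanged `ldap_int_tls_destroy`, so the ordering hazard described in the commit message presumably persists for an application that calls `OPENSSL_cleanup()` before `ldap_unbind`.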
@@ -484,6 +486,7 @@ exit 0
 %{_libdir}/openldap/home*
 %{_libdir}/openldap/lloadd*
 %{_libdir}/openldap/memberof*
+%{_libdir}/openldap/nestgroup*
 %{_libdir}/openldap/otp*
 %{_libdir}/openldap/pcache*
 %{_libdir}/openldap/ppolicy*
@@ -550,6 +553,10 @@ exit 0
 %{_libdir}/libslapi-2.4*.so.*
 %changelog
+* Mon Dec 16 2024 Simon Pichugin - 2.6.8-1
+- Rebase to version 2.6.8 (RHEL-71053)
+- Avoid SSL context cleanup during library destruction (RHEL-56502)
+
 * Fri Oct 11 2024 Simon Pichugin - 2.6.6-4
 - Disable MD2 hash algorithm
 Resolves: RHEL-59715
diff --git a/sources b/sources
index f38b7f6..d094588 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
 SHA512 (openldap-ppolicy-check-password-1.1.tar.gz) = a92854d7438cb95fac361da80a49d084d502155e8ce0ad2ea679db9529bbe0182aa4354e6139793c775e496349375d8f017678941d23315ff1c20fefc9573cdc
 SHA512 (openldap-2.6.6.tgz) = 0e800807b23f090b465dc18c2f0d342585f96768543b3298b85d17c18272d1c5576a66326d30b3520cac493cbd2ea70e309cd923bf19447c973a63d940619fa6
+SHA512 (openldap-2.6.8.tgz) = c86bda8a0af2645e586d56a1494a5bd486ec5dd55c47859dbabcc2bb6ddc0a8307e23c6b58228d49ee3c8bc5e4d6ead305863442efdcee3dc2ab9953097b5a77