Rebase to version 2.6.8

Avoid SSL context cleanup during library destruction

Resolves: RHEL-56502, RHEL-71053

.gitignore

@@ -30,3 +30,4 @@
 /openldap-ppolicy-check-password-1.1.tar.gz
 /openldap-2.6.3.tgz
 /openldap-2.6.6.tgz
+/openldap-2.6.8.tgz

openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch

@@ -1,6 +1,6 @@
-From aa5c93049d48b7fd1ff98661a00e4e12d7d47324 Mon Sep 17 00:00:00 2001
+From 25db869956b0f8edaa3a688a4b3dc92c2d9832f5 Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <spichugi@redhat.com>
-Date: Wed, 13 Dec 2023 11:03:20 -0800
+Date: Thu, 12 Dec 2024 19:58:37 -0800
 Subject: [PATCH] Revert "ITS#9917 Remove 'h' and 'p' from options[] in client
  tools"
 
@@ -18,7 +18,7 @@ This reverts commit a8f7fd00043e2c63b6216aeb3ba69b0d0485311b.
  9 files changed, 9 insertions(+), 9 deletions(-)
 
 diff --git a/clients/tools/ldapcompare.c b/clients/tools/ldapcompare.c
-index 63c30408f..a83c8d4ac 100644
+index e571600f35..39b7b80aec 100644
 --- a/clients/tools/ldapcompare.c
 +++ b/clients/tools/ldapcompare.c
 @@ -104,7 +104,7 @@ static int docompare LDAP_P((
@@ -31,7 +31,7 @@ index 63c30408f..a83c8d4ac 100644
  #ifdef LDAP_CONTROL_DONTUSECOPY
  int dontUseCopy = 0;
 diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c
-index a66900d48..53f6e0278 100644
+index f31e5bb3f8..b3676faaa7 100644
 --- a/clients/tools/ldapdelete.c
 +++ b/clients/tools/ldapdelete.c
 @@ -82,7 +82,7 @@ usage( void )
@@ -44,7 +44,7 @@ index a66900d48..53f6e0278 100644
  int
  handle_private_option( int i )
 diff --git a/clients/tools/ldapexop.c b/clients/tools/ldapexop.c
-index bfe6e4eac..bd6e02979 100644
+index d66f2cfb1f..10fe910dc3 100644
 --- a/clients/tools/ldapexop.c
 +++ b/clients/tools/ldapexop.c
 @@ -52,7 +52,7 @@ usage( void )
@@ -57,20 +57,20 @@ index bfe6e4eac..bd6e02979 100644
  int
  handle_private_option( int i )
 diff --git a/clients/tools/ldapmodify.c b/clients/tools/ldapmodify.c
-index 33b723bda..c94c11a3a 100644
+index 032e4e1479..d33b092308 100644
 --- a/clients/tools/ldapmodify.c
 +++ b/clients/tools/ldapmodify.c
-@@ -125,7 +125,7 @@ usage( void )
+@@ -127,7 +127,7 @@ usage( void )
  
  
  const char options[] = "aE:rS:"
--	"cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
+-	"cd:D:e:f:H:Ij:MnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
-+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
++	"cd:D:e:f:h:H:Ij:MnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
  
  int
  handle_private_option( int i )
 diff --git a/clients/tools/ldapmodrdn.c b/clients/tools/ldapmodrdn.c
-index 40a482f5d..d5cf43f7a 100644
+index 1197d3813f..6ea8b66380 100644
 --- a/clients/tools/ldapmodrdn.c
 +++ b/clients/tools/ldapmodrdn.c
 @@ -95,7 +95,7 @@ usage( void )
@@ -83,7 +83,7 @@ index 40a482f5d..d5cf43f7a 100644
  int
  handle_private_option( int i )
 diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
-index 9a48aabf3..1958a30f6 100644
+index cd0650e914..e34d897c7b 100644
 --- a/clients/tools/ldappasswd.c
 +++ b/clients/tools/ldappasswd.c
 @@ -83,7 +83,7 @@ usage( void )
@@ -96,7 +96,7 @@ index 9a48aabf3..1958a30f6 100644
  int
  handle_private_option( int i )
 diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
-index 69e172c6c..48793314b 100644
+index 3755a937d2..ab9308f593 100644
 --- a/clients/tools/ldapsearch.c
 +++ b/clients/tools/ldapsearch.c
 @@ -363,7 +363,7 @@ parse_vlv(char *cvalue)
@@ -109,7 +109,7 @@ index 69e172c6c..48793314b 100644
  int
  handle_private_option( int i )
 diff --git a/clients/tools/ldapvc.c b/clients/tools/ldapvc.c
-index 4f35025ec..846561847 100644
+index e359611882..a59595b56e 100644
 --- a/clients/tools/ldapvc.c
 +++ b/clients/tools/ldapvc.c
 @@ -86,7 +86,7 @@ usage( void )
@@ -122,7 +122,7 @@ index 4f35025ec..846561847 100644
  int
  handle_private_option( int i )
 diff --git a/clients/tools/ldapwhoami.c b/clients/tools/ldapwhoami.c
-index e8ac4b34b..45d32f5d9 100644
+index be1f81300a..ac6197b061 100644
 --- a/clients/tools/ldapwhoami.c
 +++ b/clients/tools/ldapwhoami.c
 @@ -62,7 +62,7 @@ usage( void )
@@ -135,5 +135,5 @@ index e8ac4b34b..45d32f5d9 100644
  int
  handle_private_option( int i )
 -- 
-2.43.0
+2.47.1
 

openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch

@@ -0,0 +1,92 @@
+From 5f4569f0605a73eb1a282ee5251ead073ed3b26e Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Tue, 26 Nov 2024 12:32:07 -0800
+Subject: [PATCH] libldap: avoid SSL context cleanup during library destruction
+
+Given that libldap can be pulled into random applications and applications
+are allowed to call OPENSSL_cleanup() before exiting, the only sane thing
+to do is to avoid trying to touch SSL context in ldap destructors, and just
+let them leak if the application does not explicitly free the ldap context.
+
+Add ldap_int_tls_destroy_safe() which skips SSL context cleanup while
+maintaining all other cleanup operations, and use it in the library
+destructor path.
+
+Fixes: https://bugs.openldap.org/show_bug.cgi?id=9952
+---
+ libraries/libldap/init.c     |  2 +-
+ libraries/libldap/ldap-int.h |  1 +
+ libraries/libldap/tls2.c     | 25 +++++++++++++++++++++----
+ 3 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 213276b4b5..aa017f4128 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -545,7 +545,7 @@ ldap_int_destroy_global_options(void)
+ 	}
+ #endif
+ #ifdef HAVE_TLS
+-	ldap_int_tls_destroy( gopts );
++	ldap_int_tls_destroy_safe( gopts );
+ #endif
+ }
+ 
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 7e754775e8..b73097ccc7 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -914,6 +914,7 @@ LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
+ 	LDAPConn *conn, LDAPURLDesc *srv ));
+ 
+ LDAP_F (void) ldap_int_tls_destroy LDAP_P(( struct ldapoptions *lo ));
++LDAP_F (void) ldap_int_tls_destroy_safe LDAP_P(( struct ldapoptions *lo ));
+ 
+ /*
+  *	in getvalues.c
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 0841005a59..82f8573602 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -97,10 +97,14 @@ tls_ctx_ref( tls_ctx *ctx )
+ static ldap_pvt_thread_mutex_t tls_def_ctx_mutex;
+ #endif
+ 
+-void
+-ldap_int_tls_destroy( struct ldapoptions *lo )
+-{
+-	if ( lo->ldo_tls_ctx ) {
++/*
++ * Implementation function that handles all cleanup.
++ * skip_ctx_cleanup: 1 when called from destructor, 0 for normal operation
++ */
++static void
++ldap_int_tls_destroy_impl( struct ldapoptions *lo, int skip_ctx_cleanup )
++ {
++	if ( lo->ldo_tls_ctx && !skip_ctx_cleanup ) {
+ 		ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
+ 		lo->ldo_tls_ctx = NULL;
+ 	}
+@@ -147,6 +151,19 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ 	BER_BVZERO( &lo->ldo_tls_pin );
+ }
+ 
++
++void
++ldap_int_tls_destroy( struct ldapoptions *lo )
++{
++	ldap_int_tls_destroy_impl(lo, 0);
++}
++
++/* Safe version for destructor use */
++void ldap_int_tls_destroy_safe( struct ldapoptions *lo )
++{
++	ldap_int_tls_destroy_impl(lo, 1);
++}
++
+ /*
+  * Tear down the TLS subsystem. Should only be called once.
+  */
+-- 
+2.47.0
+

openldap.spec

@@ -15,8 +15,8 @@
 %global __brp_remove_la_files %nil
 
 Name: openldap
-Version: 2.6.6
+Version: 2.6.8
-Release: 4%{?dist}
+Release: 1%{?dist}
 Summary: LDAP support libraries
 License: OLDAP-2.8
 URL: http://www.openldap.org/
@@ -51,6 +51,7 @@ Patch7: openldap-openssl-manpage-defaultCA.patch
 Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
 Patch9: openldap-Revert-ITS-8618-Remove-deprecated-h-and-p.patch
 Patch10: openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch
+Patch11: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
@@ -167,6 +168,7 @@ pushd openldap-%{version}
 %patch -P8 -p1
 %patch -P9 -p1
 %patch -P10 -p1
+%patch -P11 -p1
 
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -484,6 +486,7 @@ exit 0
 %{_libdir}/openldap/home*
 %{_libdir}/openldap/lloadd*
 %{_libdir}/openldap/memberof*
+%{_libdir}/openldap/nestgroup*
 %{_libdir}/openldap/otp*
 %{_libdir}/openldap/pcache*
 %{_libdir}/openldap/ppolicy*
@@ -550,6 +553,10 @@ exit 0
 %{_libdir}/libslapi-2.4*.so.*
 
 %changelog
+* Mon Dec 16 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.8-1
+- Rebase to version 2.6.8 (RHEL-71053)
+- Avoid SSL context cleanup during library destruction (RHEL-56502)
+
 * Fri Oct 11 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.6-4
 - Disable MD2 hash algorithm
   Resolves: RHEL-59715

sources

@@ -1,2 +1,3 @@
 SHA512 (openldap-ppolicy-check-password-1.1.tar.gz) = a92854d7438cb95fac361da80a49d084d502155e8ce0ad2ea679db9529bbe0182aa4354e6139793c775e496349375d8f017678941d23315ff1c20fefc9573cdc
 SHA512 (openldap-2.6.6.tgz) = 0e800807b23f090b465dc18c2f0d342585f96768543b3298b85d17c18272d1c5576a66326d30b3520cac493cbd2ea70e309cd923bf19447c973a63d940619fa6
+SHA512 (openldap-2.6.8.tgz) = c86bda8a0af2645e586d56a1494a5bd486ec5dd55c47859dbabcc2bb6ddc0a8307e23c6b58228d49ee3c8bc5e4d6ead305863442efdcee3dc2ab9953097b5a77