Rebase to version 2.6.8

Avoid SSL context cleanup during library destruction Resolves: RHEL-56502, RHEL-71053
2024-12-12 20:00:13 -08:00 · 2024-12-12 20:00:13 -08:00 · bfc9f1b252
commit bfc9f1b252
parent 0fc0bd06ce
5 changed files with 118 additions and 17 deletions
--- a/.gitignore
+++ b/.gitignore
@ -30,3 +30,4 @@
 /openldap-ppolicy-check-password-1.1.tar.gz
 /openldap-2.6.3.tgz
 /openldap-2.6.6.tgz
+/openldap-2.6.8.tgz
--- a/openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch
+++ b/openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch
@ -1,6 +1,6 @@
-From aa5c93049d48b7fd1ff98661a00e4e12d7d47324 Mon Sep 17 00:00:00 2001
+From 25db869956b0f8edaa3a688a4b3dc92c2d9832f5 Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <spichugi@redhat.com>
-Date: Wed, 13 Dec 2023 11:03:20 -0800
+Date: Thu, 12 Dec 2024 19:58:37 -0800
 Subject: [PATCH] Revert "ITS#9917 Remove 'h' and 'p' from options[] in client
 tools"

@ -18,7 +18,7 @@ This reverts commit a8f7fd00043e2c63b6216aeb3ba69b0d0485311b.
 9 files changed, 9 insertions(+), 9 deletions(-)

 diff --git a/clients/tools/ldapcompare.c b/clients/tools/ldapcompare.c
-index 63c30408f..a83c8d4ac 100644
+index e571600f35..39b7b80aec 100644
 --- a/clients/tools/ldapcompare.c
 +++ b/clients/tools/ldapcompare.c
@@ -104,7 +104,7 @@ static int docompare LDAP_P((
@ -31,7 +31,7 @@ index 63c30408f..a83c8d4ac 100644
 #ifdef LDAP_CONTROL_DONTUSECOPY
 int dontUseCopy = 0;
 diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c
-index a66900d48..53f6e0278 100644
+index f31e5bb3f8..b3676faaa7 100644
 --- a/clients/tools/ldapdelete.c
 +++ b/clients/tools/ldapdelete.c
@@ -82,7 +82,7 @@ usage( void )
@ -44,7 +44,7 @@ index a66900d48..53f6e0278 100644
 int
 handle_private_option( int i )
 diff --git a/clients/tools/ldapexop.c b/clients/tools/ldapexop.c
-index bfe6e4eac..bd6e02979 100644
+index d66f2cfb1f..10fe910dc3 100644
 --- a/clients/tools/ldapexop.c
 +++ b/clients/tools/ldapexop.c
@@ -52,7 +52,7 @@ usage( void )
@ -57,20 +57,20 @@ index bfe6e4eac..bd6e02979 100644
 int
 handle_private_option( int i )
 diff --git a/clients/tools/ldapmodify.c b/clients/tools/ldapmodify.c
-index 33b723bda..c94c11a3a 100644
+index 032e4e1479..d33b092308 100644
 --- a/clients/tools/ldapmodify.c
 +++ b/clients/tools/ldapmodify.c
-@@ -125,7 +125,7 @@ usage( void )
+@@ -127,7 +127,7 @@ usage( void )
 
 
 const char options[] = "aE:rS:"
-	"cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
-+	"cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
+-	"cd:D:e:f:H:Ij:MnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
+	"cd:D:e:f:h:H:Ij:MnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
 
 int
 handle_private_option( int i )
 diff --git a/clients/tools/ldapmodrdn.c b/clients/tools/ldapmodrdn.c
-index 40a482f5d..d5cf43f7a 100644
+index 1197d3813f..6ea8b66380 100644
 --- a/clients/tools/ldapmodrdn.c
 +++ b/clients/tools/ldapmodrdn.c
@@ -95,7 +95,7 @@ usage( void )
@ -83,7 +83,7 @@ index 40a482f5d..d5cf43f7a 100644
 int
 handle_private_option( int i )
 diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
-index 9a48aabf3..1958a30f6 100644
+index cd0650e914..e34d897c7b 100644
 --- a/clients/tools/ldappasswd.c
 +++ b/clients/tools/ldappasswd.c
@@ -83,7 +83,7 @@ usage( void )
@ -96,7 +96,7 @@ index 9a48aabf3..1958a30f6 100644
 int
 handle_private_option( int i )
 diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
-index 69e172c6c..48793314b 100644
+index 3755a937d2..ab9308f593 100644
 --- a/clients/tools/ldapsearch.c
 +++ b/clients/tools/ldapsearch.c
@@ -363,7 +363,7 @@ parse_vlv(char *cvalue)
@ -109,7 +109,7 @@ index 69e172c6c..48793314b 100644
 int
 handle_private_option( int i )
 diff --git a/clients/tools/ldapvc.c b/clients/tools/ldapvc.c
-index 4f35025ec..846561847 100644
+index e359611882..a59595b56e 100644
 --- a/clients/tools/ldapvc.c
 +++ b/clients/tools/ldapvc.c
@@ -86,7 +86,7 @@ usage( void )
@ -122,7 +122,7 @@ index 4f35025ec..846561847 100644
 int
 handle_private_option( int i )
 diff --git a/clients/tools/ldapwhoami.c b/clients/tools/ldapwhoami.c
-index e8ac4b34b..45d32f5d9 100644
+index be1f81300a..ac6197b061 100644
 --- a/clients/tools/ldapwhoami.c
 +++ b/clients/tools/ldapwhoami.c
@@ -62,7 +62,7 @@ usage( void )
@ -135,5 +135,5 @@ index e8ac4b34b..45d32f5d9 100644
 int
 handle_private_option( int i )
 -- 
-2.43.0
+2.47.1

--- a/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
+++ b/openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
@ -0,0 +1,92 @@
+From 5f4569f0605a73eb1a282ee5251ead073ed3b26e Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Tue, 26 Nov 2024 12:32:07 -0800
+Subject: [PATCH] libldap: avoid SSL context cleanup during library destruction
+
+Given that libldap can be pulled into random applications and applications
+are allowed to call OPENSSL_cleanup() before exiting, the only sane thing
+to do is to avoid trying to touch SSL context in ldap destructors, and just
+let them leak if the application does not explicitly free the ldap context.
+
+Add ldap_int_tls_destroy_safe() which skips SSL context cleanup while
+maintaining all other cleanup operations, and use it in the library
+destructor path.
+
+Fixes: https://bugs.openldap.org/show_bug.cgi?id=9952
+---
+ libraries/libldap/init.c     |  2 +-
+ libraries/libldap/ldap-int.h |  1 +
+ libraries/libldap/tls2.c     | 25 +++++++++++++++++++++----
+ 3 files changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 213276b4b5..aa017f4128 100644
+--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
+@@ -545,7 +545,7 @@ ldap_int_destroy_global_options(void)
+ 	}
+ #endif
+ #ifdef HAVE_TLS
+-	ldap_int_tls_destroy( gopts );
+	ldap_int_tls_destroy_safe( gopts );
+ #endif
+ }
+ 
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 7e754775e8..b73097ccc7 100644
+--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
+@@ -914,6 +914,7 @@ LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
+ 	LDAPConn *conn, LDAPURLDesc *srv ));
+ 
+ LDAP_F (void) ldap_int_tls_destroy LDAP_P(( struct ldapoptions *lo ));
+LDAP_F (void) ldap_int_tls_destroy_safe LDAP_P(( struct ldapoptions *lo ));
+ 
+ /*
+  *	in getvalues.c
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 0841005a59..82f8573602 100644
+--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
+@@ -97,10 +97,14 @@ tls_ctx_ref( tls_ctx *ctx )
+ static ldap_pvt_thread_mutex_t tls_def_ctx_mutex;
+ #endif
+ 
+-void
+-ldap_int_tls_destroy( struct ldapoptions *lo )
+-{
+-	if ( lo->ldo_tls_ctx ) {
+/*
+ * Implementation function that handles all cleanup.
+ * skip_ctx_cleanup: 1 when called from destructor, 0 for normal operation
+ */
+static void
+ldap_int_tls_destroy_impl( struct ldapoptions *lo, int skip_ctx_cleanup )
+ {
+	if ( lo->ldo_tls_ctx && !skip_ctx_cleanup ) {
+ 		ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
+ 		lo->ldo_tls_ctx = NULL;
+ 	}
+@@ -147,6 +151,19 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ 	BER_BVZERO( &lo->ldo_tls_pin );
+ }
+ 
+
+void
+ldap_int_tls_destroy( struct ldapoptions *lo )
+{
+	ldap_int_tls_destroy_impl(lo, 0);
+}
+
+/* Safe version for destructor use */
+void ldap_int_tls_destroy_safe( struct ldapoptions *lo )
+{
+	ldap_int_tls_destroy_impl(lo, 1);
+}
+
+ /*
+  * Tear down the TLS subsystem. Should only be called once.
+  */
+-- 
+2.47.0
+
--- a/openldap.spec
+++ b/openldap.spec
@ -15,8 +15,8 @@
 %global __brp_remove_la_files %nil

 Name: openldap
-Version: 2.6.6
-Release: 4%{?dist}
+Version: 2.6.8
+Release: 1%{?dist}
 Summary: LDAP support libraries
 License: OLDAP-2.8
 URL: http://www.openldap.org/
@ -51,6 +51,7 @@ Patch7: openldap-openssl-manpage-defaultCA.patch
 Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
 Patch9: openldap-Revert-ITS-8618-Remove-deprecated-h-and-p.patch
 Patch10: openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch
+Patch11: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch

 # check-password module specific patches
 Patch90: check-password-makefile.patch
@ -167,6 +168,7 @@ pushd openldap-%{version}
 %patch -P8 -p1
 %patch -P9 -p1
 %patch -P10 -p1
+%patch -P11 -p1

 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -484,6 +486,7 @@ exit 0
 %{_libdir}/openldap/home*
 %{_libdir}/openldap/lloadd*
 %{_libdir}/openldap/memberof*
+%{_libdir}/openldap/nestgroup*
 %{_libdir}/openldap/otp*
 %{_libdir}/openldap/pcache*
 %{_libdir}/openldap/ppolicy*
@ -550,6 +553,10 @@ exit 0
 %{_libdir}/libslapi-2.4*.so.*

 %changelog
+* Mon Dec 16 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.8-1
+- Rebase to version 2.6.8 (RHEL-71053)
+- Avoid SSL context cleanup during library destruction (RHEL-56502)
+
 * Fri Oct 11 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.6-4
 - Disable MD2 hash algorithm
  Resolves: RHEL-59715
--- a/1
+++ b/1
@ -1,2 +1,3 @@
 SHA512 (openldap-ppolicy-check-password-1.1.tar.gz) = a92854d7438cb95fac361da80a49d084d502155e8ce0ad2ea679db9529bbe0182aa4354e6139793c775e496349375d8f017678941d23315ff1c20fefc9573cdc
 SHA512 (openldap-2.6.6.tgz) = 0e800807b23f090b465dc18c2f0d342585f96768543b3298b85d17c18272d1c5576a66326d30b3520cac493cbd2ea70e309cd923bf19447c973a63d940619fa6
+SHA512 (openldap-2.6.8.tgz) = c86bda8a0af2645e586d56a1494a5bd486ec5dd55c47859dbabcc2bb6ddc0a8307e23c6b58228d49ee3c8bc5e4d6ead305863442efdcee3dc2ab9953097b5a77