diff --git a/openldap-nss-cipher-attributes.patch b/openldap-nss-cipher-attributes.patch index e51f1ea..5ebd347 100644 --- a/openldap-nss-cipher-attributes.patch +++ b/openldap-nss-cipher-attributes.patch @@ -6,31 +6,51 @@ PreviousAuthor: Jan Vcelak diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c -@@ -210,27 +210,37 @@ typedef struct { +@@ -210,27 +210,44 @@ typedef struct { + int num; /* The cipher id */ + int attr; /* cipher attributes: algorithms, etc */ + int version; /* protocol version valid for this cipher */ +- int bits; /* bits of strength */ +- int alg_bits; /* bits of the algorithm */ + int strength; /* LOW, MEDIUM, HIGH */ + int enabled; /* Enabled by default? */ + } cipher_properties; + /* cipher attributes */ - #define SSL_kRSA 0x00000001L - #define SSL_aRSA 0x00000002L --#define SSL_RSA (SSL_kRSA|SSL_aRSA) - #define SSL_aDSA 0x00000004L - #define SSL_DSA SSL_aDSA - #define SSL_eNULL 0x00000008L - #define SSL_DES 0x00000010L - #define SSL_3DES 0x00000020L - #define SSL_RC4 0x00000040L - #define SSL_RC2 0x00000080L - #define SSL_AES128 0x00000100L - #define SSL_AES256 0x00000200L --#define SSL_AES (SSL_AES128|SSL_AES256) - #define SSL_MD5 0x00000400L - #define SSL_SHA1 0x00000800L - #define SSL_kEDH 0x00001000L - #define SSL_CAMELLIA128 0x00002000L - #define SSL_CAMELLIA256 0x00004000L --#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) - #define SSL_SEED 0x00008000L - #define SSL_kECDH 0x00010000L - #define SSL_kECDHE 0x00020000L - #define SSL_aECDSA 0x00040000L +-#define SSL_kRSA 0x00000001L +-#define SSL_aRSA 0x00000002L +-#define SSL_aDSS 0x00000004L +-#define SSL_DSS SSL_aDSS +-#define SSL_eNULL 0x00000008L +-#define SSL_DES 0x00000010L +-#define SSL_3DES 0x00000020L +-#define SSL_RC4 0x00000040L +-#define SSL_RC2 0x00000080L +-#define SSL_AES 0x00000100L +-#define SSL_MD5 0x00000200L +-#define SSL_SHA1 0x00000400L +-#define SSL_SHA SSL_SHA1 +-#define SSL_RSA (SSL_kRSA|SSL_aRSA) ++#define SSL_kRSA 0x00000001L ++#define SSL_aRSA 0x00000002L ++#define SSL_aDSA 0x00000004L ++#define SSL_DSA SSL_aDSA ++#define SSL_eNULL 0x00000008L ++#define SSL_DES 0x00000010L ++#define SSL_3DES 0x00000020L ++#define SSL_RC4 0x00000040L ++#define SSL_RC2 0x00000080L ++#define SSL_AES128 0x00000100L ++#define SSL_AES256 0x00000200L ++#define SSL_MD5 0x00000400L ++#define SSL_SHA1 0x00000800L ++#define SSL_kEDH 0x00001000L ++#define SSL_CAMELLIA128 0x00002000L ++#define SSL_CAMELLIA256 0x00004000L ++#define SSL_SEED 0x00008000L ++#define SSL_kECDH 0x00010000L ++#define SSL_kECDHE 0x00020000L ++#define SSL_aECDSA 0x00040000L +#define SSL_SHA256 0x00080000L +#define SSL_SHA384 0x00100000L +#define SSL_kEECDH 0x00200000L @@ -47,7 +67,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c /* cipher strength */ #define SSL_NULL 0x00000001L -@@ -237,10 +251,14 @@ typedef struct { +@@ -240,10 +257,14 @@ typedef struct { #define SSL_MEDIUM 0x00000010L #define SSL_HIGH 0x00000020L @@ -62,3 +82,13 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c /* Cipher translation */ static cipher_properties ciphers_def[] = { +--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200 ++++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100 +@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1) + #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2) + #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3) ++#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4) + + /* OpenLDAP SASL options */ + #define LDAP_OPT_X_SASL_MECH 0x6100 diff --git a/openldap-nss-ciphers-definitions.patch b/openldap-nss-ciphers-definitions.patch index beb0e55..7b7a868 100644 --- a/openldap-nss-ciphers-definitions.patch +++ b/openldap-nss-ciphers-definitions.patch @@ -6,41 +6,37 @@ PreviousAuthor: Jan Vcelak diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c -@@ -255,69 +255,103 @@ typedef struct { +@@ -268,29 +268,104 @@ typedef struct { + /* Cipher translation */ static cipher_properties ciphers_def[] = { - -- /* -- * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2 -- */ +- /* SSL 2 ciphers */ +- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED}, +- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED}, +- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, +- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, - - /* SSLv2 ciphers */ -- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED}, -- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED}, -- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, -- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, +- /* SSL3 ciphers */ +- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED}, +- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED}, +- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, +- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED}, +- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, +- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, ++ ++ /* SSLv2 ciphers */ + {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW}, + {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH}, + {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM}, + {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM}, + {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40}, + {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40}, - - /* SSLv3 ciphers */ -- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -- {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -- {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -- {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -- {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, ++ ++ /* SSLv3 ciphers */ + {"NULL-MD5", TLS_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_MD5 */ + {"NULL-SHA", TLS_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_SHA */ + {"DES-CBC-SHA", TLS_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_RSA_WITH_DES_CBC_SHA */ @@ -55,42 +51,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + {"EDH-DSS-DES-CBC3-SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA */ /* TLSv1 ciphers */ -- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -- {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -- {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -- {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -- {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -- {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -- {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -- {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -- {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -- {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -- {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -- {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, +- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, +- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, +- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED}, +- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED}, + {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56}, + {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56}, + {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM}, diff --git a/openldap-nss-ciphers-parsing.patch b/openldap-nss-ciphers-parsing.patch index 8b7c4e5..b91d07d 100644 --- a/openldap-nss-ciphers-parsing.patch +++ b/openldap-nss-ciphers-parsing.patch @@ -6,7 +6,7 @@ PreviousAuthor: Jan Vcelak diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c -@@ -597,10 +597,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -617,10 +617,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) while ((*cipher) && (isspace(*cipher))) ++cipher; @@ -22,7 +22,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c cipher++; break; case '-': /* Subtract something */ -@@ -611,8 +613,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -631,8 +633,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) action = -1; cipher++; break; @@ -33,7 +33,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c break; } -@@ -646,7 +648,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -666,7 +668,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) } } else { int mask = 0; @@ -44,7 +44,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c int protocol = 0; char *c; -@@ -657,16 +662,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -677,12 +682,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) *c++ = '\0'; } @@ -57,10 +57,10 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + negative_mask |= SSL_kECDH; } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { mask |= SSL_eNULL; - } else if (!strcmp(cipher, "AES128")) { - mask |= SSL_AES128; - } else if (!strcmp(cipher, "AES256")) { - mask |= SSL_AES256; ++ } else if (!strcmp(cipher, "AES128")) { ++ mask |= SSL_AES128; ++ } else if (!strcmp(cipher, "AES256")) { ++ mask |= SSL_AES256; + } else if (!strcmp(cipher, "AESGCM")) { + mask |= SSL_AESGCM; } else if (!strcmp(cipher, "AES")) { @@ -69,7 +69,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c } else if (!strcmp(cipher, "3DES")) { mask |= SSL_3DES; } else if (!strcmp(cipher, "DES")) { -@@ -673,44 +687,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -693,26 +707,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) mask |= SSL_RC2; } else if (!strcmp(cipher, "MD5")) { mask |= SSL_MD5; @@ -79,29 +79,18 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c + mask |= SSL_SHA384; } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { mask |= SSL_SHA1; -- } else if (!strcmp(cipher, "EDH")) { -- mask |= SSL_kEDH; -- } else if (!strcmp(cipher, "DSS")) { -- mask |= SSL_aDSA; + } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) { + mask |= SSL_kEDH; + } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) { + mask |= SSL_aDSA; - } else if (!strcmp(cipher, "CAMELLIA128")) { - mask |= SSL_CAMELLIA128; - } else if (!strcmp(cipher, "CAMELLIA256")) { - mask |= SSL_CAMELLIA256; - } else if (!strcmp(cipher, "CAMELLIA")) { -- mask |= SSL_CAMELLIA; ++ } else if (!strcmp(cipher, "CAMELLIA128")) { ++ mask |= SSL_CAMELLIA128; ++ } else if (!strcmp(cipher, "CAMELLIA256")) { ++ mask |= SSL_CAMELLIA256; ++ } else if (!strcmp(cipher, "CAMELLIA")) { + multi_mask |= SSL_CAMELLIA; - } else if (!strcmp(cipher, "SEED")) { - mask |= SSL_SEED; -- } else if (!strcmp(cipher, "ECDH")) { -- mask |= SSL_kECDH; -- } else if (!strcmp(cipher, "ECDHE")) { -- mask |= SSL_kECDHE; -- } else if (!strcmp(cipher, "ECDSA")) { -- mask |= SSL_aECDSA; ++ } else if (!strcmp(cipher, "SEED")) { ++ mask |= SSL_SEED; + } else if (!strcmp(cipher, "kECDHe")) { + mask |= SSL_kECDH|SSL_aECDSA; + } else if (!strcmp(cipher, "kECDHr")) { @@ -150,7 +139,7 @@ diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c } if (c) -@@ -700,23 +751,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) +@@ -720,23 +775,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) } /* while */ diff --git a/openldap-nss-protocol-version-new-api.patch b/openldap-nss-protocol-version-new-api.patch index 65cedf3..0ee0ec2 100644 --- a/openldap-nss-protocol-version-new-api.patch +++ b/openldap-nss-protocol-version-new-api.patch @@ -10,23 +10,6 @@ RHBZ: #1375432 diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c -@@ -2019,16 +2019,6 @@ tlsm_deferred_init( void *arg ) - } - } - -- /* -- * Set the SSL version range. MozNSS SSL versions are the same as openldap's: -- * -- * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_* -- */ -- SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */ -- range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min; -- variant = ssl_variant_stream; -- SSL_VersionRangeSetDefault(variant, &range); -- - NSS_SetDomesticPolicy(); - - PK11_SetPasswordFunc( tlsm_pin_prompt ); @@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg ) 0, 0, 0 ); return -1; diff --git a/openldap-nss-update-list-of-ciphers.patch b/openldap-nss-update-list-of-ciphers.patch deleted file mode 100644 index d5986c0..0000000 --- a/openldap-nss-update-list-of-ciphers.patch +++ /dev/null @@ -1,193 +0,0 @@ -MozNSS: update list of supported cipher suites - -The updated list includes all ciphers implemented in Mozilla NSS 3.13.15 - -Author: Jan Vcelak -Upstream ITS: #7374 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 1422ce2..5e49fc5 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -211,27 +211,34 @@ typedef struct { - int num; /* The cipher id */ - int attr; /* cipher attributes: algorithms, etc */ - int version; /* protocol version valid for this cipher */ -- int bits; /* bits of strength */ -- int alg_bits; /* bits of the algorithm */ - int strength; /* LOW, MEDIUM, HIGH */ - int enabled; /* Enabled by default? */ - } cipher_properties; - - /* cipher attributes */ --#define SSL_kRSA 0x00000001L --#define SSL_aRSA 0x00000002L --#define SSL_aDSS 0x00000004L --#define SSL_DSS SSL_aDSS --#define SSL_eNULL 0x00000008L --#define SSL_DES 0x00000010L --#define SSL_3DES 0x00000020L --#define SSL_RC4 0x00000040L --#define SSL_RC2 0x00000080L --#define SSL_AES 0x00000100L --#define SSL_MD5 0x00000200L --#define SSL_SHA1 0x00000400L --#define SSL_SHA SSL_SHA1 --#define SSL_RSA (SSL_kRSA|SSL_aRSA) -+#define SSL_kRSA 0x00000001L -+#define SSL_aRSA 0x00000002L -+#define SSL_RSA (SSL_kRSA|SSL_aRSA) -+#define SSL_aDSA 0x00000004L -+#define SSL_DSA SSL_aDSA -+#define SSL_eNULL 0x00000008L -+#define SSL_DES 0x00000010L -+#define SSL_3DES 0x00000020L -+#define SSL_RC4 0x00000040L -+#define SSL_RC2 0x00000080L -+#define SSL_AES128 0x00000100L -+#define SSL_AES256 0x00000200L -+#define SSL_AES (SSL_AES128|SSL_AES256) -+#define SSL_MD5 0x00000400L -+#define SSL_SHA1 0x00000800L -+#define SSL_kEDH 0x00001000L -+#define SSL_CAMELLIA128 0x00002000L -+#define SSL_CAMELLIA256 0x00004000L -+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) -+#define SSL_SEED 0x00008000L -+#define SSL_kECDH 0x00010000L -+#define SSL_kECDHE 0x00020000L -+#define SSL_aECDSA 0x00040000L - - /* cipher strength */ - #define SSL_NULL 0x00000001L -@@ -248,29 +255,70 @@ typedef struct { - - /* Cipher translation */ - static cipher_properties ciphers_def[] = { -- /* SSL 2 ciphers */ -- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED}, -- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- -- /* SSL3 ciphers */ -- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, -- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED}, -- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED}, -- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, -- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED}, -- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, -- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, -+ -+ /* -+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2 -+ */ -+ -+ /* SSLv2 ciphers */ -+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED}, -+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED}, -+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, -+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, -+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, -+ -+ /* SSLv3 ciphers */ -+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED}, -+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED}, -+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, -+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, -+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, -+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, - - /* TLSv1 ciphers */ -- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, -- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, -- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED}, -- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED}, -+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, -+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, -+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, -+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, - }; - - #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) -@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - mask |= SSL_RSA; - } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { - mask |= SSL_eNULL; -+ } else if (!strcmp(cipher, "AES128")) { -+ mask |= SSL_AES128; -+ } else if (!strcmp(cipher, "AES256")) { -+ mask |= SSL_AES256; - } else if (!strcmp(cipher, "AES")) { - mask |= SSL_AES; - } else if (!strcmp(cipher, "3DES")) { -@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) - mask |= SSL_MD5; - } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { - mask |= SSL_SHA1; -+ } else if (!strcmp(cipher, "EDH")) { -+ mask |= SSL_kEDH; -+ } else if (!strcmp(cipher, "DSS")) { -+ mask |= SSL_aDSA; -+ } else if (!strcmp(cipher, "CAMELLIA128")) { -+ mask |= SSL_CAMELLIA128; -+ } else if (!strcmp(cipher, "CAMELLIA256")) { -+ mask |= SSL_CAMELLIA256; -+ } else if (!strcmp(cipher, "CAMELLIA")) { -+ mask |= SSL_CAMELLIA; -+ } else if (!strcmp(cipher, "SEED")) { -+ mask |= SSL_SEED; -+ } else if (!strcmp(cipher, "ECDH")) { -+ mask |= SSL_kECDH; -+ } else if (!strcmp(cipher, "ECDHE")) { -+ mask |= SSL_kECDHE; -+ } else if (!strcmp(cipher, "ECDSA")) { -+ mask |= SSL_aECDSA; - } else if (!strcmp(cipher, "SSLv2")) { - protocol |= SSL2; - } else if (!strcmp(cipher, "SSLv3")) { --- -1.7.11.4 - diff --git a/openldap-support-tlsv1-and-later.patch b/openldap-support-tlsv1-and-later.patch deleted file mode 100644 index b8cc0f8..0000000 --- a/openldap-support-tlsv1-and-later.patch +++ /dev/null @@ -1,54 +0,0 @@ -Support TLSv1 and later. - -Author: Mark Reynolds -Backported-by: Jan Synacek -Upstream ITS: #7979 -Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00 - ---- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100 -+++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100 -@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD - case SSL_ERROR_BAD_CERT_DOMAIN: - break; - default: -- success = SECFailure; -+ success = SECFailure; - break; - } - -@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg ) - NSSInitContext *initctx = NULL; - PK11SlotInfo *certdb_slot = NULL; - #endif -+ SSLVersionRange range; -+ SSLProtocolVariant variant; - SECStatus rc; - int done = 0; - -@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg ) - } - } - -+ /* -+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's: -+ * -+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_* -+ */ -+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */ -+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min; -+ variant = ssl_variant_stream; -+ SSL_VersionRangeSetDefault(variant, &range); -+ - NSS_SetDomesticPolicy(); - - PK11_SetPasswordFunc( tlsm_pin_prompt ); ---- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200 -+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100 -@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1) - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2) - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3) -+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4) - - /* OpenLDAP SASL options */ - #define LDAP_OPT_X_SASL_MECH 0x6100 diff --git a/openldap.spec b/openldap.spec index b12081b..74632df 100644 --- a/openldap.spec +++ b/openldap.spec @@ -5,7 +5,7 @@ Name: openldap Version: 2.4.44 -Release: 7%{?dist} +Release: 8%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP @@ -29,7 +29,6 @@ Patch3: openldap-smbk5pwd-overlay.patch Patch4: openldap-man-sasl-nocanon.patch Patch5: openldap-ai-addrconfig.patch # nss patches, unlikely to ever get upstreamed -Patch11: openldap-nss-update-list-of-ciphers.patch Patch12: openldap-tls-no-reuse-of-tls_session.patch Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch Patch14: openldap-nss-ignore-certdb-type-prefix.patch @@ -44,8 +43,6 @@ Patch17: openldap-allop-overlay.patch Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch # ldapi sasl fix pending upstream inclusion Patch20: openldap-ldapi-sasl.patch -# TLSv1 support, already included upstream -Patch21: openldap-support-tlsv1-and-later.patch Patch22: openldap-nss-protocol-version-new-api.patch Patch50: openldap-nss-cipher-attributes.patch @@ -145,7 +142,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 @@ -154,7 +150,6 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch17 -p1 %patch19 -p1 %patch20 -p1 -%patch21 -p1 %patch22 -p1 %patch50 -p1 @@ -553,6 +548,9 @@ exit 0 %{_mandir}/man3/* %changelog +* Fri Mar 24 2017 Matus Honek - 2.4.44-8 +- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435689) + * Mon Jan 30 2017 Matus Honek - 2.4.44-7 - NSS: Update list of ciphers (#1387868)