

No commits in common. "imports/c9-beta/openldap-2.4.57-8.el9" and "c8" have entirely different histories.

25 changed files with 1149 additions and 582 deletions

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
SOURCES/openldap-2.4.57.tgz
SOURCES/openldap-2.4.46.tgz


@ -1,2 +1,2 @@
444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
1cffa70a3ea8545948041fd113f8f53bc24d6d87 SOURCES/openldap-2.4.57.tgz
a9ae2273eb9bdd70090dafe0d018a3132606bef6 SOURCES/openldap-2.4.46.tgz


@ -0,0 +1,339 @@
From c8050d1e6eb0f4f3deb187224945ddcfc3baa4d6 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 21 Aug 2020 09:15:15 +0100
Subject: [PATCH] ITS#9318 add TLS_REQSAN option
Add an option to specify how subjectAlternativeNames should be
handled when validating the names in a server certificate.
---
doc/man/man3/ldap_get_option.3 | 9 +++++++
doc/man/man5/ldap.conf.5 | 31 +++++++++++++++++++++++
include/ldap.h | 1 +
libraries/libldap/init.c | 2 ++
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/tls2.c | 16 ++++++++++++
libraries/libldap/tls_g.c | 46 ++++++++++++++++++++++++++++++++--
libraries/libldap/tls_o.c | 44 ++++++++++++++++++++++++++++++--
8 files changed, 146 insertions(+), 4 deletions(-)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index d229ce6e3..7d760136f 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -788,6 +788,15 @@ one of
.BR LDAP_OPT_X_TLS_ALLOW ,
.BR LDAP_OPT_X_TLS_TRY .
.TP
+.B LDAP_OPT_X_TLS_REQUIRE_SAN
+Sets/gets the peer certificate subjectAlternativeName checking strategy,
+one of
+.BR LDAP_OPT_X_TLS_NEVER ,
+.BR LDAP_OPT_X_TLS_HARD ,
+.BR LDAP_OPT_X_TLS_DEMAND ,
+.BR LDAP_OPT_X_TLS_ALLOW ,
+.BR LDAP_OPT_X_TLS_TRY .
+.TP
.B LDAP_OPT_X_TLS_SSL_CTX
Gets the TLS session context associated with this handle.
.BR outvalue
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 2f1ee886d..cde2c875f 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -464,6 +464,37 @@ certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
.RE
.TP
+.B TLS_REQSAN <level>
+Specifies what checks to perform on the subjectAlternativeName
+(SAN) extensions in a server certificate when validating the certificate
+name against the specified hostname of the server. The
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B never
+The client will not check any SAN in the certificate.
+.TP
+.B allow
+The SAN is checked against the specified hostname. If a SAN is
+present but none match the specified hostname, the SANs are ignored
+and the usual check against the certificate DN is used.
+This is the default setting.
+.TP
+.B try
+The SAN is checked against the specified hostname. If no SAN is present
+in the server certificate, the usual check against the certificate DN
+is used. If a SAN is present but doesn't match the specified hostname,
+the session is immediately terminated. This setting may be preferred
+when a mix of certs with and without SANs are in use.
+.TP
+.B demand | hard
+These keywords are equivalent. The SAN is checked against the specified
+hostname. If no SAN is present in the server certificate, or no SANs
+match, the session is immediately terminated. This setting should be
+used when only certificates with SANs are in use.
+.RE
+.TP
.B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
diff --git a/include/ldap.h b/include/ldap.h
index 4b81a6841..4877de24a 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
+#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index d503019aa..0d91808ec 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -128,6 +128,7 @@ static const struct ol_attribute {
{0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE},
{0, ATTR_TLS, "TLS_CACERTDIR", NULL, LDAP_OPT_X_TLS_CACERTDIR},
{0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
+ {0, ATTR_TLS, "TLS_REQSAN", NULL, LDAP_OPT_X_TLS_REQUIRE_SAN},
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
{0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN},
@@ -624,6 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
gopts->ldo_tls_connect_cb = NULL;
gopts->ldo_tls_connect_arg = NULL;
gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+ gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
#endif
gopts->ldo_keepalive_probes = 0;
gopts->ldo_keepalive_interval = 0;
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 753014ad0..2bf5d4ff6 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -262,6 +262,7 @@ struct ldapoptions {
int ldo_tls_require_cert;
int ldo_tls_impl;
int ldo_tls_crlcheck;
+ int ldo_tls_require_san;
#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0
#else
#define LDAP_LDO_TLS_NULLARG
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 6a2113255..670292c22 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -539,6 +539,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
return ldap_pvt_tls_set_option( ld, option, (void *) arg );
case LDAP_OPT_X_TLS_REQUIRE_CERT:
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
case LDAP_OPT_X_TLS:
i = -1;
if ( strcasecmp( arg, "never" ) == 0 ) {
@@ -669,6 +670,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = lo->ldo_tls_require_cert;
break;
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
+ *(int *)arg = lo->ldo_tls_require_san;
+ break;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck;
@@ -818,6 +822,18 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
return 0;
}
return -1;
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
+ if ( !arg ) return -1;
+ switch( *(int *) arg ) {
+ case LDAP_OPT_X_TLS_NEVER:
+ case LDAP_OPT_X_TLS_DEMAND:
+ case LDAP_OPT_X_TLS_ALLOW:
+ case LDAP_OPT_X_TLS_TRY:
+ case LDAP_OPT_X_TLS_HARD:
+ lo->ldo_tls_require_san = * (int *) arg;
+ return 0;
+ }
+ return -1;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1;
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 15ce0bbb8..e3486c9b4 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -496,6 +496,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{
tlsg_session *s = (tlsg_session *)session;
int i, ret;
+ int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
char altname[NI_MAXHOST];
@@ -558,12 +559,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
}
}
+ if (chkSAN) {
for ( i=0, ret=0; ret >= 0; i++ ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
altname, &altnamesize, NULL );
if ( ret < 0 ) break;
+ gotSAN = 1;
/* ignore empty */
if ( altnamesize == 0 ) continue;
@@ -599,7 +602,45 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
}
if ( ret >= 0 ) {
ret = LDAP_SUCCESS;
- } else {
+ }
+ }
+ if (ret != LDAP_SUCCESS && chkSAN) {
+ switch(chkSAN) {
+ case LDAP_OPT_X_TLS_DEMAND:
+ case LDAP_OPT_X_TLS_HARD:
+ if (!gotSAN) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: unable to get subjectAltName from peer certificate.\n",
+ 0, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: unable to get subjectAltName from peer certificate"));
+ goto done;
+ }
+ /* FALLTHRU */
+ case LDAP_OPT_X_TLS_TRY:
+ if (gotSAN) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "subjectAltName in certificate.\n",
+ name, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match subjectAltName in peer certificate"));
+ goto done;
+ }
+ break;
+ case LDAP_OPT_X_TLS_ALLOW:
+ break;
+ }
+ }
+
+ if ( ret != LDAP_SUCCESS ){
/* find the last CN */
i=0;
do {
@@ -654,9 +695,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ _("TLS: hostname does not match name in peer certificate"));
}
}
+done:
gnutls_x509_crt_deinit( cert );
return ret;
}
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 4006f7a4f..6f27168e9 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -600,6 +600,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session *s = (tlso_session *)sess;
int i, ret = LDAP_LOCAL_ERROR;
+ int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
X509 *x;
const char *name;
char *ptr;
@@ -638,7 +639,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
-
+
+ if (chkSAN) {
i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
if (i >= 0) {
X509_EXTENSION *ex;
@@ -651,6 +653,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
char *domain = NULL;
GENERAL_NAME *gn;
+ gotSAN = 1;
if (ntype == IS_DNS) {
domain = strchr(name, '.');
if (domain) {
@@ -709,6 +712,42 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
}
}
}
+ }
+ if (ret != LDAP_SUCCESS && chkSAN) {
+ switch(chkSAN) {
+ case LDAP_OPT_X_TLS_DEMAND:
+ case LDAP_OPT_X_TLS_HARD:
+ if (!gotSAN) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: unable to get subjectAltName from peer certificate.\n",
+ 0, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: unable to get subjectAltName from peer certificate"));
+ goto done;
+ }
+ /* FALLTHRU */
+ case LDAP_OPT_X_TLS_TRY:
+ if (gotSAN) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "subjectAltName in certificate.\n",
+ name, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match subjectAltName in peer certificate"));
+ goto done;
+ }
+ break;
+ case LDAP_OPT_X_TLS_ALLOW:
+ break;
+ }
+ }
if (ret != LDAP_SUCCESS) {
X509_NAME *xn;
@@ -772,9 +811,10 @@ no_cn:
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ _("TLS: hostname does not match name in peer certificate"));
}
}
+done:
X509_free(x);
return ret;
}
--
2.31.1
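Review bot: In the GnuTLS variant `ret` is declared without an initializer (`int i, ret;`) and the only assignment to it inside these hunks is in the SAN loop, which the patch now places under `if (chkSAN)`; the earlier assignments that determine its value before that point lie outside the hunk, as does the start of tlsg_session_chkhost. If that value is 0 (== LDAP_SUCCESS) when TLS_REQSAN is `never`, both `if (ret != LDAP_SUCCESS && chkSAN)` and the following `if ( ret != LDAP_SUCCESS )` are false, so the CN fallback is skipped and the peer hostname is never compared against the certificate at all. The OpenSSL variant is safe here because it starts from `int i, ret = LDAP_LOCAL_ERROR;`, so tls_g.c should take the same precaution, e.g. `ret = LDAP_LOCAL_ERROR;` immediately before `if (chkSAN) {`. A test that sets TLS_REQSAN to never against a certificate whose CN does not match the target host would pin this down for both backends.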


@ -20,10 +20,10 @@ Needs an option to set the criticality flag.
11 files changed, 90 insertions(+)
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 716c1a90f..61c620785 100644
index 871e7c180..fdc9d2de3 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -420,6 +420,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
@@ -430,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
LDAPDN_rewrite_dummy *func, unsigned flags ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
@ -32,10 +32,10 @@ index 716c1a90f..61c620785 100644
LDAP_END_DECL
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 4c0089d5d..3171d56a3 100644
index 28c241b0b..a57292800 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -360,6 +360,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
@@ -369,6 +369,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
lc->lconn_sasl_sockctx = NULL;
lc->lconn_sasl_authctx = NULL;
}
@ -46,7 +46,7 @@ index 4c0089d5d..3171d56a3 100644
return LDAP_SUCCESS;
}
@@ -492,6 +496,24 @@ ldap_int_sasl_bind(
@@ -482,6 +486,24 @@ ldap_int_sasl_bind(
(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
LDAP_FREE( authid.bv_val );
@ -72,10 +72,10 @@ index 4c0089d5d..3171d56a3 100644
#endif
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 98ad4dc05..397894271 100644
index 37c342e26..1915ecab4 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -308,6 +308,7 @@ typedef struct ldap_conn {
@@ -305,6 +305,7 @@ typedef struct ldap_conn {
#ifdef HAVE_CYRUS_SASL
void *lconn_sasl_authctx; /* context for bind */
void *lconn_sasl_sockctx; /* for security layer */
@ -84,7 +84,7 @@ index 98ad4dc05..397894271 100644
#ifdef HAVE_GSSAPI
void *lconn_gss_ctx; /* gss_ctx_id_t */
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index c8a27112f..0ecf81ab9 100644
index 75661c005..1eb5ae47e 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
@ -104,10 +104,10 @@ index c8a27112f..0ecf81ab9 100644
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 82ca5272c..13d734362 100644
index e11d1a8a3..957e73c03 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1013,6 +1013,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
@@ -981,6 +981,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
return rc;
}
@ -122,10 +122,10 @@ index 82ca5272c..13d734362 100644
int
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 3b72cd2a1..b78c12086 100644
index ed1f8f1cb..dfdc35da4 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -669,6 +669,12 @@ tlsg_session_strength( tls_session *session )
@@ -780,6 +780,12 @@ tlsg_session_strength( tls_session *session )
return gnutls_cipher_get_key_size( c ) * 8;
}
@ -138,7 +138,7 @@ index 3b72cd2a1..b78c12086 100644
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -925,6 +931,7 @@ tls_impl ldap_int_tls_impl = {
@@ -1110,6 +1116,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_peer_dn,
tlsg_session_chkhost,
tlsg_session_strength,
@ -147,10 +147,10 @@ index 3b72cd2a1..b78c12086 100644
&tlsg_sbio,
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 43fbae4bc..c64f4c176 100644
index 072d41d56..240bd9ff6 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2874,6 +2874,12 @@ tlsm_session_strength( tls_session *session )
@@ -2838,6 +2838,12 @@ tlsm_session_strength( tls_session *session )
return rc ? 0 : keySize;
}
@ -163,7 +163,7 @@ index 43fbae4bc..c64f4c176 100644
/*
* TLS support for LBER Sockbufs
*/
@@ -3302,6 +3308,7 @@ tls_impl ldap_int_tls_impl = {
@@ -3266,6 +3272,7 @@ tls_impl ldap_int_tls_impl = {
tlsm_session_peer_dn,
tlsm_session_chkhost,
tlsm_session_strength,
@ -172,10 +172,10 @@ index 43fbae4bc..c64f4c176 100644
&tlsm_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index a13f11fb5..f741a461f 100644
index 3c077f895..2ecee465b 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -846,6 +846,21 @@ tlso_session_strength( tls_session *sess )
@@ -676,6 +676,21 @@ tlso_session_strength( tls_session *sess )
return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
}
@ -197,7 +197,7 @@ index a13f11fb5..f741a461f 100644
/*
* TLS support for LBER Sockbufs
*/
@@ -1363,6 +1378,7 @@ tls_impl ldap_int_tls_impl = {
@@ -1283,6 +1298,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_peer_dn,
tlso_session_chkhost,
tlso_session_strength,
@ -206,7 +206,7 @@ index a13f11fb5..f741a461f 100644
&tlso_sbio,
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 44c3fc63d..0602fdceb 100644
index e34703cb3..bc2b8a4d0 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -406,6 +406,7 @@ Connection * connection_init(
@ -225,7 +225,7 @@ index 44c3fc63d..0602fdceb 100644
assert( c->c_currentber == NULL );
assert( c->c_writewaiter == 0);
assert( c->c_writers == 0);
@@ -1428,6 +1430,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
@@ -1408,6 +1410,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
@ -239,10 +239,10 @@ index 44c3fc63d..0602fdceb 100644
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
slapd_set_write( s, 1 );
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 5144170d1..258cd5407 100644
index 0bd6259be..57907d79b 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1389,6 +1389,21 @@ int slap_sasl_external(
@@ -1503,6 +1503,21 @@ int slap_sasl_external(
return LDAP_SUCCESS;
}
@ -264,7 +264,7 @@ index 5144170d1..258cd5407 100644
int slap_sasl_reset( Connection *conn )
{
return LDAP_SUCCESS;
@@ -1454,6 +1469,9 @@ int slap_sasl_close( Connection *conn )
@@ -1568,6 +1583,9 @@ int slap_sasl_close( Connection *conn )
free( conn->c_sasl_extra );
conn->c_sasl_extra = NULL;
@ -275,7 +275,7 @@ index 5144170d1..258cd5407 100644
SASL_CTX *ctx = conn->c_sasl_authctx;
if( ctx ) {
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 7581967be..ad797d752 100644
index 09c1854f8..4b3bbd12e 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -2910,6 +2910,7 @@ struct Connection {
@ -287,5 +287,5 @@ index 7581967be..ad797d752 100644
#ifdef LDAP_X_TXN
--
2.29.2
2.26.2


@ -4,18 +4,18 @@ Date: Mon, 27 Apr 2020 23:24:16 -0700
Subject: [PATCH] Convert test077 to LDIF config
---
tests/data/slapd-sasl-gssapi.conf | 65 ------------------
tests/scripts/defines.sh | 1 -
tests/scripts/test077-sasl-gssapi | 108 ++++++++++++++++++++++++++++--
3 files changed, 103 insertions(+), 71 deletions(-)
tests/data/slapd-sasl-gssapi.conf | 68 -------------------------------
tests/scripts/defines.sh | 1 -
tests/scripts/test077-sasl-gssapi | 35 +++++++++++++---
3 files changed, 30 insertions(+), 74 deletions(-)
delete mode 100644 tests/data/slapd-sasl-gssapi.conf
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
deleted file mode 100644
index 611fc7097..000000000
index 29ab6040b..000000000
--- a/tests/data/slapd-sasl-gssapi.conf
+++ /dev/null
@@ -1,65 +0,0 @@
@@ -1,68 +0,0 @@
-# stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
@ -81,11 +81,14 @@ index 611fc7097..000000000
-
-sasl-realm @KRB5REALM@
-sasl-host localhost
-
-database config
-rootpw secret
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 78dc1f8ae..76c85b442 100755
index f9e5578ee..a84fd0a65 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -108,7 +108,6 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
@@ -114,7 +114,6 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
TLSCONF=$DATADIR/slapd-tls.conf
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
@ -94,18 +97,17 @@ index 78dc1f8ae..76c85b442 100755
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index bde9006ca..322df60a4 100755
index 20c414600..322df60a4 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
exit 0
fi
-mkdir -p $TESTDIR $DBDIR1
+CONFDIR=$TESTDIR/slapd.d
+CONFLDIF=$TESTDIR/slapd.ldif
+
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
+$SLAPPASSWD -g -n >$CONFIGPWF
@ -151,86 +153,15 @@ index bde9006ca..322df60a4 100755
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
@@ -141,6 +166,79 @@ else
fi
fi
@@ -151,7 +176,7 @@ else
for acb in "none" "tls-unique" "tls-endpoint" ; do
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, skipping channe-binding test"
+elif test $HAVE_SASL_GSS_CBIND = no ; then
+ echo "SASL has no channel-binding support in GSSAPI, test skipped"
+else
+ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
+
+ for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
- $LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
+ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+olcSaslCBinding: ${acb}
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ for icb in "none" "tls-unique" "tls-endpoint" ; do
+
+ # The gnutls implemantation of "tls-unique" seems broken
+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
+ if test $WITH_TLS_TYPE == gnutls ; then
+ continue
+ fi
+ fi
+
+ fail="no"
+ if test $icb != $acb -a $acb != "none" ; then
+ # This currently fails in MIT, but it is planned to be
+ # fixed not to fail like in heimdal - avoid testing.
+ if test $icb = "none" ; then
+ continue
+ fi
+ # Otherwise unmatching bindings are expected to fail.
+ fail="yes"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
+ echo -ne "(client: ${icb},\tserver: ${acb}): "
+
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ if test $fail = "no" ; then
+ echo "test failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+ elif test $fail = "yes" ; then
+ echo "failed: command succeeded unexpectedly."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+
+ echo "success"
+ RC=0
+ done
+ done
+fi
+
+
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
dn: cn=config
changetype: modify
replace: olcSaslCBinding
--
2.29.2
2.26.2
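Review bot: The channel-binding loop uses the bash-only comparison `if test $WITH_TLS_TYPE == gnutls ; then`; POSIX `test` defines only `=`, and `echo -n`/`echo -ne` are likewise not portable, so under a plain /bin/sh the gnutls skip would abort with an operator error instead of skipping. Suggest `if test "$WITH_TLS_TYPE" = gnutls ; then` (quoting also guards an unset variable) and `printf` for the two prompt lines. The skip message `"TLS support not available, skipping channe-binding test"` also misspells channel-binding. Which of the two versions of this patch is the new side is not recoverable from the rendered page, so this applies to whichever version carrying the loop is retained.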


@ -17,15 +17,21 @@ slaptest since the database hasn't been initialized yet.
Dynamic config isn't actually used in this test script, so let's just
run slapd off the config file directly.
---
tests/scripts/test077-sasl-gssapi | 3 ---
1 file changed, 3 deletions(-)
tests/scripts/test077-sasl-gssapi | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index 64abe16fe..bde9006ca 100755
index 19f665622..20c414600 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -24,9 +24,6 @@ fi
mkdir -p $TESTDIR $DBDIR1
@@ -21,22 +21,15 @@ if test $WITH_SASL = no ; then
exit 0
fi
-SLAPTEST="$TESTWD/../servers/slapd/slaptest"
-CONFDIR=$TESTDIR/slapd.d
-
mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
-cd $TESTWD
@ -34,6 +40,23 @@ index 64abe16fe..bde9006ca 100755
echo "Starting KDC for SASL/GSSAPI tests..."
. $SRCDIR/scripts/setup_kdc.sh
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPTEST -f $CONF1 -F $CONFDIR
-$SLAPADD -F $CONFDIR -l $LDIFORDERED
+$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
@@ -45,7 +38,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
--
2.29.2
2.26.2


@ -10,17 +10,17 @@ retrieve peer cert for an active TLS session
doc/man/man3/ldap_get_option.3 | 8 ++++++++
include/ldap.h | 1 +
libraries/libldap/ldap-tls.h | 2 ++
libraries/libldap/tls2.c | 24 ++++++++++++++++++++++++
libraries/libldap/tls2.c | 23 +++++++++++++++++++++++
libraries/libldap/tls_g.c | 19 +++++++++++++++++++
libraries/libldap/tls_m.c | 17 +++++++++++++++++
libraries/libldap/tls_o.c | 16 ++++++++++++++++
7 files changed, 87 insertions(+)
7 files changed, 86 insertions(+)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index eb3f25b33..7546875f5 100644
index e67de75e9..1bb55d357 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -744,6 +744,14 @@ A non-zero value pointed to by
@@ -732,6 +732,14 @@ A non-zero value pointed to by
.BR invalue
tells the library to create a context for a server.
.TP
@ -36,22 +36,22 @@ index eb3f25b33..7546875f5 100644
Sets/gets the minimum protocol version.
.BR invalue
diff --git a/include/ldap.h b/include/ldap.h
index 389441031..88bfcabf8 100644
index 4de3f7f32..97ca524d7 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
@@ -161,6 +161,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a
+#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index 0ecf81ab9..103004fa7 100644
index 548814d7f..890d20dc7 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
@@ -43,6 +43,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
@ -59,19 +59,19 @@ index 0ecf81ab9..103004fa7 100644
typedef void (TI_thr_init)(void);
@@ -66,6 +67,7 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
@@ -69,6 +70,7 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
TI_session_unique *ti_session_unique;
+ TI_session_peercert *ti_session_peercert;
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 13d734362..ad09ba39b 100644
index 05fce3218..cbf73bdd5 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -705,6 +705,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
@@ -718,6 +718,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_CONNECT_ARG:
*(void **)arg = lo->ldo_tls_connect_arg;
break;
@ -95,7 +95,7 @@ index 13d734362..ad09ba39b 100644
default:
return -1;
}
@@ -1020,6 +1037,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
@@ -1050,6 +1066,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
tls_session *session = s;
return tls_imp->ti_session_unique( session, buf, is_server );
}
@ -110,10 +110,10 @@ index 13d734362..ad09ba39b 100644
int
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index b78c12086..26d9f99ce 100644
index ce422387c..739680439 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -675,6 +675,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
@@ -830,6 +830,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
@ -138,7 +138,7 @@ index b78c12086..26d9f99ce 100644
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -932,6 +950,7 @@ tls_impl ldap_int_tls_impl = {
@@ -1166,6 +1184,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_chkhost,
tlsg_session_strength,
tlsg_session_unique,
@ -147,10 +147,10 @@ index b78c12086..26d9f99ce 100644
&tlsg_sbio,
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index c64f4c176..d35a803de 100644
index 4bd9e63cb..36dc989ef 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2880,6 +2880,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
@@ -2891,6 +2891,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
@ -173,7 +173,7 @@ index c64f4c176..d35a803de 100644
/*
* TLS support for LBER Sockbufs
*/
@@ -3309,6 +3325,7 @@ tls_impl ldap_int_tls_impl = {
@@ -3322,6 +3338,7 @@ tls_impl ldap_int_tls_impl = {
tlsm_session_chkhost,
tlsm_session_strength,
tlsm_session_unique,
@ -182,10 +182,10 @@ index c64f4c176..d35a803de 100644
&tlsm_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f741a461f..157923289 100644
index 6288456d3..1fa50392f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -861,6 +861,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
@@ -721,6 +721,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
return buf->bv_len;
}
@ -207,7 +207,7 @@ index f741a461f..157923289 100644
/*
* TLS support for LBER Sockbufs
*/
@@ -1379,6 +1394,7 @@ tls_impl ldap_int_tls_impl = {
@@ -1229,6 +1244,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_chkhost,
tlso_session_strength,
tlso_session_unique,
@ -216,5 +216,5 @@ index f741a461f..157923289 100644
&tlso_sbio,
--
2.29.2
2.26.2


@ -9,10 +9,10 @@ Subject: [PATCH] ITS#8573 Add missing URI variables for tests
2 files changed, 25 insertions(+)
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index 9a33d88e9..2a859d89d 100755
index fe5e60509..02629f190 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -74,6 +74,24 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
@@ -75,6 +75,24 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s;@PORT4@;${PORT4};" \
-e "s;@PORT5@;${PORT5};" \
-e "s;@PORT6@;${PORT6};" \
@ -38,10 +38,10 @@ index 9a33d88e9..2a859d89d 100755
-e "s;@TESTDIR@;${TESTDIR};" \
-e "s;@TESTWD@;${TESTWD};" \
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 8f7c7b853..26dab1bae 100755
index 2c9e8f76a..9816034f9 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -221,16 +221,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
@@ -223,16 +223,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
URI3="ldap://${LOCALHOST}:$PORT3/"
URIP3="ldap://${LOCALIP}:$PORT3/"
URI4="ldap://${LOCALHOST}:$PORT4/"
@ -66,5 +66,5 @@ index 8f7c7b853..26dab1bae 100755
# LDIF
LDIF=$DATADIR/test.ldif
--
2.29.2
2.26.2


@ -39,10 +39,10 @@ Subject: [PATCH] ITS#8573 TLS option test suite
create mode 100755 tests/scripts/test070-delta-multimaster-ldaps
diff --git a/configure b/configure
index e87850ec2..e8a720961 100755
index 16d4ab884..29b7ad91d 100755
--- a/configure
+++ b/configure
@@ -758,6 +758,7 @@ AUTH_LIBS
@@ -761,6 +761,7 @@ AUTH_LIBS
LIBSLAPI
SLAPI_LIBS
MODULES_LIBS
@ -50,7 +50,7 @@ index e87850ec2..e8a720961 100755
TLS_LIBS
SASL_LIBS
KRB5_LIBS
@@ -5133,6 +5134,7 @@ KRB4_LIBS=
@@ -5223,6 +5224,7 @@ KRB4_LIBS=
KRB5_LIBS=
SASL_LIBS=
TLS_LIBS=
@ -58,7 +58,7 @@ index e87850ec2..e8a720961 100755
MODULES_LIBS=
SLAPI_LIBS=
LIBSLAPI=
@@ -15582,6 +15584,7 @@ fi
@@ -15701,6 +15703,7 @@ fi
if test $have_openssl = yes ; then
ol_with_tls=openssl
ol_link_tls=yes
@ -66,7 +66,7 @@ index e87850ec2..e8a720961 100755
$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
@@ -15716,6 +15719,7 @@ fi
@@ -15835,6 +15838,7 @@ fi
if test $have_gnutls = yes ; then
ol_with_tls=gnutls
ol_link_tls=yes
@ -75,10 +75,10 @@ index e87850ec2..e8a720961 100755
TLS_LIBS="-lgnutls"
diff --git a/configure.in b/configure.in
index 0c7c0a9ee..cf143d9bf 100644
index ee25a4a90..60c446096 100644
--- a/configure.in
+++ b/configure.in
@@ -592,6 +592,7 @@ KRB4_LIBS=
@@ -610,6 +610,7 @@ KRB4_LIBS=
KRB5_LIBS=
SASL_LIBS=
TLS_LIBS=
@ -86,7 +86,7 @@ index 0c7c0a9ee..cf143d9bf 100644
MODULES_LIBS=
SLAPI_LIBS=
LIBSLAPI=
@@ -1186,6 +1187,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
@@ -1210,6 +1211,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
if test $have_openssl = yes ; then
ol_with_tls=openssl
ol_link_tls=yes
@ -94,7 +94,7 @@ index 0c7c0a9ee..cf143d9bf 100644
AC_DEFINE(HAVE_OPENSSL, 1,
[define if you have OpenSSL])
@@ -1226,6 +1228,7 @@ if test $ol_link_tls = no ; then
@@ -1250,6 +1252,7 @@ if test $ol_link_tls = no ; then
if test $have_gnutls = yes ; then
ol_with_tls=gnutls
ol_link_tls=yes
@ -102,7 +102,7 @@ index 0c7c0a9ee..cf143d9bf 100644
TLS_LIBS="-lgnutls"
@@ -3163,6 +3166,7 @@ AC_SUBST(KRB4_LIBS)
@@ -3261,6 +3264,7 @@ AC_SUBST(KRB4_LIBS)
AC_SUBST(KRB5_LIBS)
AC_SUBST(SASL_LIBS)
AC_SUBST(TLS_LIBS)
@ -600,10 +600,10 @@ index 000000000..8a24f69f8
+b61hkjQZfbEg5cg=
+-----END PRIVATE KEY-----
diff --git a/tests/run.in b/tests/run.in
index a542eedec..468c3e1f2 100644
index 6c33d4d20..793e388c1 100644
--- a/tests/run.in
+++ b/tests/run.in
@@ -56,6 +56,7 @@ AC_valsort=valsort@BUILD_VALSORT@
@@ -57,6 +57,7 @@ AC_valsort=valsort@BUILD_VALSORT@
# misc
AC_WITH_SASL=@WITH_SASL@
AC_WITH_TLS=@WITH_TLS@
@ -611,7 +611,7 @@ index a542eedec..468c3e1f2 100644
AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@
AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@
AC_THREADS=threads@BUILD_THREAD@
@@ -74,7 +75,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \
@@ -75,7 +76,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \
AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \
AC_valsort \
AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \
@ -621,10 +621,10 @@ index a542eedec..468c3e1f2 100644
if test ! -x ../servers/slapd/slapd ; then
echo "Could not locate slapd(8)"
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index b374cc500..8f7c7b853 100755
index a7dacebdd..2c9e8f76a 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -45,6 +45,9 @@ VALSORT=${AC_valsort-valsortno}
@@ -46,6 +46,9 @@ VALSORT=${AC_valsort-valsortno}
# misc
WITH_SASL=${AC_WITH_SASL-no}
USE_SASL=${SLAPD_USE_SASL-no}
@ -634,16 +634,16 @@ index b374cc500..8f7c7b853 100755
ACI=${AC_ACI_ENABLED-acino}
THREADS=${AC_THREADS-threadsno}
SLEEP0=${SLEEP0-1}
@@ -103,6 +106,8 @@ P2SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist2.conf
P3SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist3.conf
REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
@@ -104,6 +107,8 @@ P2SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist2.conf
P3SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist3.conf
REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
+TLSCONF=$DATADIR/slapd-tls.conf
+TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
GLUECONF=$DATADIR/slapd-glue.conf
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
@@ -163,6 +168,7 @@ SLURPLOG=$TESTDIR/slurp.log
@@ -164,6 +169,7 @@ SLURPLOG=$TESTDIR/slurp.log
CONFIGPWF=$TESTDIR/configpw
# args
@ -651,7 +651,7 @@ index b374cc500..8f7c7b853 100755
TOOLARGS="-x $LDAP_TOOLARGS"
TOOLPROTO="-P 3"
@@ -184,7 +190,8 @@ BCMP="diff -iB"
@@ -186,7 +192,8 @@ BCMP="diff -iB"
CMPOUT=/dev/null
SLAPD="$TESTWD/../servers/slapd/slapd -s0"
LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS"
@ -661,7 +661,7 @@ index b374cc500..8f7c7b853 100755
LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL"
LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS"
LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS"
@@ -199,6 +206,7 @@ LDIFFILTER=$PROGDIR/ldif-filter
@@ -201,6 +208,7 @@ LDIFFILTER=$PROGDIR/ldif-filter
SLAPDMTREAD=$PROGDIR/slapd-mtread
LVL=${SLAPD_DEBUG-0x4105}
LOCALHOST=localhost
@ -669,7 +669,7 @@ index b374cc500..8f7c7b853 100755
BASEPORT=${SLAPD_BASEPORT-9010}
PORT1=`expr $BASEPORT + 1`
PORT2=`expr $BASEPORT + 2`
@@ -207,11 +215,22 @@ PORT4=`expr $BASEPORT + 4`
@@ -209,11 +217,22 @@ PORT4=`expr $BASEPORT + 4`
PORT5=`expr $BASEPORT + 5`
PORT6=`expr $BASEPORT + 6`
URI1="ldap://${LOCALHOST}:$PORT1/"
@ -2104,5 +2104,5 @@ index 000000000..1024640ef
+
+exit 0
--
2.29.2
2.26.2


@ -23,10 +23,10 @@ Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option
14 files changed, 200 insertions(+), 136 deletions(-)
diff --git a/clients/tools/common.c b/clients/tools/common.c
index 39db70b93..d5c3491fc 100644
index 1cd8a2c1b..b1edffdaf 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -351,9 +351,9 @@ N_(" -I use SASL Interactive mode\n"),
@@ -374,9 +374,9 @@ N_(" -I use SASL Interactive mode\n"),
N_(" -n show what would be done but don't actually do it\n"),
N_(" -N do not use reverse DNS to canonicalize SASL host name\n"),
N_(" -O props SASL security properties\n"),
@ -38,7 +38,7 @@ index 39db70b93..d5c3491fc 100644
N_(" -p port port on LDAP server\n"),
N_(" -Q use SASL Quiet mode\n"),
N_(" -R realm SASL realm\n"),
@@ -785,6 +785,11 @@ tool_args( int argc, char **argv )
@@ -838,6 +838,11 @@ tool_args( int argc, char **argv )
if ( (cvalue = strchr( control, '=' )) != NULL ) {
*cvalue++ = '\0';
}
@ -50,7 +50,7 @@ index 39db70b93..d5c3491fc 100644
if ( strcasecmp( control, "nettimeout" ) == 0 ) {
if( nettimeout.tv_sec != -1 ) {
@@ -814,7 +819,7 @@ tool_args( int argc, char **argv )
@@ -867,7 +872,7 @@ tool_args( int argc, char **argv )
exit( EXIT_FAILURE );
}
@ -59,7 +59,7 @@ index 39db70b93..d5c3491fc 100644
if ( cvalue == 0 ) {
ldif_wrap = LDIF_LINE_WIDTH;
@@ -825,13 +830,13 @@ tool_args( int argc, char **argv )
@@ -878,13 +883,13 @@ tool_args( int argc, char **argv )
unsigned int u;
if ( lutil_atou( &u, cvalue ) ) {
fprintf( stderr,
@ -76,10 +76,10 @@ index 39db70b93..d5c3491fc 100644
control );
usage();
diff --git a/doc/devel/args b/doc/devel/args
index 7805eff1c..31c22f948 100644
index 9796fe528..c5aa02f11 100644
--- a/doc/devel/args
+++ b/doc/devel/args
@@ -27,7 +27,7 @@ ldapwhoami * DE**HI** NO QR UVWXYZ def*h*** *nop* vwxy
@@ -28,7 +28,7 @@ ldapwhoami * DE**HI** NO QR UVWXYZ def*h*** *nop* vwxy
-h host
-n no-op
-N no (SASLprep) normalization of simple bind password
@ -89,7 +89,7 @@ index 7805eff1c..31c22f948 100644
-v verbose
-V version
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
index 667815a26..de90498db 100644
index 9e66cd4b2..a0e58d7c3 100644
--- a/doc/man/man1/ldapcompare.1
+++ b/doc/man/man1/ldapcompare.1
@@ -186,13 +186,14 @@ Compare extensions:
@ -112,7 +112,7 @@ index 667815a26..de90498db 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
index 9e7036230..872424a65 100644
index 394d35275..85dbf4360 100644
--- a/doc/man/man1/ldapdelete.1
+++ b/doc/man/man1/ldapdelete.1
@@ -192,13 +192,14 @@ Delete extensions:
@ -135,7 +135,7 @@ index 9e7036230..872424a65 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
index 5f5ae7aae..96a7c514e 100644
index 503d681ca..26e1730a8 100644
--- a/doc/man/man1/ldapexop.1
+++ b/doc/man/man1/ldapexop.1
@@ -189,13 +189,14 @@ Specify general extensions. \'!\' indicates criticality.
@ -158,7 +158,7 @@ index 5f5ae7aae..96a7c514e 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index f884c5bfb..90f813506 100644
index 2792d460b..6c277d89c 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -255,13 +255,14 @@ Modify extensions:
@ -181,7 +181,7 @@ index f884c5bfb..90f813506 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
index fa9eac627..900ba7e0e 100644
index 5d0f3fcd9..b24e500fe 100644
--- a/doc/man/man1/ldapmodrdn.1
+++ b/doc/man/man1/ldapmodrdn.1
@@ -186,13 +186,14 @@ Modrdn extensions:
@ -204,7 +204,7 @@ index fa9eac627..900ba7e0e 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
index d3f45b082..bf273fb25 100644
index 36857ab8f..a2805e57b 100644
--- a/doc/man/man1/ldappasswd.1
+++ b/doc/man/man1/ldappasswd.1
@@ -188,13 +188,14 @@ Passwd Modify extensions:
@ -227,7 +227,7 @@ index d3f45b082..bf273fb25 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
index 196179232..901e56043 100644
index 036ce6245..1914eafbf 100644
--- a/doc/man/man1/ldapsearch.1
+++ b/doc/man/man1/ldapsearch.1
@@ -332,13 +332,14 @@ Search extensions:
@ -250,7 +250,7 @@ index 196179232..901e56043 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
index b684de54a..79864c729 100644
index 5912af5ba..2c8cfded2 100644
--- a/doc/man/man1/ldapwhoami.1
+++ b/doc/man/man1/ldapwhoami.1
@@ -143,13 +143,18 @@ WhoAmI extensions:
@ -277,7 +277,7 @@ index b684de54a..79864c729 100644
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
index d05cfa643..24c8f03ea 100644
index 57c41deff..2085e9176 100644
--- a/doc/man/man8/slapcat.8
+++ b/doc/man/man8/slapcat.8
@@ -149,7 +149,7 @@ Possible generic options/values are:
@ -290,10 +290,10 @@ index d05cfa643..24c8f03ea 100644
.in
\fIn\fP is the number of columns allowed for the LDIF output
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 61c620785..c586a95b5 100644
index 31f37277c..e86b032cb 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -321,6 +321,11 @@ struct ldapmsg;
@@ -326,6 +326,11 @@ struct ldifrecord;
LDAP_F ( int ) ldap_pvt_discard LDAP_P((
struct ldap *ld, ber_int_t msgid ));
@ -306,10 +306,10 @@ index 61c620785..c586a95b5 100644
LDAP_F( BerElement * )
ldap_get_message_ber LDAP_P((
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 182ef7d7e..746824fbd 100644
index 548d2c1cb..4a7e81bdb 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -148,6 +148,141 @@ static const struct ol_attribute {
@@ -147,6 +147,141 @@ static const struct ol_attribute {
#define MAX_LDAP_ATTR_LEN sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL")
#define MAX_LDAP_ENV_PREFIX_LEN 8
@ -451,7 +451,7 @@ index 182ef7d7e..746824fbd 100644
static void openldap_ldap_init_w_conf(
const char *file, int userconf )
{
@@ -213,101 +348,7 @@ static void openldap_ldap_init_w_conf(
@@ -212,101 +347,7 @@ static void openldap_ldap_init_w_conf(
while(isspace((unsigned char)*start)) start++;
opt = start;
@ -555,7 +555,7 @@ index 182ef7d7e..746824fbd 100644
fclose(fp);
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
index 01574af1e..a62c69581 100644
index 87ea0ea06..39384e5e9 100644
--- a/servers/slapd/slapcommon.c
+++ b/servers/slapd/slapcommon.c
@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode )
@ -578,5 +578,5 @@ index 01574af1e..a62c69581 100644
}
ldif_wrap = (ber_len_t)u;
--
2.29.2
2.26.2


@ -13,31 +13,31 @@ RCF 5929, which is compatible with Windows.
Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
---
doc/man/man3/ldap_get_option.3 | 16 ++++++
doc/man/man3/ldap_get_option.3 | 16 +++++
doc/man/man5/ldap.conf.5 | 3 +
doc/man/man5/slapd-config.5 | 4 ++
doc/man/man5/slapd.conf.5 | 3 +
include/ldap.h | 5 ++
include/ldap_pvt.h | 5 ++
libraries/libldap/cyrus.c | 101 +++++++++++++++++++++++++++++----
libraries/libldap/cyrus.c | 103 ++++++++++++++++++++++++++++-----
libraries/libldap/init.c | 1 +
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/ldap-tls.h | 2 +
libraries/libldap/tls2.c | 7 +++
libraries/libldap/tls_g.c | 59 +++++++++++++++++++
libraries/libldap/tls_o.c | 45 +++++++++++++++
libraries/libldap/tls_o.c | 45 ++++++++++++++
servers/slapd/bconfig.c | 11 +++-
servers/slapd/config.c | 1 +
servers/slapd/connection.c | 9 +--
servers/slapd/proto-slap.h | 4 +-
servers/slapd/sasl.c | 27 ++++++---
18 files changed, 274 insertions(+), 30 deletions(-)
18 files changed, 274 insertions(+), 32 deletions(-)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index 7546875f5..e953900ce 100644
index 4f03a01a3..fd1b3c91c 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -557,6 +557,22 @@ must be a
@@ -563,6 +563,22 @@ must be a
.BR "char **" .
Its content needs to be freed by the caller using
.BR ldap_memfree (3).
@ -61,7 +61,7 @@ index 7546875f5..e953900ce 100644
The TCP options are OpenLDAP specific.
Mainly intended for use with Linux, they may not be portable.
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index adf134899..29810fc9f 100644
index 65ad40c1b..4974f8340 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -286,6 +286,9 @@ size allowed. 0 disables security layers. The default is 65536.
@ -75,10 +75,10 @@ index adf134899..29810fc9f 100644
If OpenLDAP is built with Generic Security Services Application Programming Interface support,
there are more options you can specify.
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 0dddfdb6c..8c987d8c1 100644
index 18518a186..dc0ab769f 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -699,6 +699,10 @@ Used to specify the fully qualified domain name used for SASL processing.
@@ -720,6 +720,10 @@ Used to specify the fully qualified domain name used for SASL processing.
.B olcSaslRealm: <realm>
Specify SASL realm. Default is empty.
.TP
@ -90,10 +90,10 @@ index 0dddfdb6c..8c987d8c1 100644
Used to specify Cyrus SASL security properties.
The
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 0071072b1..203ab988e 100644
index f2094b7fd..73a151a70 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -893,6 +893,9 @@ The
@@ -914,6 +914,9 @@ The
property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.TP
@ -104,10 +104,10 @@ index 0071072b1..203ab988e 100644
Specify the distinguished name for the subschema subentry that
controls the entries on this server. The default is "cn=Subschema".
diff --git a/include/ldap.h b/include/ldap.h
index 88bfcabf8..e8ac968a9 100644
index 7b4fc9d64..9d5679ae8 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -180,6 +180,10 @@ LDAP_BEGIN_DECL
@@ -186,6 +186,10 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
@ -118,7 +118,7 @@ index 88bfcabf8..e8ac968a9 100644
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100
#define LDAP_OPT_X_SASL_REALM 0x6101
@@ -195,6 +199,7 @@ LDAP_BEGIN_DECL
@@ -201,6 +205,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_SASL_NOCANON 0x610b
#define LDAP_OPT_X_SASL_USERNAME 0x610c /* read-only */
#define LDAP_OPT_X_SASL_GSS_CREDS 0x610d
@ -127,7 +127,7 @@ index 88bfcabf8..e8ac968a9 100644
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index c586a95b5..b71552ec5 100644
index 783d280a5..01220d00a 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void));
@ -141,7 +141,7 @@ index c586a95b5..b71552ec5 100644
#endif /* HAVE_CYRUS_SASL */
struct sockbuf; /* avoid pulling in <lber.h> */
@@ -426,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
@@ -438,6 +442,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
LDAPDN_rewrite_dummy *func, unsigned flags ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
@ -150,10 +150,10 @@ index c586a95b5..b71552ec5 100644
LDAP_END_DECL
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 3171d56a3..081e3cea5 100644
index beb1cf4a0..4d4d5b3e3 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -368,6 +368,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
@@ -372,6 +372,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
return LDAP_SUCCESS;
}
@ -243,7 +243,7 @@ index 3171d56a3..081e3cea5 100644
sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
SASL_CHANNEL_BINDING, cb );
ld->ld_defconn->lconn_sasl_cbind = cb;
@@ -930,12 +984,20 @@ int ldap_pvt_sasl_secprops(
@@ -931,12 +983,20 @@ int ldap_pvt_sasl_secprops(
int
ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
{
@ -265,7 +265,7 @@ index 3171d56a3..081e3cea5 100644
}
return -1;
@@ -1041,6 +1103,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
@@ -1042,6 +1102,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
/* this option is write only */
return -1;
@ -276,7 +276,7 @@ index 3171d56a3..081e3cea5 100644
#ifdef SASL_GSS_CREDS
case LDAP_OPT_X_SASL_GSS_CREDS: {
sasl_conn_t *ctx;
@@ -1142,6 +1208,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
@@ -1143,6 +1207,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
return sc == LDAP_SUCCESS ? 0 : -1;
}
@ -295,10 +295,10 @@ index 3171d56a3..081e3cea5 100644
case LDAP_OPT_X_SASL_GSS_CREDS: {
sasl_conn_t *ctx;
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 746824fbd..0c4b6237e 100644
index 3468ee249..dfe1ea9da 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -113,6 +113,7 @@ static const struct ol_attribute {
@@ -110,6 +110,7 @@ static const struct ol_attribute {
offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
{0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS},
{0, ATTR_BOOL, "SASL_NOCANON", NULL, LDAP_BOOL_SASL_NOCANON},
@ -307,10 +307,10 @@ index 746824fbd..0c4b6237e 100644
#ifdef HAVE_GSSAPI
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 397894271..08d4b4a92 100644
index 67e8bd6da..c6c6891a9 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -276,6 +276,7 @@ struct ldapoptions {
@@ -300,6 +300,7 @@ struct ldapoptions {
/* SASL Security Properties */
struct sasl_security_properties ldo_sasl_secprops;
@ -319,7 +319,7 @@ index 397894271..08d4b4a92 100644
#else
#define LDAP_LDO_SASL_NULLARG
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index 103004fa7..77975bb6c 100644
index efd51aaa2..9f01ddda1 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
@ -328,9 +328,9 @@ index 103004fa7..77975bb6c 100644
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server);
typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
typedef void (TI_thr_init)(void);
@@ -67,6 +68,7 @@ typedef struct tls_impl {
@@ -69,6 +70,7 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
TI_session_unique *ti_session_unique;
@ -339,10 +339,10 @@ index 103004fa7..77975bb6c 100644
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 8b1fee748..f74af7d1d 100644
index 79a651a38..72827a1a3 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1041,6 +1041,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
@@ -1200,6 +1200,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
return tls_imp->ti_session_unique( session, buf, is_server );
}
@ -357,10 +357,10 @@ index 8b1fee748..f74af7d1d 100644
ldap_pvt_tls_get_peercert( void *s, struct berval *der )
{
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 26d9f99ce..52dfcd3ab 100644
index 956a9ec90..ef0f44e20 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -675,6 +675,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
@@ -729,6 +729,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
@ -425,7 +425,7 @@ index 26d9f99ce..52dfcd3ab 100644
static int
tlsg_session_peercert( tls_session *sess, struct berval *der )
{
@@ -950,6 +1008,7 @@ tls_impl ldap_int_tls_impl = {
@@ -1117,6 +1175,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_chkhost,
tlsg_session_strength,
tlsg_session_unique,
@ -434,10 +434,10 @@ index 26d9f99ce..52dfcd3ab 100644
&tlsg_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 157923289..8ede11572 100644
index cf97d7632..aa855d77a 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -861,6 +861,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
@@ -858,6 +858,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
return buf->bv_len;
}
@ -488,7 +488,7 @@ index 157923289..8ede11572 100644
static int
tlso_session_peercert( tls_session *sess, struct berval *der )
{
@@ -1394,6 +1438,7 @@ tls_impl ldap_int_tls_impl = {
@@ -1474,6 +1518,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_chkhost,
tlso_session_strength,
tlso_session_unique,
@ -497,10 +497,10 @@ index 157923289..8ede11572 100644
&tlso_sbio,
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 3188ccfbe..8c4ccb860 100644
index 6069ee203..4c90715be 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -569,6 +569,15 @@ static ConfigTable config_back_cf_table[] = {
@@ -630,6 +630,15 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
@ -516,7 +516,7 @@ index 3188ccfbe..8c4ccb860 100644
{ "sasl-host", "host", 2, 2, 0,
#ifdef HAVE_CYRUS_SASL
ARG_STRING|ARG_UNIQUE, &sasl_host,
@@ -820,7 +829,7 @@ static ConfigOCs cf_ocs[] = {
@@ -948,7 +957,7 @@ static ConfigOCs cf_ocs[] = {
"olcPluginLogFile $ olcReadOnly $ olcReferral $ "
"olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
"olcRootDSE $ "
@ -526,7 +526,7 @@ index 3188ccfbe..8c4ccb860 100644
"olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
"olcTCPBuffer $ "
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 5108da696..77dd3c1ae 100644
index 060d3410f..3d713d4fb 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -73,6 +73,7 @@ char *global_host = NULL;
@ -538,10 +538,10 @@ index 5108da696..77dd3c1ae 100644
struct berval default_search_base = BER_BVNULL;
struct berval default_search_nbase = BER_BVNULL;
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 0602fdceb..d074009e4 100644
index 5f11a0cf1..6d9bb8e85 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1430,12 +1430,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
@@ -1440,12 +1440,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
@ -558,10 +558,10 @@ index 0602fdceb..d074009e4 100644
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
slapd_set_write( s, 1 );
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index de1cabf32..9b52760bd 100644
index b89fa836a..0790a8004 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1657,8 +1657,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
@@ -1681,8 +1681,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
slap_ssf_t ssf, /* relative strength of external security */
struct berval *authid ); /* asserted authenication id */
@ -571,7 +571,7 @@ index de1cabf32..9b52760bd 100644
LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
@@ -2039,6 +2038,7 @@ LDAP_SLAPD_V (char *) global_host;
@@ -2072,6 +2071,7 @@ LDAP_SLAPD_V (char *) global_host;
LDAP_SLAPD_V (struct berval) global_host_bv;
LDAP_SLAPD_V (char *) global_realm;
LDAP_SLAPD_V (char *) sasl_host;
@ -580,10 +580,10 @@ index de1cabf32..9b52760bd 100644
LDAP_SLAPD_V (char **) default_passwd_hash;
LDAP_SLAPD_V (int) lber_debug;
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 258cd5407..c14e8a628 100644
index fc023904a..5cced358c 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1203,6 +1203,8 @@ int slap_sasl_destroy( void )
@@ -1320,6 +1320,8 @@ int slap_sasl_destroy( void )
#endif
free( sasl_host );
sasl_host = NULL;
@ -592,7 +592,7 @@ index 258cd5407..c14e8a628 100644
return 0;
}
@@ -1389,17 +1391,24 @@ int slap_sasl_external(
@@ -1506,17 +1508,24 @@ int slap_sasl_external(
return LDAP_SUCCESS;
}
@ -627,5 +627,5 @@ index 258cd5407..c14e8a628 100644
return LDAP_SUCCESS;
}
--
2.29.2
2.26.2


@ -4,11 +4,41 @@ Date: Sat, 18 Apr 2020 16:30:03 +0200
Subject: [PATCH] ITS#9189 add channel-bindings tests
---
tests/scripts/test068-sasl-tls-external | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
tests/data/slapd-sasl-gssapi.conf | 3 +
tests/scripts/setup_kdc.sh | 8 +++
tests/scripts/test068-sasl-tls-external | 22 +++++++
tests/scripts/test077-sasl-gssapi | 83 ++++++++++++++++++++++++-
4 files changed, 113 insertions(+), 3 deletions(-)
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
index 611fc7097..29ab6040b 100644
--- a/tests/data/slapd-sasl-gssapi.conf
+++ b/tests/data/slapd-sasl-gssapi.conf
@@ -63,3 +63,6 @@ rootpw secret
sasl-realm @KRB5REALM@
sasl-host localhost
+
+database config
+rootpw secret
diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
index 1cb784075..98bcd9f96 100755
--- a/tests/scripts/setup_kdc.sh
+++ b/tests/scripts/setup_kdc.sh
@@ -142,3 +142,11 @@ if test $RC != 0 ; then
exit 0
fi
fi
+
+HAVE_SASL_GSS_CBIND=no
+
+grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
+RC=$?
+if test $RC = 0 ; then
+ HAVE_SASL_GSS_CBIND=yes
+fi
diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
index dcbc50fd4..ee112cf98 100755
index f647b1012..0b91aa197 100755
--- a/tests/scripts/test068-sasl-tls-external
+++ b/tests/scripts/test068-sasl-tls-external
@@ -88,6 +88,28 @@ else
@ -40,6 +70,121 @@ index dcbc50fd4..ee112cf98 100755
test $KILLSERVERS != no && kill -HUP $KILLPIDS
if test $RC != 0 ; then
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index 64abe16fe..19f665622 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
exit 0
fi
-mkdir -p $TESTDIR $DBDIR1
+SLAPTEST="$TESTWD/../servers/slapd/slaptest"
+CONFDIR=$TESTDIR/slapd.d
+
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
cd $TESTWD
@@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+$SLAPTEST -f $CONF1 -F $CONFDIR
+$SLAPADD -F $CONFDIR -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
@@ -41,7 +45,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
@@ -144,6 +148,79 @@ else
fi
fi
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, skipping channe-binding test"
+elif test $HAVE_SASL_GSS_CBIND = no ; then
+ echo "SASL has no channel-binding support in GSSAPI, test skipped"
+else
+ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
+
+ for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+ $LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+olcSaslCBinding: ${acb}
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ for icb in "none" "tls-unique" "tls-endpoint" ; do
+
+ # The gnutls implemantation of "tls-unique" seems broken
+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
+ if test $WITH_TLS_TYPE == gnutls ; then
+ continue
+ fi
+ fi
+
+ fail="no"
+ if test $icb != $acb -a $acb != "none" ; then
+ # This currently fails in MIT, but it is planned to be
+ # fixed not to fail like in heimdal - avoid testing.
+ if test $icb = "none" ; then
+ continue
+ fi
+ # Otherwise unmatching bindings are expected to fail.
+ fail="yes"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
+ echo -ne "(client: ${icb},\tserver: ${acb}): "
+
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ if test $fail = "no" ; then
+ echo "test failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+ elif test $fail = "yes" ; then
+ echo "failed: command succeeded unexpectedly."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+
+ echo "success"
+ RC=0
+ done
+ done
+fi
+
+
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
--
2.29.2
2.26.2
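Review bot: `if test $WITH_TLS_TYPE == gnutls ; then` in the new channel-binding loop of test077-sasl-gssapi uses the bash-only `==` comparison, and the `echo -n` / `echo -ne` progress lines are likewise not defined by POSIX; the rest of the script uses plain `test ... = ...` and `test $RC != 0`, so this should read `if test $WITH_TLS_TYPE = gnutls ; then` and print the progress text with `printf`. The expected-failure branch (`fail="yes"`) treats any nonzero exit from ldapwhoami as proof that a mismatched binding was rejected, so an unrelated failure (KDC not reachable, TLS handshake error, a rejected option) is reported as `success` and could mask a channel-binding check that never ran; consider also checking that the exit status is the LDAP bind result code or grepping $TESTOUT for the SASL bind error before printing success, keeping in mind that the exact message depends on the GSSAPI library in use. Two typos in user-visible strings: `skipping channe-binding test` should be `skipping channel-binding test`, and `The gnutls implemantation of "tls-unique"` should be `The gnutls implementation of "tls-unique"`. The bind is run with `-o tls_reqcert=allow` even though a CA certificate is supplied; if the test server certificate is valid for localhost, `tls_reqcert=demand` would exercise the same validation path a production client uses, but the certificate files are outside this hunk so that cannot be confirmed here.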


@ -10,10 +10,10 @@ Reported-by: Ryan Tandy @ryan
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 08d4b4a92..8c7f1e5c1 100644
index c6c6891a9..336448115 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -277,7 +277,7 @@ struct ldapoptions {
@@ -301,7 +301,7 @@ struct ldapoptions {
/* SASL Security Properties */
struct sasl_security_properties ldo_sasl_secprops;
int ldo_sasl_cbinding;
@ -23,5 +23,5 @@ index 08d4b4a92..8c7f1e5c1 100644
#define LDAP_LDO_SASL_NULLARG
#endif
--
2.29.2
2.26.2


@ -1,28 +0,0 @@
From d548ab15e0d615524c403440c01a9748bfcac87d Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 28 Apr 2020 16:33:41 +0100
Subject: [PATCH] ITS#9215 fix for glibc again
---
libraries/libldap_r/thr_posix.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libraries/libldap_r/thr_posix.c b/libraries/libldap_r/thr_posix.c
index e4b435707..62f94ca16 100644
--- a/libraries/libldap_r/thr_posix.c
+++ b/libraries/libldap_r/thr_posix.c
@@ -18,6 +18,11 @@
#if defined( HAVE_PTHREADS )
+#ifdef __GLIBC__
+#undef _FEATURES_H
+#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */
+#endif
+
#include <ac/errno.h>
#ifdef REPLACE_BROKEN_YIELD
--
2.31.1


@ -12,7 +12,7 @@ Subject: [PATCH] Make prototypes available where needed
3 files changed, 8 insertions(+)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index ad09ba39b..8b1fee748 100644
index 1a96b62c3..869de2eb5 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -76,6 +76,9 @@ static oid_name oids[] = {
@ -26,7 +26,7 @@ index ad09ba39b..8b1fee748 100644
ldap_pvt_tls_ctx_free ( void *c )
{
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index bd68a2421..5108da696 100644
index 778365fd0..2816455a3 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -48,6 +48,7 @@
@ -38,10 +38,10 @@ index bd68a2421..5108da696 100644
#ifdef _WIN32
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 7f8e604fa..de1cabf32 100644
index 4bfdcf930..e33e3b7d9 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -739,6 +739,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
@@ -755,6 +755,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
slap_bindconf *bc, LDAP *ld ));
LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
@ -49,7 +49,7 @@ index 7f8e604fa..de1cabf32 100644
LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ));
LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
const char *fname, int lineno, int argc, char **argv ));
@@ -1656,6 +1657,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
@@ -1683,6 +1684,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
slap_ssf_t ssf, /* relative strength of external security */
struct berval *authid ); /* asserted authenication id */
@ -60,5 +60,5 @@ index 7f8e604fa..de1cabf32 100644
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
--
2.29.2
2.26.2


@ -522,5 +522,5 @@ index 8a24f69f8..99cb512c4 100644
+bcnWV4XIPIMbouL4132Ove+GukJlPA==
-----END PRIVATE KEY-----
--
2.29.2
2.26.2


@ -126,10 +126,10 @@ index 000000000..611fc7097
+sasl-realm @KRB5REALM@
+sasl-host localhost
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index 2a859d89d..5b477ed93 100755
index b0393865d..c9e1a4b0a 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -97,4 +97,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
@@ -99,4 +99,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s;@TESTWD@;${TESTWD};" \
-e "s;@DATADIR@;${DATADIR};" \
-e "s;@SCHEMADIR@;${SCHEMADIR};" \
@ -138,10 +138,10 @@ index 2a859d89d..5b477ed93 100755
+ -e "s;@KDCPORT@;${KDCPORT};" \
-e "/^#/d"
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 26dab1bae..78dc1f8ae 100755
index 1d6c2b3f1..ccb2e5b41 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -108,6 +108,7 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf
@@ -114,6 +114,7 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
TLSCONF=$DATADIR/slapd-tls.conf
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
@ -149,7 +149,7 @@ index 26dab1bae..78dc1f8ae 100755
GLUECONF=$DATADIR/slapd-glue.conf
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
@@ -214,6 +215,7 @@ PORT3=`expr $BASEPORT + 3`
@@ -223,6 +224,7 @@ PORT3=`expr $BASEPORT + 3`
PORT4=`expr $BASEPORT + 4`
PORT5=`expr $BASEPORT + 5`
PORT6=`expr $BASEPORT + 6`
@ -157,7 +157,7 @@ index 26dab1bae..78dc1f8ae 100755
URI1="ldap://${LOCALHOST}:$PORT1/"
URIP1="ldap://${LOCALIP}:$PORT1/"
URI2="ldap://${LOCALHOST}:$PORT2/"
@@ -239,6 +241,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
@@ -248,6 +250,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
SURI6="ldaps://${LOCALHOST}:$PORT6/"
SURIP6="ldaps://${LOCALIP}:$PORT6/"
@ -483,5 +483,5 @@ index 000000000..64abe16fe
+
+exit $RC
--
2.29.2
2.26.2


@ -1,137 +0,0 @@
From a6d34ed8672a02b49bb286cbeb2d75a08bc0c085 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@rehdat.com>
Date: Thu, 1 Jul 2021 12:53:24 +0200
Subject: [PATCH] Fix Channel Binding tests
---
...s => test069-delta-multiprovider-starttls} | 24 +++++++++----------
...daps => test070-delta-multiprovider-ldaps} | 24 +++++++++----------
2 files changed, 24 insertions(+), 24 deletions(-)
rename tests/scripts/{test069-delta-multimaster-starttls => test069-delta-multiprovider-starttls} (96%)
rename tests/scripts/{test070-delta-multimaster-ldaps => test070-delta-multiprovider-ldaps} (96%)
diff --git a/tests/scripts/test069-delta-multimaster-starttls b/tests/scripts/test069-delta-multiprovider-starttls
similarity index 96%
rename from tests/scripts/test069-delta-multimaster-starttls
rename to tests/scripts/test069-delta-multiprovider-starttls
index 2dfbb30a1..01fed1e2c 100755
--- a/tests/scripts/test069-delta-multimaster-starttls
+++ b/tests/scripts/test069-delta-multiprovider-starttls
@@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2017 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@@ -277,7 +277,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -301,7 +301,7 @@ THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
sleep 1
for i in 1 2 3; do
$LDAPSEARCH -S "" -b "$THEDN" -H $URI1 \
- -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
+ -s base '(objectClass=*)' entryCSN > "${PROVIDEROUT}.$i" 2>&1
RC=$?
if test $RC = 0 ; then
@@ -309,7 +309,7 @@ for i in 1 2 3; do
fi
if test $RC != 32 ; then
- echo "ldapsearch failed at slave ($RC)!"
+ echo "ldapsearch failed at replica ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
@@ -340,7 +340,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -555,7 +555,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
diff --git a/tests/scripts/test070-delta-multimaster-ldaps b/tests/scripts/test070-delta-multiprovider-ldaps
similarity index 96%
rename from tests/scripts/test070-delta-multimaster-ldaps
rename to tests/scripts/test070-delta-multiprovider-ldaps
index 1024640ef..37de9ddd0 100755
--- a/tests/scripts/test070-delta-multimaster-ldaps
+++ b/tests/scripts/test070-delta-multiprovider-ldaps
@@ -2,7 +2,7 @@
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
-## Copyright 1998-2017 The OpenLDAP Foundation.
+## Copyright 1998-2021 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@@ -276,7 +276,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -300,7 +300,7 @@ THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com"
sleep 1
for i in 1 2 3; do
$LDAPSEARCH -S "" -b "$THEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $SURIP1 \
- -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1
+ -s base '(objectClass=*)' entryCSN > "${PROVIDEROUT}.$i" 2>&1
RC=$?
if test $RC = 0 ; then
@@ -308,7 +308,7 @@ for i in 1 2 3; do
fi
if test $RC != 32 ; then
- echo "ldapsearch failed at slave ($RC)!"
+ echo "ldapsearch failed at replica ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
@@ -339,7 +339,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
@@ -552,7 +552,7 @@ done
n=2
while [ $n -le $MMR ]; do
echo "Comparing retrieved entries from server 1 and server $n..."
-$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT
+$CMP $PROVIDERFLT $TESTDIR/server$n.flt > $CMPOUT
if test $? != 0 ; then
echo "test failed - server 1 and server $n databases differ"
--
2.31.1


@ -0,0 +1,46 @@
From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@rehdat.com>
Date: Thu, 5 Aug 2021 16:15:09 +0200
Subject: [PATCH] Change TLS_REQSAN default to TRY
---
doc/man/man5/ldap.conf.5 | 2 +-
libraries/libldap/init.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cde2c875f..9f1aa2c0a 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -479,7 +479,6 @@ The client will not check any SAN in the certificate.
The SAN is checked against the specified hostname. If a SAN is
present but none match the specified hostname, the SANs are ignored
and the usual check against the certificate DN is used.
-This is the default setting.
.TP
.B try
The SAN is checked against the specified hostname. If no SAN is present
@@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN
is used. If a SAN is present but doesn't match the specified hostname,
the session is immediately terminated. This setting may be preferred
when a mix of certs with and without SANs are in use.
+This is the default setting.
.TP
.B demand | hard
These keywords are equivalent. The SAN is checked against the specified
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 0d91808ec..fa4c176fd 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
gopts->ldo_tls_connect_cb = NULL;
gopts->ldo_tls_connect_arg = NULL;
gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
- gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
+ gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY;
#endif
gopts->ldo_keepalive_probes = 0;
gopts->ldo_keepalive_interval = 0;
--
2.31.1
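Review bot: The commit message inside this patch has no body, so the reason for moving `ldo_tls_require_san` from `LDAP_OPT_X_TLS_ALLOW` to `LDAP_OPT_X_TLS_TRY` in `ldap_int_initialize_global_options` and the compatibility impact of that default are undocumented. Per the ldap.conf.5 text in the same patch, under `try` a certificate whose SANs are present but match none of the requested host terminates the session rather than falling back to the subject DN, so clients that depended on the `allow` fallback will start failing against such servers. A sentence in the patch description such as `SAN mismatches now fail closed by default; certificates with no SAN at all still fall back to the DN check` would record that for whoever rebases this later. The spec changelog cites a bug id, but the patch itself should carry the rationale.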


@ -0,0 +1,41 @@
From ec5eba5393e5cc65b05e54658c55500cdbff775a Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 26 Aug 2020 13:22:52 +0100
Subject: [PATCH 01/34] ITS#9328 cldap: check for error on connected socket
libldap doesn't use a connected socket for UDP sessions, but 3rd
parties can, passed in with ldap_init_fd().
---
libraries/libldap/result.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
index bdced135b..e2b220630 100644
--- a/libraries/libldap/result.c
+++ b/libraries/libldap/result.c
@@ -486,7 +486,8 @@ retry:
#ifdef LDAP_CONNECTIONLESS
if ( LDAP_IS_UDP(ld) ) {
struct sockaddr_storage from;
- ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
+ if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 )
+ goto fail;
if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
}
nextresp3:
@@ -502,10 +503,11 @@ nextresp3:
break;
case LBER_DEFAULT:
+fail:
err = sock_errno();
#ifdef LDAP_DEBUG
Debug( LDAP_DEBUG_CONNS,
- "ber_get_next failed.\n", 0, 0, 0 );
+ "ber_get_next failed, errno=%d.\n", err, 0, 0 );
#endif
if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
--
2.26.2
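Review bot: The new `fail:` label is placed inside the `case LBER_DEFAULT:` arm and is entered by a `goto` from the UDP read branch outside the switch; that is valid C, but a reader scanning the switch will not expect a second entry point there, and the correctness of `err = sock_errno()` at the label depends on nothing touching errno between the failed `ber_int_sb_read` and the jump. A comment at the label would make that contract explicit, e.g. `/* also reached via goto from the UDP read above; errno must still be the read's */`. The enclosing function starts outside the hunk, so whether any code after the EAGAIN checks handles the connected-socket error (the point of the patch) cannot be confirmed from here.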


@ -0,0 +1,55 @@
From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 May 2013 17:02:57 +0200
Subject: [PATCH] LDAPI SASL fix
Resolves: #960222
---
libraries/libldap/cyrus.c | 19 ++++++++++++++++---
1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
struct berval ccred = BER_BVNULL;
int saslrc, rc;
unsigned credlen;
+ char my_hostname[HOST_NAME_MAX + 1];
+ int free_saslhost = 0;
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 );
@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
/* If we don't need to canonicalize just use the host
* from the LDAP URI.
+ * Always use the result of gethostname() for LDAPI.
*/
- if ( nocanon )
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
+ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
+ if (rc == 0) {
+ saslhost = my_hostname;
+ } else {
+ saslhost = "localhost";
+ }
+ } else if ( nocanon )
saslhost = ld->ld_defconn->lconn_server->lud_host;
- else
+ else {
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" );
+ free_saslhost = 1;
+ }
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- if ( !nocanon )
+ if ( free_saslhost )
LDAP_FREE( saslhost );
}
--
1.7.11.7
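Review bot: `gethostname()` does not guarantee a NUL terminator when the name has to be truncated to the buffer, so `my_hostname` should be terminated explicitly before it is handed to `ldap_int_sasl_open` as `saslhost`: add `my_hostname[HOST_NAME_MAX] = '\0';` inside the `rc == 0` branch. With a buffer of `HOST_NAME_MAX + 1` truncation should not occur on glibc, but `HOST_NAME_MAX` is an optional POSIX limit that is not defined on every platform, so the array declaration at the top of the hunk may need a guarded fallback before this patch is applied elsewhere. The split of the free decision into `free_saslhost` is correct and fixes the mismatch the old `if ( !nocanon )` had with the new ldapi branch. The enclosing function `ldap_int_sasl_bind` starts outside the hunk.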


@ -0,0 +1,227 @@
ITS#7595 Add Elliptic Curve support for OpenSSL
Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
Author: Howard Chu <hyc@openldap.org>
Date: Sat Sep 7 09:47:19 2013 -0700
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 9c72e8296..2311c3096 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -922,6 +922,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B olcTLSECName: <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index f504adcf9..ef03e0ad8 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1153,6 +1153,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/include/ldap.h b/include/ldap.h
index c245651c2..0964a193e 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_NEWCTX 0x600f
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
+#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 66e04ae80..db7193f4f 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -165,6 +165,7 @@ struct ldaptls {
char *lt_ciphersuite;
char *lt_crlfile;
char *lt_randfile; /* OpenSSL only */
+ char *lt_ecname; /* OpenSSL only */
int lt_protocol_min;
};
#endif
@@ -250,6 +251,7 @@ struct ldapoptions {
#define ldo_tls_certfile ldo_tls_info.lt_certfile
#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
+#define ldo_tls_ecname ldo_tls_info.lt_ecname
#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190ea..0451b01af 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
+ if ( lo->ldo_tls_ecname ) {
+ LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = NULL;
+ }
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
+ if ( lts.lt_ecname ) {
+ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
+ __atoe( lts.lt_ecname );
+ }
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
@@ -257,6 +265,7 @@ error_exit:
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
+ LDAP_FREE( lts.lt_ecname );
#endif
return rc;
}
@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
+ case LDAP_OPT_X_TLS_ECNAME:
+ *(char **)arg = lo->ldo_tls_ecname ?
+ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
+ break;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
+ case LDAP_OPT_X_TLS_ECNAME:
+ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f24060b7e..1370923af 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if ( lo->ldo_tls_dhfile ) {
- DH *dh = NULL;
+ if ( is_server && lo->ldo_tls_dhfile ) {
+ DH *dh;
BIO *bio;
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
BIO_free( bio );
SSL_CTX_set_tmp_dh( ctx, dh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ DH_free( dh );
+ }
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ if ( is_server && lo->ldo_tls_ecname ) {
+ EC_KEY *ecdh;
+
+ int nid = OBJ_sn2nid( lt->lt_ecname );
+ if ( nid == NID_undef ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ ecdh = EC_KEY_new_by_curve_name( nid );
+ if ( ecdh == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not generate key for EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ EC_KEY_free( ecdh );
}
+#endif
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f14100..8b1e4e582 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -194,6 +194,7 @@ enum {
CFG_ACL_ADD,
CFG_SYNC_SUBENTRY,
CFG_LTHREADS,
+ CFG_TLS_ECNAME,
CFG_LAST
};
@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "TLSECName", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
+#else
+ ARG_IGNORED, NULL,
+#endif
+ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSProtocolMin", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
+ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
+ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
#ifdef HAVE_GNUTLS
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
#endif
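Review bot: In the tls_o.c hunk of `tlso_ctx_init` the return value of `SSL_CTX_set_tmp_ecdh( ctx, ecdh )` is not checked, so a curve that OpenSSL knows by name but rejects for the context silently leaves the server without the configured ECDHE parameters; the two preceding failures in the same block are treated as fatal and this one should be too: `if ( !SSL_CTX_set_tmp_ecdh( ctx, ecdh ) ) { EC_KEY_free( ecdh ); tlso_report_error(); return -1; }`. Note also that naming one curve pins the server's ECDHE group to that curve; on OpenSSL releases that already select groups automatically, the man page wording added here ("required to enable ECDHE algorithms in OpenSSL") may be misleading and the TLSECName description could say that the option restricts the curve rather than enables ECDHE — worth confirming against the OpenSSL version this build targets. The `tlso_ctx_init` function begins outside the hunk.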


@ -0,0 +1,34 @@
ITS#7595 don't try to use EC if OpenSSL lacks it
Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
Author: Howard Chu <hyc@openldap.org>
Date: Sun Sep 8 06:32:23 2013 -0700
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 1a81bc625..71c2b055c 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free( dh );
}
-#ifdef SSL_OP_SINGLE_ECDH_USE
if ( is_server && lo->ldo_tls_ecname ) {
+#ifdef OPENSSL_NO_EC
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
+ return -1;
+#else
EC_KEY *ecdh;
int nid = OBJ_sn2nid( lt->lt_ecname );
@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
EC_KEY_free( ecdh );
- }
#endif
+ }
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );


@ -1,2 +1,2 @@
# openldap runtime directory for slapd.arg and slapd.pid
d /run/openldap 0755 ldap ldap -
d /var/run/openldap 0755 ldap ldap -


@ -3,16 +3,14 @@
%global systemctl_bin /usr/bin/systemctl
%global check_password_version 1.1
%global so_ver 2
Name: openldap
Version: 2.4.57
Release: 8%{?dist}
Version: 2.4.46
Release: 18%{?dist}
Summary: LDAP support libraries
License: OpenLDAP
URL: http://www.openldap.org/
Source0: https://openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: slapd.service
Source2: slapd.tmpfiles
Source3: slapd.ldif
@ -28,12 +26,17 @@ Patch2: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ai-addrconfig.patch
Patch17: openldap-allop-overlay.patch
Patch18: openldap-cldap-check-for-error-on-connected-socket.patch
# fix back_perl problems with lt_dlopen()
# might cause crashes because of symbol collisions
# the proper fix is to link all perl modules against libperl
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch
Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
Patch24: openldap-openssl-manpage-defaultCA.patch
# The below patches come from upstream master and are necessary for Channel Binding
@ -53,17 +56,15 @@ Patch59: openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_S
Patch60: openldap-cbinding-Fix-slaptest-in-test077.patch
Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
Patch63: openldap-cbinding-ITS-9215-fix-for-glibc-again.patch
Patch64: openldap-cbinding-fix-multiprovider-tests.patch
Patch63: openldap-add-TLS_REQSAN-option.patch
Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch
# check-password module specific patches
Patch90: check-password-makefile.patch
Patch91: check-password.patch
BuildRequires: make
BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
BuildRequires: gcc
%description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@ -86,21 +87,6 @@ protocols for enabling directory services over the Internet. Install
this package only if you plan to develop or will need to compile
customized LDAP clients.
%package compat
Summary: Package providing legacy non-threded libldap
Requires: openldap%{?_isa} = %{version}-%{release}
# since libldap is manually linked from libldap_r, the provides is not generated automatically
%ifarch armv7hl i686
Provides: libldap-2.4.so.%{so_ver}
%else
Provides: libldap-2.4.so.%{so_ver}()(%{__isa_bits}bit)
%endif
%description compat
The openldap-compat package contains non-threaded variant of libldap
which should not be used. Instead, applications should link to libldap_r
which provides thread-safe variant with the very same API.
%package servers
Summary: LDAP server
License: OpenLDAP
@ -146,7 +132,11 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch3 -p1
%patch5 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch50 -p1
%patch51 -p1
@ -229,11 +219,11 @@ pushd openldap-%{version}
\
--libexecdir=%{_libdir}
%make_build
make %{_smp_mflags}
popd
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
%make_build LDAP_INC="-I../openldap-%{version}/include \
make LDAP_INC="-I../openldap-%{version}/include \
-I../openldap-%{version}/servers/slapd \
-I../openldap-%{version}/build-servers/include"
popd
@ -243,7 +233,7 @@ popd
mkdir -p %{buildroot}%{_libdir}/
pushd openldap-%{version}
%make_install STRIP=""
make install DESTDIR=%{buildroot} STRIP=""
popd
# install check_password module
@ -316,29 +306,8 @@ v=%{version}
version=$(echo ${v%.[0-9]*})
for lib in liblber libldap libldap_r libslapi; do
rm -f ${lib}.so
ln -s ${lib}-${version}.so.%{so_ver} ${lib}.so
ln -s ${lib}-${version}.so.2 ${lib}.so
done
# provide only libldap_r and copy it to libldap, make a versioned lib link
rm -f libldap.so
ln -s libldap_r.so "%{buildroot}%{_libdir}/libldap.so"
rm -f libldap-*.so.*
for lib in $(ls | grep libldap_r-); do
IFS='.'
read -r -a libsplit <<< "$lib"
if [ -z "${libsplit[4]}" ]
then
so_ver_short="${libsplit[3]}"
unset IFS
gcc -shared -o "%{buildroot}%{_libdir}/libldap-${version}.so.${so_ver_short}" -Wl,--no-as-needed \
-Wl,-soname -Wl,libldap-${version}.so.${so_ver_short} -L "%{buildroot}%{_libdir}" -lldap_r
else
so_ver_full="${libsplit[3]}.${libsplit[4]}.${libsplit[5]}"
unset IFS
fi
done
ln -s libldap-${version}.so.{${so_ver_short},${so_ver_full}}
popd
# tweak permissions on the libraries to make sure they're correct
@ -477,6 +446,7 @@ exit 0
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%dir %{_libexecdir}/openldap/
%{_libdir}/liblber-2.4*.so.*
%{_libdir}/libldap-2.4*.so.*
%{_libdir}/libldap_r-2.4*.so.*
%{_libdir}/libslapi-2.4*.so.*
%{_mandir}/man5/ldif.5*
@ -551,112 +521,33 @@ exit 0
%{_includedir}/*
%{_mandir}/man3/*
%files compat
%{_libdir}/libldap-2.4*.so.*
%changelog
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Aug 5 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-18
- Add TLS_REQSAN option and change the default to TRY (#1814674)
* Mon Jul 12 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-7
- Fix Channel Binding tests Related: rhbz#1967853
* Wed Jun 16 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-17
- Rebuild without MP_2 support (#1909037)
* Thu Jun 24 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-6
- Fix slapd.tmpfiles complaints. Related: rhbz#1969853
- Use https:// for source Related: rhbz#1973597
* Thu Sep 10 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.46-16
- CLDAP ldap_result hangs if nobody listens on the port (#1875361)
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-5
- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065
* Thu Jun 18 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-15
- Fix covscan issues from previous release (#1822737)
* Fri Jun 4 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-4
- Backport Channel Binding support. Related: rhbz#1967853
- Fix coverity issues. Related: rhbz#1938829
* Tue Jun 16 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-14
- Backport Channel Binding support (#1822904, #1822737)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 15 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-11
- Use OpenSSL-1.0.2+ API for host name verification (#1788572)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.57-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10
- Do not fallback to checking CN when no SAN matched (#1740070)
* Tue Jan 19 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-1
- Rebase to version 2.4.57 (#1917583)
* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
- Reference default system-wide CA certificates in manpages (#1611624)
* Thu Nov 26 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-4
- Use gcc to link libldap_r to libldap (#1537260)
* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-3
- Fix 32-bit libraries build (#1537260)
* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-2
- Drop non-threaded libldap (#1537260)
* Wed Nov 18 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-1
- Rebase to version 2.4.56 (#1896508)
* Mon Nov 02 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.55-1
- Rebase to version 2.4.55 (#1891622)
* Tue Oct 13 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.54-1
- Rebase to version 2.4.54 (#1887581)
* Thu Sep 10 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.53-1
- Rebase to version 2.4.53 (#1868240)
* Thu Sep 03 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.52-1
- Rebase to version 2.4.52 (#1868240)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.50-2
- Perl 5.32 rebuild
* Wed Jun 17 2020 Matus Honek <mhonek@redhat.com> - 2.4.50-1
- Rebase to version 2.4.50 (#1742285)
* Tue Jun 16 2020 Tom Stellard <tstellar@redhat.com> - 2.4.47-5
- Spec file cleanups
- Add BuildRequres: gcc [1]
- make_build [2] and make_install [3]
- [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/#_buildrequires_and_requires
- [2] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
- [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_why_the_makeinstall_macro_should_not_be_used
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.47-2
- Perl 5.30 rebuild
* Wed Feb 13 2019 Matus Honek <mhonek@redhat.com> - 2.4.47-1
- Rebase to upstream version 2.4.47
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.4.46-12
- Rebuilt for libcrypt.so.2 (#1666033)
* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-11
- Reference default system-wide CA certificates in manpages (#1611591)
* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-10
- Revert "Fix: Cannot use SSL3 anymore"
* Mon Oct 08 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623495)
* Tue Aug 14 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
- Fix: Cannot use SSL3 anymore (#1592431)
* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild