summaryrefslogtreecommitdiff
path: root/databases/openldap
diff options
context:
space:
mode:
authormanu <manu@pkgsrc.org>2015-09-14 16:32:26 +0000
committermanu <manu@pkgsrc.org>2015-09-14 16:32:26 +0000
commit8e373bd1bf04606c6d086dbf17b8b97c71a5f3ed (patch)
treea84276f5501bdd0ba3dd9050259335106bb98882 /databases/openldap
parent05eb14a91da6e1dbcc3cc48c55e75254965e7365 (diff)
downloadpkgsrc-8e373bd1bf04606c6d086dbf17b8b97c71a5f3ed.tar.gz
Add support for ECDH, from upstream
After the recent logjam attack, longer DH parameter size have been advised. Unfortunately, this comes with a high computational cost. ECDH is a good alternative to acheive forward secrecy with lower CPU Loads. This patch is a backport from upstream ECDH umplementation. ECDH is enabled by speciying a curve name through the TLSECName directive. Valid curve names can be obtaines by openssl ecparam -list_curves Advised usage for a forward-secrecy only setup wiht only ECDH: TLSCipherSuite EECDH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL TLSECName prime256v1 If backward compatibility with older clients is required: TLSCipherSuite EECDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL TLSECName prime256v1 Backward compatible flavor with more forward secrecy, at the expense of using costly DH. dh2048.pem is obtained using openssl dhparam 2048 > /etc/openssl/certs/dh2048.pem TLSCipherSuite EECDH:EDH:HIGH:!RC4:!SHA:!MD5:!DES:!aNULL:!eNULL TLSDHParamFile /etc/openssl/certs/dh2048.pem TLSECName prime256v1
Diffstat (limited to 'databases/openldap')
-rw-r--r--databases/openldap/distinfo3
-rw-r--r--databases/openldap/patches/patch-its7595284
2 files changed, 286 insertions, 1 deletions
diff --git a/databases/openldap/distinfo b/databases/openldap/distinfo
index 5509141d7ed..05e9867f55c 100644
--- a/databases/openldap/distinfo
+++ b/databases/openldap/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.101 2015/08/24 22:35:50 adam Exp $
+$NetBSD: distinfo,v 1.102 2015/09/14 16:32:26 manu Exp $
SHA1 (openldap-2.4.42.tgz) = ec03e061bfdb2e6a90827855cf77a72cb3f89cf4
RMD160 (openldap-2.4.42.tgz) = e45f38305f9a151b194534c60899d16be02813f8
@@ -18,4 +18,5 @@ SHA1 (patch-contrib_slapd-modules_nops_slapo-nops.5) = f32352f19361b7e9aa5b038ae
SHA1 (patch-da) = 75e26bd08c6e66b69192ebfbb36db974d391ec3e
SHA1 (patch-dd) = 9c74118ff0b2232bda729c9917082fceef41dd16
SHA1 (patch-its7506) = a50f9428d6d7dd28f71d21e11ae3f8b0f1372f75
+SHA1 (patch-its7595) = 9ea396adb7f2fd572d60190534caa80a01ef79d2
SHA1 (patch-libraries_libldap_os-local.c) = 7cd4f8638456fae12499de0d36d7802e47d3d688
diff --git a/databases/openldap/patches/patch-its7595 b/databases/openldap/patches/patch-its7595
new file mode 100644
index 00000000000..69e7a7eb2f2
--- /dev/null
+++ b/databases/openldap/patches/patch-its7595
@@ -0,0 +1,284 @@
+$NetBSD: patch-its7595,v 1.1 2015/09/14 16:32:26 manu Exp $
+
+ECDH support from upstream
+
+From e631ce808ed56119e61321463d06db7999ba5a08 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 7 Sep 2013 09:47:19 -0700
+Subject: [PATCH] ITS#7595 Add Elliptic Curve support for OpenSSL
+
+From 9562ad00bd7f965df721bc22ac905bc759298a27 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 7 Sep 2013 10:13:40 -0700
+Subject: [PATCH] ITS#7595 more doc for elliptic curve
+
+From 721e46fe6695077d63a3df6ea2e397920a72308d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sun, 8 Sep 2013 06:32:23 -0700
+Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
+
+--- doc/guide/admin/tls.sdf.orig
++++ doc/guide/admin/tls.sdf
+@@ -200,8 +200,20 @@
+ > openssl dhparam [-dsaparam] -out <filename> <numbits>
+
+ This directive is ignored with GnuTLS and Mozilla NSS.
+
++H4: TLSECName <name>
++
++This directive specifies the curve to use for Elliptic Curve
++Diffie-Hellman ephemeral key exchange. This is required in order
++to use ECDHE-based cipher suites in OpenSSL. The names of supported
++curves may be shown using the following command
++
++> openssl ecparam -list_curves
++
++This directive is not used for GnuTLS and is ignored with Mozilla NSS.
++For GnuTLS the curves may be specified in the ciphersuite.
++
+ H4: TLSVerifyClient { never | allow | try | demand }
+
+ This directive specifies what checks to perform on client certificates
+ in an incoming TLS session, if any. This option is set to {{EX:never}}
+--- doc/man/man5/slapd-config.5.orig
++++ doc/man/man5/slapd-config.5
+@@ -917,8 +917,15 @@
+ from the default, otherwise no certificate exchanges or verification will
+ be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B olcTLSProtocolMin: <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+ the SSL handshake will fail.
+--- doc/man/man5/slapd.conf.5.orig
++++ doc/man/man5/slapd.conf.5
+@@ -1148,8 +1148,15 @@
+ from the default, otherwise no certificate exchanges or verification will
+ be done. When using GnuTLS these parameters are always generated randomly so
+ this directive is ignored. This directive is ignored when using Mozilla NSS.
+ .TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B TLSProtocolMin <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+ the SSL handshake will fail.
+--- include/ldap.h.orig
++++ include/ldap.h
+@@ -157,8 +157,9 @@
+ #define LDAP_OPT_X_TLS_DHFILE 0x600e
+ #define LDAP_OPT_X_TLS_NEWCTX 0x600f
+ #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
+ #define LDAP_OPT_X_TLS_PACKAGE 0x6011
++#define LDAP_OPT_X_TLS_ECNAME 0x6012
+
+ #define LDAP_OPT_X_TLS_NEVER 0
+ #define LDAP_OPT_X_TLS_HARD 1
+ #define LDAP_OPT_X_TLS_DEMAND 2
+--- libraries/libldap/ldap-int.h.orig
++++ libraries/libldap/ldap-int.h
+@@ -164,8 +164,9 @@
+ char *lt_cacertdir;
+ char *lt_ciphersuite;
+ char *lt_crlfile;
+ char *lt_randfile; /* OpenSSL only */
++ char *lt_ecname; /* OpenSSL only */
+ int lt_protocol_min;
+ };
+ #endif
+
+@@ -249,8 +250,9 @@
+ struct ldaptls ldo_tls_info;
+ #define ldo_tls_certfile ldo_tls_info.lt_certfile
+ #define ldo_tls_keyfile ldo_tls_info.lt_keyfile
+ #define ldo_tls_dhfile ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname ldo_tls_info.lt_ecname
+ #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
+ #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
+ #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
+ #define ldo_tls_protocol_min ldo_tls_info.lt_protocol_min
+--- libraries/libldap/tls2.c.orig
++++ libraries/libldap/tls2.c
+@@ -117,8 +117,12 @@
+ if ( lo->ldo_tls_dhfile ) {
+ LDAP_FREE( lo->ldo_tls_dhfile );
+ lo->ldo_tls_dhfile = NULL;
+ }
++ if ( lo->ldo_tls_ecname ) {
++ LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = NULL;
++ }
+ if ( lo->ldo_tls_cacertfile ) {
+ LDAP_FREE( lo->ldo_tls_cacertfile );
+ lo->ldo_tls_cacertfile = NULL;
+ }
+@@ -231,8 +235,12 @@
+ if ( lts.lt_dhfile ) {
+ lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+ __atoe( lts.lt_dhfile );
+ }
++ if ( lts.lt_ecname ) {
++ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++ __atoe( lts.lt_ecname );
++ }
+ #endif
+ lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+ if ( lo->ldo_tls_ctx == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+@@ -256,8 +264,9 @@
+ LDAP_FREE( lts.lt_keyfile );
+ LDAP_FREE( lts.lt_crlfile );
+ LDAP_FREE( lts.lt_cacertdir );
+ LDAP_FREE( lts.lt_dhfile );
++ LDAP_FREE( lts.lt_ecname );
+ #endif
+ return rc;
+ }
+
+@@ -633,8 +642,12 @@
+ case LDAP_OPT_X_TLS_DHFILE:
+ *(char **)arg = lo->ldo_tls_dhfile ?
+ LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+ break;
++ case LDAP_OPT_X_TLS_ECNAME:
++ *(char **)arg = lo->ldo_tls_ecname ?
++ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++ break;
+ case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+ *(char **)arg = lo->ldo_tls_crlfile ?
+ LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+ break;
+@@ -752,8 +765,12 @@
+ case LDAP_OPT_X_TLS_DHFILE:
+ if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+ lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
++ case LDAP_OPT_X_TLS_ECNAME:
++ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ return 0;
+ case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+ if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+ lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+--- libraries/libldap/tls_o.c.orig
++++ libraries/libldap/tls_o.c
+@@ -295,12 +295,11 @@
+ tlso_report_error();
+ return -1;
+ }
+
+- if ( lo->ldo_tls_dhfile ) {
+- DH *dh = NULL;
++ if ( is_server && lo->ldo_tls_dhfile ) {
++ DH *dh;
+ BIO *bio;
+- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+
+ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use DH parameters file `%s'.\n",
+@@ -317,8 +316,40 @@
+ return -1;
+ }
+ BIO_free( bio );
+ SSL_CTX_set_tmp_dh( ctx, dh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++ DH_free( dh );
++ }
++
++ if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
++ return -1;
++#else
++ EC_KEY *ecdh;
++
++ int nid = OBJ_sn2nid( lt->lt_ecname );
++ if ( nid == NID_undef ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ ecdh = EC_KEY_new_by_curve_name( nid );
++ if ( ecdh == NULL ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not generate key for EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++ EC_KEY_free( ecdh );
++#endif
+ }
+
+ if ( tlso_opt_trace ) {
+ SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+--- servers/slapd/bconfig.c.orig
++++ servers/slapd/bconfig.c
+@@ -193,8 +193,9 @@
+ CFG_SYNTAX,
+ CFG_ACL_ADD,
+ CFG_SYNC_SUBENTRY,
+ CFG_LTHREADS,
++ CFG_TLS_ECNAME,
+
+ CFG_LAST
+ };
+
+@@ -737,8 +738,16 @@
+ ARG_IGNORED, NULL,
+ #endif
+ "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++ { "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++ ARG_IGNORED, NULL,
++#endif
++ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "TLSProtocolMin", NULL, 2, 2, 0,
+ #ifdef HAVE_TLS
+ CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+ #else
+@@ -818,9 +827,9 @@
+ "olcTCPBuffer $ "
+ "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+ "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+ "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+ "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+ "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+ "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+ { "( OLcfgGlOc:2 "
+@@ -3823,8 +3832,9 @@
+ case CFG_TLS_CERT_KEY: flag = LDAP_OPT_X_TLS_KEYFILE; break;
+ case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
+ case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
+ case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
++ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
+ #ifdef HAVE_GNUTLS
+ case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
+ #endif
+ default: Debug(LDAP_DEBUG_ANY, "%s: "