author | adam <adam> | 2017-06-02 08:29:56 +0000 |
---|---|---|
committer | adam <adam> | 2017-06-02 08:29:56 +0000 |
commit | 614d11137a5a654570c70ffe9e914d94bcf02693 (patch) | |
tree | 9d8208e7fcb33259256b4b9ab978eb3b3fcf24c5 /databases/openldap | |
parent | b60f1b36e5abfc4109ee065f877fd9ff5e55e03e (diff) | |
download | pkgsrc-614d11137a5a654570c70ffe9e914d94bcf02693.tar.gz |
OpenLDAP 2.4.45 Release (2017/06/01)
Added slapd support for OpenSSL 1.1.0 series (ITS-8353, ITS-8533, ITS-8634)
Fixed libldap to fail ldap_result if the handle is already bad (ITS-8585)
Fixed libldap to expose error if user specified CA doesn't exist (ITS-8529)
Fixed libldap handling of Diffie-Hellman parameters (ITS-7506)
Fixed libldap GnuTLS use after free (ITS-8385)
Fixed libldap SASL initialization (ITS-8648)
Fixed slapd bconfig rDN escape handling (ITS-8574)
Fixed slapd segfault with invalid hostname (ITS-8631)
Fixed slapd sasl SEGV rebind in same session (ITS-8568)
Fixed slapd syncrepl filter handling (ITS-8413)
Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS-8432)
Fixed slapd callback struct so older modules without writewait should function.
Custom modules may need to be updated for sc_writewait callback (ITS-8435)
Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS-8576)
Fixed slapd-mdb so it passes ITS6794 regression test (ITS-6794)
Fixed slapd-mdb double free with size zero paged result (ITS-8655)
Fixed slapd-meta uninitialized diagnostic message (ITS-8442)
Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS-8423)
Fixed slapo-accesslog with multiple modifications to the same attribute (ITS-6545)
Fixed slapo-relay to correctly initialize sc_writewait (ITS-8428)
Fixed slapo-sssvlv double free (ITS-8592)
Fixed slapo-unique with empty modifications (ITS-8266)
Build Environment
Added test065 for proxyauthz (ITS-8571)
Fix test008 to be portable (ITS-8414)
Fix test064 to wait for slapd to start (ITS-8644)
Fix its4336 regression test (ITS-8534)
Fix its4337 regression test (ITS-8535)
Fix regression tests to execute on all backends (ITS-8539)
Contrib
Added slapo-autogroup(5) man page (ITS-8569)
Added passwd missing conversion scripts for apr1 (ITS-6826)
Fixed contrib modules where the writewait callback was not correctly initialized (ITS-8435)
Fixed smbk5pwd to build with newer OpenSSL releases (ITS-8525)
Documentation
admin24 fixed tls_cipher_suite bindconf option (ITS-8099)
admin24 fixed typo cn=config to be slapd.d (ITS-8449)
admin24 fixed slapo-syncprov information to be current (ITS-8253)
admin24 fixed typo in access control docs (ITS-7341, ITS-8391)
admin24 fixed minor typo in tuning guide (ITS-8499)
admin24 fixed information about the limits option (ITS-7700)
admin24 fixed missing options for syncrepl configuration (ITS-7700)
admin24 fixed accesslog documentation to note it should not be replicated (ITS-8344)
Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS-7177)
Fixed ldapsearch(1) information on the V[V] flag behavior (ITS-7177, ITS-6339)
Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS-8538)
Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS-8635)
Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS-8123)
Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS-8565)
Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS-8613)
Fixed slapo-syncprov(5) documentation to be current (ITS-8253)
Fixed slapadd(8) manpage to note slapd-mdb (ITS-8215)
Fixed various minor grammar issues in the man pages (ITS-8544)
Fixed various typos (ITS-8587)
Diffstat (limited to 'databases/openldap')

mode | file | lines changed
---|---|---
-rw-r--r-- | databases/openldap/Makefile | 3
-rw-r--r-- | databases/openldap/Makefile.version | 4
-rw-r--r-- | databases/openldap/distinfo | 17
-rw-r--r-- | databases/openldap/patches/patch-ag | 18
-rw-r--r-- | databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c | 54
-rw-r--r-- | databases/openldap/patches/patch-its7506 | 222
-rw-r--r-- | databases/openldap/patches/patch-its7595 | 78
-rw-r--r-- | databases/openldap/patches/patch-libraries_liblmdb_mdb.c | 39

8 files changed, 47 insertions, 388 deletions
diff --git a/databases/openldap/Makefile b/databases/openldap/Makefile index ad6027ecd5d..d34e0d7da76 100644 --- a/databases/openldap/Makefile +++ b/databases/openldap/Makefile @@ -1,6 +1,5 @@ -# $NetBSD: Makefile,v 1.146 2016/12/13 10:38:06 he Exp $ +# $NetBSD: Makefile,v 1.147 2017/06/02 08:29:56 adam Exp $ -PKGREVISION= 2 .include "../../databases/openldap/Makefile.version" DISTNAME= openldap-${OPENLDAP_VERSION} diff --git a/databases/openldap/Makefile.version b/databases/openldap/Makefile.version index 6adfb9acd5c..1cbccff0736 100644 --- a/databases/openldap/Makefile.version +++ b/databases/openldap/Makefile.version @@ -1,6 +1,6 @@ -# $NetBSD: Makefile.version,v 1.13 2016/02/07 08:42:59 adam Exp $ +# $NetBSD: Makefile.version,v 1.14 2017/06/02 08:29:56 adam Exp $ # used by databases/openldap/Makefile # used by databases/openldap/Makefile.common # used by databases/openldap-docs/Makefile -OPENLDAP_VERSION= 2.4.44 +OPENLDAP_VERSION= 2.4.45 diff --git a/databases/openldap/distinfo b/databases/openldap/distinfo index 9c98acd8e7b..533c6a78e8a 100644 --- a/databases/openldap/distinfo +++ b/databases/openldap/distinfo 
@@ -1,26 +1,23 @@ -$NetBSD: distinfo,v 1.108 2016/12/13 10:38:06 he Exp $ +$NetBSD: distinfo,v 1.109 2017/06/02 08:29:56 adam Exp $ -SHA1 (openldap-2.4.44.tgz) = 016a738d050a68d388602a74b5e991035cdba149 -RMD160 (openldap-2.4.44.tgz) = 6ea3139f630e93c6e0af60638672d88d6c535a6a -SHA512 (openldap-2.4.44.tgz) = 132eb81798f59a364c9246d08697e1c7ebb6c2c3b983f786b14ec0233df09696cbad33a1f35f3076348b5efb77665a076ab854a24122c31e8b58310b7c7fd136 -Size (openldap-2.4.44.tgz) = 5658830 bytes +SHA1 (openldap-2.4.45.tgz) = c98437385d3eaee80c9e2c09f3f0d4b7c140233d +RMD160 (openldap-2.4.45.tgz) = a2f4483ffb958cc103a2aa0fb13c1f78e7951263 +SHA512 (openldap-2.4.45.tgz) = 1c9fc84efed8998f107ce6e1c6be3f5466388241afdca0cb3847720c9def0bc263a2dbc15bf0f9112d1b4c391fd01e8531a4fb08c5532c30fb86924c08daedab +Size (openldap-2.4.45.tgz) = 5672845 bytes SHA1 (patch-ac) = 2995c518278b363bf9657e181c2340d3024d5980 SHA1 (patch-ad) = 24e7ec27d592dd76bdec1e4805801c5304951daf SHA1 (patch-af) = 2e00b01bd813e73bdc1fb764a02e98d7755703de -SHA1 (patch-ag) = ec8581f7145ba47712be65f97051ffd2d7299896 +SHA1 (patch-ag) = 380336d8b50dd6b3a277f2ea6a03eb88cc5919b8 SHA1 (patch-ah) = 7b5a9d042df36f17bcb503372e301a0c6554af68 SHA1 (patch-aj) = 857bbf14855d7d2a2911457bc6373d8beb69b751 SHA1 (patch-am) = fb8f3e7699f8b2ef55c066cdc6216522c101c7f3 SHA1 (patch-an) = 3e904d05a3e69930259329ca821d3bbf7dd54eb2 SHA1 (patch-ao) = 4fcbbfd4d6be792392e3646123022aeaf25923e3 -SHA1 (patch-contrib_modules_smbk5pwd-smbk5pwd.c) = c31fc75f94778c93dfb20e7b7fc6ab8c74212942 SHA1 (patch-contrib_slapd-modules_cloak_Makefile) = 47c81def0c013a360acb549ed69e9042f0bc1be3 SHA1 (patch-contrib_slapd-modules_nops_Makefile) = c51bccf34c3f3112232a134038622d31b6315628 SHA1 (patch-contrib_slapd-modules_nops_slapo-nops.5) = f32352f19361b7e9aa5b038ae8578def7c08fa47 SHA1 (patch-da) = 75e26bd08c6e66b69192ebfbb36db974d391ec3e SHA1 (patch-dd) = 9c74118ff0b2232bda729c9917082fceef41dd16 -SHA1 (patch-its7506) = a50f9428d6d7dd28f71d21e11ae3f8b0f1372f75 -SHA1 
(patch-its7595) = 9ea396adb7f2fd572d60190534caa80a01ef79d2 +SHA1 (patch-its7595) = 941b055bb5ac1f963b9d39384d3627a32f531cf1 SHA1 (patch-libraries_libldap_os-local.c) = 7cd4f8638456fae12499de0d36d7802e47d3d688 SHA1 (patch-libraries_libldap_tls__m.c) = 91dab1dcfa6560c30093094586ea9eabf2e977b8 -SHA1 (patch-libraries_liblmdb_mdb.c) = 590a059d784687f678ac44a577770551b11a2be5 diff --git a/databases/openldap/patches/patch-ag b/databases/openldap/patches/patch-ag index 08cf76f1b7a..a2cabc6eabc 100644 --- a/databases/openldap/patches/patch-ag +++ b/databases/openldap/patches/patch-ag @@ -1,6 +1,9 @@ -$NetBSD: patch-ag,v 1.7 2012/03/13 19:57:11 adam Exp $ +$NetBSD: patch-ag,v 1.8 2017/06/02 08:29:56 adam Exp $ ---- servers/slapd/Makefile.in.orig 2007-02-14 16:59:43.000000000 +0100 +slapd must be installed unstripped: on some platorms (Darwin) tcp_wrappers' + variable called "allow_severity" must not be stripped away. + +--- servers/slapd/Makefile.in.orig 2016-02-05 23:57:45.000000000 +0000 +++ servers/slapd/Makefile.in @@ -76,6 +76,10 @@ XLIBS = $(SLAPD_STATIC_DEPENDS) $(SLAPD_ XXLIBS = $(SLAPD_LIBS) $(SECURITY_LIBS) $(LUTIL_LIBS) @@ -13,7 +16,16 @@ $NetBSD: patch-ag,v 1.7 2012/03/13 19:57:11 adam Exp $ BUILD_OPT = "--enable-slapd" BUILD_SRV = @BUILD_SLAPD@ -@@ -441,9 +445,7 @@ install-db-config: FORCE +@@ -378,7 +382,7 @@ install-local-srv: install-slapd install + install-slapd: FORCE + -$(MKDIR) $(DESTDIR)$(libexecdir) + -$(MKDIR) $(DESTDIR)$(localstatedir)/run +- $(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \ ++ $(LTINSTALL) $(INSTALLFLAGS) -m 755 \ + slapd$(EXEEXT) $(DESTDIR)$(libexecdir) + @for i in $(SUBDIRS); do \ + if test -d $$i && test -f $$i/Makefile ; then \ +@@ -447,9 +451,7 @@ install-db-config: FORCE @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ 
diff --git a/databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c b/databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c deleted file mode 100644 index 2e7f48928df..00000000000 --- a/databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c +++ /dev/null 
@@ -1,54 +0,0 @@ -$NetBSD: patch-contrib_modules_smbk5pwd-smbk5pwd.c,v 1.1 2016/10/30 05:04:09 manu Exp $ - -Submitted upstream as ITS#8525 -http://www.openldap.org/its/index.cgi/Incoming?id=8525 - -From 1aad89bbdd1f58f3b2d794067cc8c4a60876f584 Mon Sep 17 00:00:00 2001 -From: Emmanuel Dreyfus <manu@netbsd.org> -Date: Sun, 30 Oct 2016 05:34:58 +0100 -Subject: [PATCH] Use newer DES API so that smbk5pwd loads with newer OpenSSL - -OpenSSL removed old DES API which used des_* functions. -https://github.com/openssl/openssl/commit/24956ca00f014a917fb181a8abc39b349f3f316f - -In order to link with libcrypto from recent OpenSSL releases, we need -to replace the older API des_* functions by the newer API DES_* functions. - -Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org> ---- - contrib/slapd-modules/smbk5pwd/smbk5pwd.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git contrib/slapd-modules/smbk5pwd/smbk5pwd.c contrib/slapd-modules/smbk5pwd/smbk5pwd.c -index bec5e1b..97e0055 100644 ---- contrib/slapd-modules/smbk5pwd/smbk5pwd.c -+++ contrib/slapd-modules/smbk5pwd/smbk5pwd.c -@@ -154,7 +154,7 @@ static void lmPasswd_to_key( - k[7] = ((lpw[6]&0x7F)<<1); - - #ifdef HAVE_OPENSSL -- des_set_odd_parity( key ); -+ DES_set_odd_parity( key ); - #endif - } - -@@ -210,12 +210,12 @@ static void lmhash( - des_set_key( &ctx, key ); - des_encrypt( &ctx, sizeof(key), hbuf[1], StdText ); - #elif defined(HAVE_OPENSSL) -- des_set_key_unchecked( &key, schedule ); -- des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT ); -+ DES_set_key_unchecked( &key, &schedule ); -+ DES_ecb_encrypt( &StdText, &hbuf[0], &schedule , DES_ENCRYPT ); - - lmPasswd_to_key( &UcasePassword[7], &key ); -- des_set_key_unchecked( &key, schedule ); -- des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT ); -+ DES_set_key_unchecked( &key, &schedule ); -+ DES_ecb_encrypt( &StdText, &hbuf[1], &schedule , DES_ENCRYPT ); - #endif - - hexify( (char *)hbuf, hash ); --- -2.3.2 - 
diff --git a/databases/openldap/patches/patch-its7506 b/databases/openldap/patches/patch-its7506 deleted file mode 100644 index aad3ba86b60..00000000000 --- a/databases/openldap/patches/patch-its7506 +++ /dev/null 
@@ -1,222 +0,0 @@ -$NetBSD: patch-its7506,v 1.1 2015/07/15 16:33:57 manu Exp $ - -Upstream fix for ignored TLSDHParamFile option - -From 6f120920d359d3b880c5c56bde4c1b91c3bedb01 Mon Sep 17 00:00:00 2001 -From: Ben Jencks <ben@bjencks.net> -Date: Sun, 27 Jan 2013 18:27:03 -0500 -Subject: [PATCH] ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. - -If a DHParamFile or olcDHParamFile is specified, then it will be used, -otherwise a hardcoded 1024 bit parameter will be used. This allows the use of -larger parameters; previously only 512 or 1024 bit parameters would ever be -used. - -From cfeb28412c28ce9feeea6e6c055286f201bd0a34 Mon Sep 17 00:00:00 2001 -From: Howard Chu <hyc@openldap.org> -Date: Sat, 7 Sep 2013 06:39:53 -0700 -Subject: [PATCH] ITS#7506 fix prev commit - -The patch unconditionally enabled DHparams, which is a significant -change of behavior. Reverting to previous behavior, which only enables -DH use if a DHparam file was configured. - ---- libraries/libldap/tls_o.c.orig 2015-07-15 18:14:17.000000000 +0200 -+++ libraries/libldap/tls_o.c 2015-07-15 18:14:41.000000000 +0200 -@@ -58,26 +58,15 @@ - static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); - static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); - static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); - --static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); -- --typedef struct dhplist { -- struct dhplist *next; -- int keylength; -- DH *param; --} dhplist; -- --static dhplist *tlso_dhparams; -- - static int tlso_seed_PRNG( const char *randfile ); - - #ifdef LDAP_R_COMPILE - /* - * provide mutexes for the OpenSSL library. 
- */ - static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS]; --static ldap_pvt_thread_mutex_t tlso_dh_mutex; - - static void tlso_locking_cb( int mode, int type, const char *file, int line ) - { - if ( mode & CRYPTO_LOCK ) { -@@ -106,9 +95,8 @@ - - for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { - ldap_pvt_thread_mutex_init( &tlso_mutexes[i] ); - } -- ldap_pvt_thread_mutex_init( &tlso_dh_mutex ); - CRYPTO_set_locking_callback( tlso_locking_cb ); - CRYPTO_set_id_callback( tlso_thread_self ); - } - #endif /* LDAP_R_COMPILE */ -@@ -310,27 +298,27 @@ - - if ( lo->ldo_tls_dhfile ) { - DH *dh = NULL; - BIO *bio; -- dhplist *p; -+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); - - if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not use DH parameters file `%s'.\n", - lo->ldo_tls_dhfile,0,0); - tlso_report_error(); - return -1; - } -- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { -- p = LDAP_MALLOC( sizeof(dhplist) ); -- if ( p != NULL ) { -- p->keylength = DH_size( dh ) * 8; -- p->param = dh; -- p->next = tlso_dhparams; -- tlso_dhparams = p; -- } -+ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not read DH parameters file `%s'.\n", -+ lo->ldo_tls_dhfile,0,0); -+ tlso_report_error(); -+ BIO_free( bio ); -+ return -1; - } - BIO_free( bio ); -+ SSL_CTX_set_tmp_dh( ctx, dh ); - } - - if ( tlso_opt_trace ) { - SSL_CTX_set_info_callback( ctx, tlso_info_cb ); -@@ -348,11 +336,8 @@ - SSL_CTX_set_verify( ctx, i, - lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? 
- tlso_verify_ok : tlso_verify_cb ); - SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); -- if ( lo->ldo_tls_dhfile ) { -- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb ); -- } - #ifdef HAVE_OPENSSL_CRL - if ( lo->ldo_tls_crlcheck ) { - X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); - if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) { -@@ -1159,110 +1144,8 @@ - - return 0; - } - --struct dhinfo { -- int keylength; -- const char *pem; -- size_t size; --}; -- -- --/* From the OpenSSL 0.9.7 distro */ --static const char tlso_dhpem512[] = --"-----BEGIN DH PARAMETERS-----\n\ --MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\ --a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\ -------END DH PARAMETERS-----\n"; -- --static const char tlso_dhpem1024[] = --"-----BEGIN DH PARAMETERS-----\n\ --MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ --/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ --/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ -------END DH PARAMETERS-----\n"; -- --static const char tlso_dhpem2048[] = --"-----BEGIN DH PARAMETERS-----\n\ --MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\ --AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\ --z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\ --pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\ --aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\ --Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\ -------END DH PARAMETERS-----\n"; -- --static const char tlso_dhpem4096[] = --"-----BEGIN DH PARAMETERS-----\n\ --MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\ --vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\ --TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\ --bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\ --rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\ 
--EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\ --bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\ --W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\ --ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\ --NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\ --jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\ -------END DH PARAMETERS-----\n"; -- --static const struct dhinfo tlso_dhpem[] = { -- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, -- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, -- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, -- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, -- { 0, NULL, 0 } --}; -- --static DH * --tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) --{ -- struct dhplist *p = NULL; -- BIO *b = NULL; -- DH *dh = NULL; -- int i; -- -- /* Do we have params of this length already? */ -- LDAP_MUTEX_LOCK( &tlso_dh_mutex ); -- for ( p = tlso_dhparams; p; p=p->next ) { -- if ( p->keylength == key_length ) { -- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); -- return p->param; -- } -- } -- -- /* No - check for hardcoded params */ -- -- for (i=0; tlso_dhpem[i].keylength; i++) { -- if ( tlso_dhpem[i].keylength == key_length ) { -- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size ); -- break; -- } -- } -- -- if ( b ) { -- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL ); -- BIO_free( b ); -- } -- -- /* Generating on the fly is expensive/slow... */ -- if ( !dh ) { -- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL ); -- } -- if ( dh ) { -- p = LDAP_MALLOC( sizeof(struct dhplist) ); -- if ( p != NULL ) { -- p->keylength = key_length; -- p->param = dh; -- p->next = tlso_dhparams; -- tlso_dhparams = p; -- } -- } -- -- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); -- return dh; --} - - tls_impl ldap_int_tls_impl = { - "OpenSSL", - 
diff --git a/databases/openldap/patches/patch-its7595 b/databases/openldap/patches/patch-its7595 index 69e7a7eb2f2..90f5e4b7ff3 100644 --- a/databases/openldap/patches/patch-its7595 +++ b/databases/openldap/patches/patch-its7595 @@ -1,4 +1,4 @@ -$NetBSD: patch-its7595,v 1.1 2015/09/14 16:32:26 manu Exp $ +$NetBSD: patch-its7595,v 1.2 2017/06/02 08:29:56 adam Exp $ ECDH support from upstream @@ -19,10 +19,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it --- doc/guide/admin/tls.sdf.orig +++ doc/guide/admin/tls.sdf -@@ -200,8 +200,20 @@ - > openssl dhparam [-dsaparam] -out <filename> <numbits> +@@ -203,6 +203,18 @@ - This directive is ignored with GnuTLS and Mozilla NSS. + This directive is ignored with Mozilla NSS. +H4: TLSECName <name> + @@ -39,12 +38,10 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it H4: TLSVerifyClient { never | allow | try | demand } This directive specifies what checks to perform on client certificates - in an incoming TLS session, if any. This option is set to {{EX:never}} --- doc/man/man5/slapd-config.5.orig +++ doc/man/man5/slapd-config.5 -@@ -917,8 +917,15 @@ - from the default, otherwise no certificate exchanges or verification will - be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly +@@ -922,6 +922,13 @@ + When using Mozilla NSS these parameters are always generated randomly so this directive is ignored. .TP +.B olcTLSECName: <name> 
@@ -57,13 +54,11 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it .B olcTLSProtocolMin: <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, - the SSL handshake will fail. --- doc/man/man5/slapd.conf.5.orig +++ doc/man/man5/slapd.conf.5 -@@ -1148,8 +1148,15 @@ - from the default, otherwise no certificate exchanges or verification will - be done. When using GnuTLS these parameters are always generated randomly so - this directive is ignored. This directive is ignored when using Mozilla NSS. +@@ -1153,6 +1153,13 @@ + When using Mozilla NSS these parameters are always generated randomly + so this directive is ignored. .TP +.B TLSECName <name> +Specify the name of a curve to use for Elliptic curve Diffie-Hellman @@ -75,11 +70,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it .B TLSProtocolMin <major>[.<minor>] Specifies minimum SSL/TLS protocol version that will be negotiated. If the server doesn't support at least that version, - the SSL handshake will fail. --- include/ldap.h.orig +++ include/ldap.h -@@ -157,8 +157,9 @@ - #define LDAP_OPT_X_TLS_DHFILE 0x600e +@@ -158,6 +158,7 @@ #define LDAP_OPT_X_TLS_NEWCTX 0x600f #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ #define LDAP_OPT_X_TLS_PACKAGE 0x6011 @@ -87,11 +80,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it #define LDAP_OPT_X_TLS_NEVER 0 #define LDAP_OPT_X_TLS_HARD 1 - #define LDAP_OPT_X_TLS_DEMAND 2 --- libraries/libldap/ldap-int.h.orig +++ libraries/libldap/ldap-int.h -@@ -164,8 +164,9 @@ - char *lt_cacertdir; +@@ -165,6 +165,7 @@ char *lt_ciphersuite; char *lt_crlfile; char *lt_randfile; /* OpenSSL only */ 
@@ -99,9 +90,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it int lt_protocol_min; }; #endif - -@@ -249,8 +250,9 @@ - struct ldaptls ldo_tls_info; +@@ -250,6 +251,7 @@ #define ldo_tls_certfile ldo_tls_info.lt_certfile #define ldo_tls_keyfile ldo_tls_info.lt_keyfile #define ldo_tls_dhfile ldo_tls_info.lt_dhfile @@ -109,11 +98,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite - #define ldo_tls_protocol_min ldo_tls_info.lt_protocol_min --- libraries/libldap/tls2.c.orig +++ libraries/libldap/tls2.c -@@ -117,8 +117,12 @@ - if ( lo->ldo_tls_dhfile ) { +@@ -118,6 +118,10 @@ LDAP_FREE( lo->ldo_tls_dhfile ); lo->ldo_tls_dhfile = NULL; } @@ -124,9 +111,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it if ( lo->ldo_tls_cacertfile ) { LDAP_FREE( lo->ldo_tls_cacertfile ); lo->ldo_tls_cacertfile = NULL; - } -@@ -231,8 +235,12 @@ - if ( lts.lt_dhfile ) { +@@ -232,6 +236,10 @@ lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile ); __atoe( lts.lt_dhfile ); } @@ -137,9 +122,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it #endif lo->ldo_tls_ctx = ti->ti_ctx_new( lo ); if ( lo->ldo_tls_ctx == NULL ) { - Debug( LDAP_DEBUG_ANY, -@@ -256,8 +264,9 @@ - LDAP_FREE( lts.lt_keyfile ); +@@ -257,6 +265,7 @@ LDAP_FREE( lts.lt_crlfile ); LDAP_FREE( lts.lt_cacertdir ); LDAP_FREE( lts.lt_dhfile ); @@ -147,9 +130,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it #endif return rc; } - -@@ -633,8 +642,12 @@ - case LDAP_OPT_X_TLS_DHFILE: +@@ -634,6 +643,10 @@ *(char **)arg = lo->ldo_tls_dhfile ? LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; break; 
@@ -160,9 +141,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ *(char **)arg = lo->ldo_tls_crlfile ? LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; - break; -@@ -752,8 +765,12 @@ - case LDAP_OPT_X_TLS_DHFILE: +@@ -753,6 +766,10 @@ if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; return 0; @@ -173,11 +152,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; - return 0; --- libraries/libldap/tls_o.c.orig +++ libraries/libldap/tls_o.c -@@ -295,12 +295,11 @@ - tlso_report_error(); +@@ -327,10 +327,9 @@ return -1; } @@ -190,9 +167,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { Debug( LDAP_DEBUG_ANY, - "TLS: could not use DH parameters file `%s'.\n", -@@ -317,8 +316,40 @@ - return -1; +@@ -349,6 +348,38 @@ } BIO_free( bio ); SSL_CTX_set_tmp_dh( ctx, dh ); @@ -231,11 +206,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it } if ( tlso_opt_trace ) { - SSL_CTX_set_info_callback( ctx, tlso_info_cb ); --- servers/slapd/bconfig.c.orig +++ servers/slapd/bconfig.c -@@ -193,8 +193,9 @@ - CFG_SYNTAX, +@@ -194,6 +194,7 @@ CFG_ACL_ADD, CFG_SYNC_SUBENTRY, CFG_LTHREADS, @@ -243,9 +216,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it CFG_LAST }; - -@@ -737,8 +738,16 @@ - ARG_IGNORED, NULL, +@@ -738,6 +739,14 @@ #endif "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, 
@@ -260,9 +231,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it { "TLSProtocolMin", NULL, 2, 2, 0, #ifdef HAVE_TLS CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config, - #else -@@ -818,9 +827,9 @@ - "olcTCPBuffer $ " +@@ -819,7 +828,7 @@ "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ " "olcTLSCACertificatePath $ olcTLSCertificateFile $ " "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ " @@ -271,9 +240,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ " "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ " "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global }, - { "( OLcfgGlOc:2 " -@@ -3823,8 +3832,9 @@ - case CFG_TLS_CERT_KEY: flag = LDAP_OPT_X_TLS_KEYFILE; break; +@@ -3824,6 +3833,7 @@ case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break; case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break; case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break; @@ -281,4 +248,3 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it #ifdef HAVE_GNUTLS case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break; #endif - default: Debug(LDAP_DEBUG_ANY, "%s: " diff --git a/databases/openldap/patches/patch-libraries_liblmdb_mdb.c b/databases/openldap/patches/patch-libraries_liblmdb_mdb.c deleted file mode 100644 index e30d5d6b87e..00000000000 --- a/databases/openldap/patches/patch-libraries_liblmdb_mdb.c +++ /dev/null 
@@ -1,39 +0,0 @@ -$NetBSD: patch-libraries_liblmdb_mdb.c,v 1.1 2016/06/17 14:01:58 jperkin Exp $ - -Apply https://www.gulag.ch/www/download/0001-Solaris-robust-mutex-fix.patch - ---- libraries/liblmdb/mdb.c.orig 2016-02-05 23:57:45.000000000 +0000 -+++ libraries/liblmdb/mdb.c -@@ -257,7 +257,7 @@ typedef SSIZE_T ssize_t; - # else - # define MDB_USE_ROBUST 1 - /* glibc < 2.12 only provided _np API */ --# if defined(__GLIBC__) && GLIBC_VER < 0x02000c -+# if (defined(__GLIBC__) && GLIBC_VER < 0x02000a) || defined(__SunOS_5_10) - # define PTHREAD_MUTEX_ROBUST PTHREAD_MUTEX_ROBUST_NP - # define pthread_mutexattr_setrobust(attr, flag) pthread_mutexattr_setrobust_np(attr, flag) - # define pthread_mutex_consistent(mutex) pthread_mutex_consistent_np(mutex) -@@ -4623,10 +4623,21 @@ mdb_env_setup_locks(MDB_env *env, char * - || (rc = pthread_mutexattr_setpshared(&mattr, PTHREAD_PROCESS_SHARED)) - #ifdef MDB_ROBUST_SUPPORTED - || (rc = pthread_mutexattr_setrobust(&mattr, PTHREAD_MUTEX_ROBUST)) --#endif -+#else -+ #ifndef __sun - || (rc = pthread_mutex_init(env->me_txns->mti_rmutex, &mattr)) -- || (rc = pthread_mutex_init(env->me_txns->mti_wmutex, &mattr))) -+ || (rc = pthread_mutex_init(env->me_txns->mti_wmutex, &mattr)) -+ #endif -+#endif -+ ) { - goto fail; -+ } -+ #ifdef __sun -+ rc = pthread_mutex_init(env->me_txns->mti_rmutex, &mattr); -+ if (!(rc == EBUSY || rc == EINVAL)) goto fail; -+ rc = pthread_mutex_init(env->me_txns->mti_wmutex, &mattr); -+ if (!(rc == EBUSY || rc == EINVAL)) goto fail; -+ #endif - pthread_mutexattr_destroy(&mattr); - #endif /* _WIN32 || MDB_USE_POSIX_SEM */ - |
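Review bot: the new explanatory header added to patch-ag misspells "platforms" as "platorms" (`slapd must be installed unstripped: on some platorms (Darwin) tcp_wrappers'`); since this text becomes the permanent rationale for dropping `$(STRIP)` from the `install-slapd` rule, fix the spelling and state plainly that stripping the binary removes the `allow_severity` symbol tcp_wrappers expects to find, rather than leaving that to be inferred from the second sentence.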
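Review bot: the deleted patch-contrib_modules_smbk5pwd-smbk5pwd.c was "Submitted upstream as ITS#8525" and the 2.4.45 changelog above lists "Fixed smbk5pwd to build with newer OpenSSL releases (ITS-8525)", so dropping it is justified, but the commit message says nothing about which local patches were removed or why. Add a line listing the three dropped patches (smbk5pwd, ITS#7506, liblmdb) and the upstream fix that supersedes each, so the next updater does not have to re-derive that from the distinfo diff.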
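Review bot: patch-its7506 carried two upstream commits, Ben Jencks' DH parameter fix and Howard Chu's follow-up ("ITS#7506 fix prev commit") that reverted to behaviour which "only enables DH use if a DHparam file was configured"; before deleting the local copy, confirm that the 2.4.45 tls_o.c contains the follow-up as well, otherwise the update silently reintroduces the unconditional-DHparams behaviour the second commit removed. The changelog entry "Fixed libldap handling of Diffie-Hellman parameters (ITS-7506)" does not say which revision was merged.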
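Review bot: patch-its7595 was regenerated against 2.4.45 with shifted offsets and shortened context (for example `@@ -295,12 +295,11 @@` became `@@ -327,10 +327,9 @@` in tls_o.c, and the context line "This directive is ignored with GnuTLS and Mozilla NSS." is now "This directive is ignored with Mozilla NSS."), yet the patch header still only says "ECDH support from upstream". Record the upstream commit or ITS state it tracks in the header, so that on the next update it is possible to tell whether the local TLSECName/olcTLSECName support has been merged and the patch can be dropped.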
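Review bot: the deletion of patch-libraries_liblmdb_mdb.c (the Solaris robust-mutex fix from gulag.ch, which adds the `|| defined(__SunOS_5_10)` condition and tolerates `EBUSY`/`EINVAL` from `pthread_mutex_init` under `#ifdef __sun` in `mdb_env_setup_locks`) has no matching entry in the 2.4.45 changelog above, unlike the other two dropped patches. Either the commit message should state that upstream liblmdb now handles this case, or the SunOS 5.10 build is being regressed without saying so; in the latter case the patch should be kept and regenerated against the new mdb.c rather than removed.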