Apply fix from https://bugzilla.redhat.com/show_bug.cgi?id=1238322

Incorrect multi-keyword mode cipherstring parsing.
Fixes CVE-2015-3276.
Submitted upstream as ITS#8543, it apparently wasn't already(!)
http://www.openldap.org/its/index.cgi/Incoming?id=8543

Bump PKGREVISION for both openldap, openldap-server and openldap-client
(to be on the safe side...)

3 files changed, 48 insertions, 3 deletions

diff --git a/databases/openldap/Makefile b/databases/openldap/Makefile
index d1c2dc4a7bb..ad6027ecd5d 100644
--- a/databases/openldap/Makefile
+++ b/databases/openldap/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.145 2016/03/05 11:28:12 jperkin Exp $
+# $NetBSD: Makefile,v 1.146 2016/12/13 10:38:06 he Exp $
 
-PKGREVISION= 1
+PKGREVISION= 2
 .include "../../databases/openldap/Makefile.version"
 
 DISTNAME=	openldap-${OPENLDAP_VERSION}
diff --git a/databases/openldap/distinfo b/databases/openldap/distinfo
index f48dffcf017..9c98acd8e7b 100644
--- a/databases/openldap/distinfo
+++ b/databases/openldap/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.107 2016/10/30 05:04:09 manu Exp $
+$NetBSD: distinfo,v 1.108 2016/12/13 10:38:06 he Exp $
 
 SHA1 (openldap-2.4.44.tgz) = 016a738d050a68d388602a74b5e991035cdba149
 RMD160 (openldap-2.4.44.tgz) = 6ea3139f630e93c6e0af60638672d88d6c535a6a
@@ -22,4 +22,5 @@ SHA1 (patch-dd) = 9c74118ff0b2232bda729c9917082fceef41dd16
 SHA1 (patch-its7506) = a50f9428d6d7dd28f71d21e11ae3f8b0f1372f75
 SHA1 (patch-its7595) = 9ea396adb7f2fd572d60190534caa80a01ef79d2
 SHA1 (patch-libraries_libldap_os-local.c) = 7cd4f8638456fae12499de0d36d7802e47d3d688
+SHA1 (patch-libraries_libldap_tls__m.c) = 91dab1dcfa6560c30093094586ea9eabf2e977b8
 SHA1 (patch-libraries_liblmdb_mdb.c) = 590a059d784687f678ac44a577770551b11a2be5
diff --git a/databases/openldap/patches/patch-libraries_libldap_tls__m.c b/databases/openldap/patches/patch-libraries_libldap_tls__m.c
new file mode 100644
index 00000000000..c213793555d
--- /dev/null
+++ b/databases/openldap/patches/patch-libraries_libldap_tls__m.c
@@ -0,0 +1,44 @@
+$NetBSD: patch-libraries_libldap_tls__m.c,v 1.1 2016/12/13 10:38:06 he Exp $
+
+Incorrect multi-keyword mode cipherstring parsing.
+Lifted from https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+Fixes CVE-2015-3276.
+Submitted upstream as ITS#8543
+http://www.openldap.org/its/index.cgi/Incoming?id=8543
+
+--- libraries/libldap/tls_m.c.orig	2016-02-05 23:57:45.000000000 +0000
++++ libraries/libldap/tls_m.c
+@@ -621,17 +621,23 @@ nss_parse_ciphers(const char *cipherstr,
+ 			 */
+ 			if (mask || strength || protocol) {
+ 				for (i=0; i<ciphernum; i++) {
+-					if (((ciphers_def[i].attr & mask) ||
+-						 (ciphers_def[i].strength & strength) ||
+-						 (ciphers_def[i].version & protocol)) &&
+-						(cipher_list[i] != -1)) {
+-						/* Enable the NULL ciphers only if explicity
+-						 * requested */
+-						if (ciphers_def[i].attr & SSL_eNULL) {
+-							if (mask & SSL_eNULL)
+-								cipher_list[i] = action;
+-						} else
++					/* if more than one mask is provided
++					 * then AND logic applies (to match openssl)
++					 */
++					if ( cipher_list[i] == -1) )
++						continue;
++					if ( mask && ! (ciphers_def[i].attr & mask) )
++						continue;
++					if ( strength && ! (ciphers_def[i].strength & strength) )
++						continue;
++					if ( protocol && ! (ciphers_def[i].version & protocol) )
++						continue;
++					/* Enable the NULL ciphers only if explicity requested */
++					if (ciphers_def[i].attr & SSL_eNULL) {
++						if (mask & SSL_eNULL)
+ 							cipher_list[i] = action;
++					} else
++						cipher_list[i] = action;
+ 					}
+ 				}
+ 			} else {