diff options
-rw-r--r-- | databases/openldap-client/Makefile | 3 | ||||
-rw-r--r-- | databases/openldap/distinfo | 3 | ||||
-rw-r--r-- | databases/openldap/patches/patch-its7506 | 222 |
3 files changed, 226 insertions, 2 deletions
diff --git a/databases/openldap-client/Makefile b/databases/openldap-client/Makefile index 6ec24a31b9f..295bb0fcf1a 100644 --- a/databases/openldap-client/Makefile +++ b/databases/openldap-client/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.18 2014/10/01 08:32:31 adam Exp $ +# $NetBSD: Makefile,v 1.19 2015/07/15 16:33:57 manu Exp $ PKGNAME= ${DISTNAME:S/-/-client-/} +PKGREVISION= 1 COMMENT= Lightweight Directory Access Protocol libraries and client programs CONFLICTS+= openldap<2.3.23nb1 diff --git a/databases/openldap/distinfo b/databases/openldap/distinfo index a4bbd67ceeb..83a299f0626 100644 --- a/databases/openldap/distinfo +++ b/databases/openldap/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.97 2014/10/01 08:32:31 adam Exp $ +$NetBSD: distinfo,v 1.98 2015/07/15 16:33:57 manu Exp $ SHA1 (openldap-2.4.40.tgz) = 0cfac3b024b99de2e2456cc7254481b6644e0b96 RMD160 (openldap-2.4.40.tgz) = 38a914d785040730e9e595fe007ea4a0d0635344 @@ -18,4 +18,5 @@ SHA1 (patch-contrib_slapd-modules_nops_slapo-nops.5) = f32352f19361b7e9aa5b038ae SHA1 (patch-da) = 880b25a9266ee057f7269c5be46ef3c3fecf16b4 SHA1 (patch-dd) = 9c74118ff0b2232bda729c9917082fceef41dd16 SHA1 (patch-de) = f371fc2bd2534832bf57c363095eecacb5cb1fe3 +SHA1 (patch-its7506) = a50f9428d6d7dd28f71d21e11ae3f8b0f1372f75 SHA1 (patch-libraries_libldap_os-local.c) = 7cd4f8638456fae12499de0d36d7802e47d3d688 diff --git a/databases/openldap/patches/patch-its7506 b/databases/openldap/patches/patch-its7506 new file mode 100644 index 00000000000..aad3ba86b60 --- /dev/null +++ b/databases/openldap/patches/patch-its7506 @@ -0,0 +1,222 @@ +$NetBSD: patch-its7506,v 1.1 2015/07/15 16:33:57 manu Exp $ + +Upstream fix for ignored TLSDHParamFile option + +From 6f120920d359d3b880c5c56bde4c1b91c3bedb01 Mon Sep 17 00:00:00 2001 +From: Ben Jencks <ben@bjencks.net> +Date: Sun, 27 Jan 2013 18:27:03 -0500 +Subject: [PATCH] ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. + +If a DHParamFile or olcDHParamFile is specified, then it will be used, +otherwise a hardcoded 1024 bit parameter will be used. This allows the use of +larger parameters; previously only 512 or 1024 bit parameters would ever be +used. + +From cfeb28412c28ce9feeea6e6c055286f201bd0a34 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Sat, 7 Sep 2013 06:39:53 -0700 +Subject: [PATCH] ITS#7506 fix prev commit + +The patch unconditionally enabled DHparams, which is a significant +change of behavior. Reverting to previous behavior, which only enables +DH use if a DHparam file was configured. + +--- libraries/libldap/tls_o.c.orig 2015-07-15 18:14:17.000000000 +0200 ++++ libraries/libldap/tls_o.c 2015-07-15 18:14:41.000000000 +0200 +@@ -58,26 +58,15 @@ + static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); + static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); + static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); + +-static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); +- +-typedef struct dhplist { +- struct dhplist *next; +- int keylength; +- DH *param; +-} dhplist; +- +-static dhplist *tlso_dhparams; +- + static int tlso_seed_PRNG( const char *randfile ); + + #ifdef LDAP_R_COMPILE + /* + * provide mutexes for the OpenSSL library. + */ + static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS]; +-static ldap_pvt_thread_mutex_t tlso_dh_mutex; + + static void tlso_locking_cb( int mode, int type, const char *file, int line ) + { + if ( mode & CRYPTO_LOCK ) { +@@ -106,9 +95,8 @@ + + for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { + ldap_pvt_thread_mutex_init( &tlso_mutexes[i] ); + } +- ldap_pvt_thread_mutex_init( &tlso_dh_mutex ); + CRYPTO_set_locking_callback( tlso_locking_cb ); + CRYPTO_set_id_callback( tlso_thread_self ); + } + #endif /* LDAP_R_COMPILE */ +@@ -310,27 +298,27 @@ + + if ( lo->ldo_tls_dhfile ) { + DH *dh = NULL; + BIO *bio; +- dhplist *p; ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); + + if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use DH parameters file `%s'.\n", + lo->ldo_tls_dhfile,0,0); + tlso_report_error(); + return -1; + } +- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { +- p = LDAP_MALLOC( sizeof(dhplist) ); +- if ( p != NULL ) { +- p->keylength = DH_size( dh ) * 8; +- p->param = dh; +- p->next = tlso_dhparams; +- tlso_dhparams = p; +- } ++ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not read DH parameters file `%s'.\n", ++ lo->ldo_tls_dhfile,0,0); ++ tlso_report_error(); ++ BIO_free( bio ); ++ return -1; + } + BIO_free( bio ); ++ SSL_CTX_set_tmp_dh( ctx, dh ); + } + + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); +@@ -348,11 +336,8 @@ + SSL_CTX_set_verify( ctx, i, + lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? + tlso_verify_ok : tlso_verify_cb ); + SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); +- if ( lo->ldo_tls_dhfile ) { +- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb ); +- } + #ifdef HAVE_OPENSSL_CRL + if ( lo->ldo_tls_crlcheck ) { + X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); + if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) { +@@ -1159,110 +1144,8 @@ + + return 0; + } + +-struct dhinfo { +- int keylength; +- const char *pem; +- size_t size; +-}; +- +- +-/* From the OpenSSL 0.9.7 distro */ +-static const char tlso_dhpem512[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\ +-a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\ +------END DH PARAMETERS-----\n"; +- +-static const char tlso_dhpem1024[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ +-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ +-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ +------END DH PARAMETERS-----\n"; +- +-static const char tlso_dhpem2048[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\ +-AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\ +-z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\ +-pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\ +-aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\ +-Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\ +------END DH PARAMETERS-----\n"; +- +-static const char tlso_dhpem4096[] = +-"-----BEGIN DH PARAMETERS-----\n\ +-MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\ +-vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\ +-TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\ +-bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\ +-rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\ +-EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\ +-bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\ +-W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\ +-ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\ +-NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\ +-jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\ +------END DH PARAMETERS-----\n"; +- +-static const struct dhinfo tlso_dhpem[] = { +- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, +- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, +- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, +- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, +- { 0, NULL, 0 } +-}; +- +-static DH * +-tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) +-{ +- struct dhplist *p = NULL; +- BIO *b = NULL; +- DH *dh = NULL; +- int i; +- +- /* Do we have params of this length already? */ +- LDAP_MUTEX_LOCK( &tlso_dh_mutex ); +- for ( p = tlso_dhparams; p; p=p->next ) { +- if ( p->keylength == key_length ) { +- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); +- return p->param; +- } +- } +- +- /* No - check for hardcoded params */ +- +- for (i=0; tlso_dhpem[i].keylength; i++) { +- if ( tlso_dhpem[i].keylength == key_length ) { +- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size ); +- break; +- } +- } +- +- if ( b ) { +- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL ); +- BIO_free( b ); +- } +- +- /* Generating on the fly is expensive/slow... */ +- if ( !dh ) { +- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL ); +- } +- if ( dh ) { +- p = LDAP_MALLOC( sizeof(struct dhplist) ); +- if ( p != NULL ) { +- p->keylength = key_length; +- p->param = dh; +- p->next = tlso_dhparams; +- tlso_dhparams = p; +- } +- } +- +- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); +- return dh; +-} + + tls_impl ldap_int_tls_impl = { + "OpenSSL", + |