head 1.2; access; symbols pkgsrc-2017Q1:1.1.0.14 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.12 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.10 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.8 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.6 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.4 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.2 pkgsrc-2015Q3-base:1.1; locks; strict; comment @# @; 1.2 date 2017.06.02.08.29.56; author adam; state dead; branches; next 1.1; commitid xS726DHG1IWG7MTz; 1.1 date 2015.07.15.16.33.57; author manu; state Exp; branches; next ; commitid VUDIXwFgpaHSUoty; desc @@ 1.2 log @OpenLDAP 2.4.45 Release (2017/06/01) Added slapd support for OpenSSL 1.1.0 series (ITS-8353, ITS-8533, ITS-8634) Fixed libldap to fail ldap_result if the handle is already bad (ITS-8585) Fixed libldap to expose error if user specified CA doesn't exist (ITS-8529) Fixed libldap handling of Diffie-Hellman parameters (ITS-7506) Fixed libldap GnuTLS use after free (ITS-8385) Fixed libldap SASL initialization (ITS-8648) Fixed slapd bconfig rDN escape handling (ITS-8574) Fixed slapd segfault with invalid hostname (ITS-8631) Fixed slapd sasl SEGV rebind in same session (ITS-8568) Fixed slapd syncrepl filter handling (ITS-8413) Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS-8432) Fixed slapd callback struct so older modules without writewait should function. Custom modules may need to be updated for sc_writewait callback (ITS-8435) Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS-8576) Fixed slapd-mdb so it passes ITS6794 regression test (ITS-6794) Fixed slapd-mdb double free with size zero paged result (ITS-8655) Fixed slapd-meta uninitialized diagnostic message (ITS-8442) Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS-8423) Fixed slapo-accesslog with multiple modifications to the same attribute (ITS-6545) Fixed slapo-relay to correctly initialize sc_writewait (ITS-8428) Fixed slapo-sssvlv double free (ITS-8592) Fixed slapo-unique with empty modifications (ITS-8266) Build Environment Added test065 for proxyauthz (ITS-8571) Fix test008 to be portable (ITS-8414) Fix test064 to wait for slapd to start (ITS-8644) Fix its4336 regression test (ITS-8534) Fix its4337 regression test (ITS-8535) Fix regression tests to execute on all backends (ITS-8539) Contrib Added slapo-autogroup(5) man page (ITS-8569) Added passwd missing conversion scripts for apr1 (ITS-6826) Fixed contrib modules where the writewait callback was not correctly initialized (ITS-8435) Fixed smbk5pwd to build with newer OpenSSL releases (ITS-8525) Documentation admin24 fixed tls_cipher_suite bindconf option (ITS-8099) admin24 fixed typo cn=config to be slapd.d (ITS-8449) admin24 fixed slapo-syncprov information to be curent (ITS-8253) admin24 fixed typo in access control docs (ITS-7341, ITS-8391) admin24 fixed minor typo in tuning guide (ITS-8499) admin24 fixed information about the limits option (ITS-7700) admin24 fixed missing options for syncrepl configuration (ITS-7700) admin24 fixed accesslog documentation to note it should not be replicated (ITS-8344) Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS-7177) Fixed ldapsearch(1) information on the V[V] flag behavior (ITS-7177, ITS-6339) Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS-8538) Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS-8635) Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS-8123) Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS-8565) Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS-8613) Fixed slapo-syncprov(5) documentation to be current (ITS-8253) Fixed slapadd(8) manpage to note slapd-mdb (ITS-8215) Fixed various minor grammar issues in the man pages (ITS-8544) Fixed various typos (ITS-8587) @ text @$NetBSD: patch-its7506,v 1.1 2015/07/15 16:33:57 manu Exp $ Upstream fix for ignored TLSDHParamFile option From 6f120920d359d3b880c5c56bde4c1b91c3bedb01 Mon Sep 17 00:00:00 2001 From: Ben Jencks Date: Sun, 27 Jan 2013 18:27:03 -0500 Subject: [PATCH] ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. If a DHParamFile or olcDHParamFile is specified, then it will be used, otherwise a hardcoded 1024 bit parameter will be used. This allows the use of larger parameters; previously only 512 or 1024 bit parameters would ever be used. From cfeb28412c28ce9feeea6e6c055286f201bd0a34 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sat, 7 Sep 2013 06:39:53 -0700 Subject: [PATCH] ITS#7506 fix prev commit The patch unconditionally enabled DHparams, which is a significant change of behavior. Reverting to previous behavior, which only enables DH use if a DHparam file was configured. --- libraries/libldap/tls_o.c.orig 2015-07-15 18:14:17.000000000 +0200 +++ libraries/libldap/tls_o.c 2015-07-15 18:14:41.000000000 +0200 @@@@ -58,26 +58,15 @@@@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx ); static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx ); static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); -static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); - -typedef struct dhplist { - struct dhplist *next; - int keylength; - DH *param; -} dhplist; - -static dhplist *tlso_dhparams; - static int tlso_seed_PRNG( const char *randfile ); #ifdef LDAP_R_COMPILE /* * provide mutexes for the OpenSSL library. */ static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS]; -static ldap_pvt_thread_mutex_t tlso_dh_mutex; static void tlso_locking_cb( int mode, int type, const char *file, int line ) { if ( mode & CRYPTO_LOCK ) { @@@@ -106,9 +95,8 @@@@ for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { ldap_pvt_thread_mutex_init( &tlso_mutexes[i] ); } - ldap_pvt_thread_mutex_init( &tlso_dh_mutex ); CRYPTO_set_locking_callback( tlso_locking_cb ); CRYPTO_set_id_callback( tlso_thread_self ); } #endif /* LDAP_R_COMPILE */ @@@@ -310,27 +298,27 @@@@ if ( lo->ldo_tls_dhfile ) { DH *dh = NULL; BIO *bio; - dhplist *p; + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { Debug( LDAP_DEBUG_ANY, "TLS: could not use DH parameters file `%s'.\n", lo->ldo_tls_dhfile,0,0); tlso_report_error(); return -1; } - while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { - p = LDAP_MALLOC( sizeof(dhplist) ); - if ( p != NULL ) { - p->keylength = DH_size( dh ) * 8; - p->param = dh; - p->next = tlso_dhparams; - tlso_dhparams = p; - } + if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not read DH parameters file `%s'.\n", + lo->ldo_tls_dhfile,0,0); + tlso_report_error(); + BIO_free( bio ); + return -1; } BIO_free( bio ); + SSL_CTX_set_tmp_dh( ctx, dh ); } if ( tlso_opt_trace ) { SSL_CTX_set_info_callback( ctx, tlso_info_cb ); @@@@ -348,11 +336,8 @@@@ SSL_CTX_set_verify( ctx, i, lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ? tlso_verify_ok : tlso_verify_cb ); SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); - if ( lo->ldo_tls_dhfile ) { - SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb ); - } #ifdef HAVE_OPENSSL_CRL if ( lo->ldo_tls_crlcheck ) { X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) { @@@@ -1159,110 +1144,8 @@@@ return 0; } -struct dhinfo { - int keylength; - const char *pem; - size_t size; -}; - - -/* From the OpenSSL 0.9.7 distro */ -static const char tlso_dhpem512[] = -"-----BEGIN DH PARAMETERS-----\n\ -MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\ -a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem1024[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\ -/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\ -/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem2048[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\ -AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\ -z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\ -pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\ -aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\ -Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\ ------END DH PARAMETERS-----\n"; - -static const char tlso_dhpem4096[] = -"-----BEGIN DH PARAMETERS-----\n\ -MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\ -vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\ -TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\ -bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\ -rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\ -EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\ -bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\ -W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\ -ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\ -NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\ -jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\ ------END DH PARAMETERS-----\n"; - -static const struct dhinfo tlso_dhpem[] = { - { 512, tlso_dhpem512, sizeof(tlso_dhpem512) }, - { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) }, - { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) }, - { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) }, - { 0, NULL, 0 } -}; - -static DH * -tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) -{ - struct dhplist *p = NULL; - BIO *b = NULL; - DH *dh = NULL; - int i; - - /* Do we have params of this length already? */ - LDAP_MUTEX_LOCK( &tlso_dh_mutex ); - for ( p = tlso_dhparams; p; p=p->next ) { - if ( p->keylength == key_length ) { - LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); - return p->param; - } - } - - /* No - check for hardcoded params */ - - for (i=0; tlso_dhpem[i].keylength; i++) { - if ( tlso_dhpem[i].keylength == key_length ) { - b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size ); - break; - } - } - - if ( b ) { - dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL ); - BIO_free( b ); - } - - /* Generating on the fly is expensive/slow... */ - if ( !dh ) { - dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL ); - } - if ( dh ) { - p = LDAP_MALLOC( sizeof(struct dhplist) ); - if ( p != NULL ) { - p->keylength = key_length; - p->param = dh; - p->next = tlso_dhparams; - tlso_dhparams = p; - } - } - - LDAP_MUTEX_UNLOCK( &tlso_dh_mutex ); - return dh; -} tls_impl ldap_int_tls_impl = { "OpenSSL", @ 1.1 log @Upstream fix for ignored TLSDHParamFile option From 6f120920d359d3b880c5c56bde4c1b91c3bedb01 Mon Sep 17 00:00:00 2001 From: Ben Jencks Date: Sun, 27 Jan 2013 18:27:03 -0500 Subject: [PATCH] ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. If a DHParamFile or olcDHParamFile is specified, then it will be used, otherwise a hardcoded 1024 bit parameter will be used. This allows the use of larger parameters; previously only 512 or 1024 bit parameters would ever be used. From cfeb28412c28ce9feeea6e6c055286f201bd0a34 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sat, 7 Sep 2013 06:39:53 -0700 Subject: [PATCH] ITS#7506 fix prev commit The patch unconditionally enabled DHparams, which is a significant change of behavior. Reverting to previous behavior, which only enables DH use if a DHparam file was configured. @ text @d1 1 a1 1 $NetBSD$ @