link against moznss again (#1187742)

Revert "link against openssl by default"

This reverts commit 72da77adb6.
This commit is contained in:
Jan Synacek 2015-02-20 11:01:37 +01:00
parent 1fb41f2a59
commit 592250ebfb
12 changed files with 1654 additions and 21 deletions

View File

@ -0,0 +1,49 @@
Use pkg-config for Mozilla NSS library detection
Author: Jan Vcelak <jvcelak@redhat.com>
---
configure.in | 22 +++++-----------------
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/configure.in b/configure.in
index ecffe30..2a9cfb4 100644
--- a/configure.in
+++ b/configure.in
@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
fi
fi
-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
-dnl are not in the default system location
if test $ol_link_tls = no ; then
if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
- have_moznss=no
- AC_CHECK_HEADERS([nssutil.h])
- if test "$ac_cv_header_nssutil_h" = yes ; then
- AC_CHECK_LIB([nss3], [NSS_Initialize],
- [ have_moznss=yes ], [ have_moznss=no ])
- fi
+ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
- if test "$have_moznss" = yes ; then
+ if test $have_moznss = yes ; then
ol_with_tls=moznss
ol_link_tls=yes
- AC_DEFINE(HAVE_MOZNSS, 1,
- [define if you have MozNSS])
- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
- else
- if test $ol_with_tls = moznss ; then
- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
- fi
+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
+ TLS_LIBS="$MOZNSS_LIBS"
+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
fi
fi
fi
--
1.7.11.7

View File

@ -0,0 +1,47 @@
Accept nss certificate name in the form of tokenname:certnickname
Author: Rich Megginson <rmeggins@redhat.com>
Upstream ITS: #7360
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 5022efb..7377bb1 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2102,6 +2102,22 @@ tlsm_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return 0;
}
+/* returns true if the given string looks like
+ "tokenname" ":" "certnickname"
+ This is true if there is a ':' colon character
+ in the string and the colon is not the first
+ or the last character in the string
+*/
+static int
+tlsm_is_tokenname_certnick( const char *certfile )
+{
+ if ( certfile ) {
+ const char *ptr = PL_strchr( certfile, ':' );
+ return ptr && (ptr != certfile) && (*(ptr+1));
+ }
+ return 0;
+}
+
static int
tlsm_deferred_ctx_init( void *arg )
{
@@ -2268,7 +2284,10 @@ tlsm_deferred_ctx_init( void *arg )
} else {
char *tmp_certname;
- if (ctx->tc_certdb_slot) {
+ if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
+ /* assume already in form tokenname:certnickname */
+ tmp_certname = PL_strdup(lt->lt_certfile);
+ } else if (ctx->tc_certdb_slot) {
tmp_certname = PR_smprintf(TLSM_CERTDB_DESC_FMT ":%s", ctx->tc_unique, lt->lt_certfile);
} else {
tmp_certname = PR_smprintf("%s", lt->lt_certfile);
--
1.7.11.4

View File

@ -0,0 +1,86 @@
MozNSS: load certificates from certdb, fallback to PEM
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.
This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7389
Resolves: #857455
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 6847bea..8339391 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
/* prefer unlocked key, then key from opened certdb, then any other */
if ( unlocked_key )
ctx->tc_private_key = unlocked_key;
- else if ( ctx->tc_certdb_slot )
+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
else
ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
}
return -1;
}
-
- ctx->tc_using_pem = PR_TRUE;
}
NSS_SetDomesticPolicy();
@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
/* set up our cert and key, if any */
if ( lt->lt_certfile ) {
- /* if using the PEM module, load the PEM file specified by lt_certfile */
- /* otherwise, assume this is the name of a cert already in the db */
- if ( ctx->tc_using_pem ) {
- /* this sets ctx->tc_certificate to the correct value */
- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
- if ( rc ) {
- return rc;
- }
- } else {
+
+ /* first search in certdb (lt_certfile is nickname) */
+ if ( ctx->tc_certdb ) {
char *tmp_certname;
if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
Debug( LDAP_DEBUG_ANY,
"TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ }
+ }
+
+ /* fallback to PEM module (lt_certfile is filename) */
+ if ( !ctx->tc_certificate ) {
+ if ( !pem_module && tlsm_init_pem_module() ) {
+ int pem_errcode = PORT_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
return -1;
}
+
+ /* this sets ctx->tc_certificate to the correct value */
+ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
+ ctx->tc_using_pem = PR_TRUE;
+ }
+ }
+
+ if ( ctx->tc_certificate ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
+ ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
+ } else {
+ return -1;
}
}

View File

@ -0,0 +1,34 @@
MozNSS: default cipher suite always selected
Author: Tim Strobell <tim.strobell.ctr@nrl.navy.mil>
Upstream ITS: #7285
Upstream commit: 2c2bb2e7aee1b2167f383a8344985a1cf66aff3f
Resolves: #828790
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 23d843c..b608551 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2218,12 +2218,13 @@ tlsm_deferred_ctx_init( void *arg )
return -1;
}
- if ( lt->lt_ciphersuite &&
- tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not set cipher list %s.\n",
- lt->lt_ciphersuite, 0, 0 );
- return -1;
+ if ( lt->lt_ciphersuite ) {
+ if ( tlsm_parse_ciphers( ctx, lt->lt_ciphersuite ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not set cipher list %s.\n",
+ lt->lt_ciphersuite, 0, 0 );
+ return -1;
+ }
} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list DEFAULT.\n",
--
1.7.10.4

View File

@ -0,0 +1,47 @@
MozNSS: ignore certdb database type prefix when checking existence of the directory
If the certdb is specified including the database type prefix (e.g.
sql:, dbm:), the prefix has to be ignored when checking the
certificate directory existence.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7388
Resolves: #857373
---
libraries/libldap/tls_m.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 49a3f8f..5ee21a2 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
{
char sep = PR_GetDirectorySeparator();
char *ptr = NULL;
+ char *chkpath = NULL;
struct PRFileInfo prfi;
PRStatus prc;
@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
return;
}
- prc = PR_GetFileInfo( certdir, &prfi );
+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
+ chkpath = strchr( certdir, ':' );
+ if ( chkpath != NULL ) {
+ chkpath += 1;
+ } else {
+ chkpath = certdir;
+ }
+
/* if certdir exists (file or directory) then it cannot specify a prefix */
+ prc = PR_GetFileInfo( chkpath, &prfi );
if ( prc == PR_SUCCESS ) {
return;
}
--
1.7.11.7

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,23 @@
Resolves: #929357
Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec
Author: Rich Megginson <rmeggins@redhat.com>
Date: Thu, 28 Mar 2013 19:05:02 -0600
Modified by: Jan Synacek <jsynacek@redhat.com>
This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39.
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 072d41d..c59d303 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2151,6 +2151,8 @@
"TLS: could not close certdb slot - error %d:%s.\n",
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
}
+ PK11_FreeSlot( c->tc_certdb_slot );
+ c->tc_certdb_slot = NULL;
}
if ( c->tc_pin_file ) {
PL_strfree( c->tc_pin_file );

View File

@ -0,0 +1,91 @@
MozNSS: better file name matching for hashed CA certificate directory
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name
should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used
to differentiate between two certificates with the same subject name.
Wit this patch, certificate file names are matched correctly (using regular expressions).
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7374
Resolves: #852786
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 5e49fc5..61d71d4 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -38,6 +38,7 @@
#include <ac/unistd.h>
#include <ac/param.h>
#include <ac/dirent.h>
+#include <ac/regex.h>
#include "ldap-int.h"
#include "ldap-tls.h"
@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
#define PEM_LIBRARY "nsspem"
#define PEM_MODULE "PEM"
-/* hash files for use with cacertdir have this file name suffix */
-#define PEM_CA_HASH_FILE_SUFFIX ".0"
-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
static SECMODModule *pem_module;
@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
PRDir *dir;
PRDirEntry *entry;
PRStatus fistatus = PR_FAILURE;
+ regex_t hashfile_re;
memset( &fi, 0, sizeof(fi) );
fistatus = PR_GetFileInfo( cacertdir, &fi );
@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
goto done;
}
+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
+ goto done;
+ }
+
do {
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
char *fullpath = NULL;
- char *ptr;
+ int match;
- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
+ if ( match == REG_NOMATCH ) {
Debug( LDAP_DEBUG_TRACE,
- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
- "directory file with a properly hashed file name - skipping.\n",
- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
+ "TLS: skipping '%s' - filename does not have expected format "
+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
+ continue;
+ } else if ( match != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: cannot execute regex for CA hash file matching (%d).\n",
+ match, 0, 0 );
continue;
}
+
fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
Debug( LDAP_DEBUG_TRACE,
@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
PR_smprintf_free( fullpath );
}
} while ( NULL != entry );
+ regfree ( &hashfile_re );
PR_CloseDir( dir );
}
done:
--
1.7.11.4

View File

@ -0,0 +1,193 @@
MozNSS: update list of supported cipher suites
The updated list includes all ciphers implemented in Mozilla NSS 3.13.15
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7374
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 1422ce2..5e49fc5 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -211,27 +211,34 @@ typedef struct {
int num; /* The cipher id */
int attr; /* cipher attributes: algorithms, etc */
int version; /* protocol version valid for this cipher */
- int bits; /* bits of strength */
- int alg_bits; /* bits of the algorithm */
int strength; /* LOW, MEDIUM, HIGH */
int enabled; /* Enabled by default? */
} cipher_properties;
/* cipher attributes */
-#define SSL_kRSA 0x00000001L
-#define SSL_aRSA 0x00000002L
-#define SSL_aDSS 0x00000004L
-#define SSL_DSS SSL_aDSS
-#define SSL_eNULL 0x00000008L
-#define SSL_DES 0x00000010L
-#define SSL_3DES 0x00000020L
-#define SSL_RC4 0x00000040L
-#define SSL_RC2 0x00000080L
-#define SSL_AES 0x00000100L
-#define SSL_MD5 0x00000200L
-#define SSL_SHA1 0x00000400L
-#define SSL_SHA SSL_SHA1
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
+#define SSL_kRSA 0x00000001L
+#define SSL_aRSA 0x00000002L
+#define SSL_RSA (SSL_kRSA|SSL_aRSA)
+#define SSL_aDSA 0x00000004L
+#define SSL_DSA SSL_aDSA
+#define SSL_eNULL 0x00000008L
+#define SSL_DES 0x00000010L
+#define SSL_3DES 0x00000020L
+#define SSL_RC4 0x00000040L
+#define SSL_RC2 0x00000080L
+#define SSL_AES128 0x00000100L
+#define SSL_AES256 0x00000200L
+#define SSL_AES (SSL_AES128|SSL_AES256)
+#define SSL_MD5 0x00000400L
+#define SSL_SHA1 0x00000800L
+#define SSL_kEDH 0x00001000L
+#define SSL_CAMELLIA128 0x00002000L
+#define SSL_CAMELLIA256 0x00004000L
+#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
+#define SSL_SEED 0x00008000L
+#define SSL_kECDH 0x00010000L
+#define SSL_kECDHE 0x00020000L
+#define SSL_aECDSA 0x00040000L
/* cipher strength */
#define SSL_NULL 0x00000001L
@@ -248,29 +255,70 @@ typedef struct {
/* Cipher translation */
static cipher_properties ciphers_def[] = {
- /* SSL 2 ciphers */
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
-
- /* SSL3 ciphers */
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+
+ /*
+ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: ALL:!aNULL:!eNULL:!SSLv2
+ */
+
+ /* SSLv2 ciphers */
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED},
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED},
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED},
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED},
+
+ /* SSLv3 ciphers */
+ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
+ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED},
+ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
+ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
+ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED},
+ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED},
+ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
+ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED},
+ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
+ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
+ {"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED},
+ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED},
/* TLSv1 ciphers */
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED},
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED},
+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED},
+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED},
};
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))
@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RSA;
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
mask |= SSL_eNULL;
+ } else if (!strcmp(cipher, "AES128")) {
+ mask |= SSL_AES128;
+ } else if (!strcmp(cipher, "AES256")) {
+ mask |= SSL_AES256;
} else if (!strcmp(cipher, "AES")) {
mask |= SSL_AES;
} else if (!strcmp(cipher, "3DES")) {
@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_MD5;
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
mask |= SSL_SHA1;
+ } else if (!strcmp(cipher, "EDH")) {
+ mask |= SSL_kEDH;
+ } else if (!strcmp(cipher, "DSS")) {
+ mask |= SSL_aDSA;
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
+ mask |= SSL_CAMELLIA128;
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
+ mask |= SSL_CAMELLIA256;
+ } else if (!strcmp(cipher, "CAMELLIA")) {
+ mask |= SSL_CAMELLIA;
+ } else if (!strcmp(cipher, "SEED")) {
+ mask |= SSL_SEED;
+ } else if (!strcmp(cipher, "ECDH")) {
+ mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "ECDHE")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "ECDSA")) {
+ mask |= SSL_aECDSA;
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
--
1.7.11.4

View File

@ -5,19 +5,18 @@ Backported-by: Jan Synacek <jsynacek@redhat.com>
Upstream ITS: #7979
Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
+++ openldap-2.4.40/include/ldap.h 2015-01-27 14:52:42.741364186 +0100
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:02:39.489493061 +0100
+++ openldap-2.4.40/libraries/libldap/tls_m.c 2014-11-14 09:23:07.239463097 +0100
@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
case SSL_ERROR_BAD_CERT_DOMAIN:
break;
default:
- success = SECFailure;
+ success = SECFailure;
break;
}
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100
--- openldap-2.4.40/libraries/libldap/tls_m.c 2014-09-19 03:48:49.000000000 +0200
+++ openldap-2.4.40/libraries/libldap/tls_m.c 2015-01-27 14:57:25.702243542 +0100
@@ -1639,6 +1639,8 @@ tlsm_deferred_init( void *arg )
@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
NSSInitContext *initctx = NULL;
PK11SlotInfo *certdb_slot = NULL;
#endif
@ -26,8 +25,8 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
SECStatus rc;
int done = 0;
@@ -1823,7 +1825,17 @@ tlsm_deferred_init( void *arg )
ctx->tc_using_pem = PR_TRUE;
@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
}
}
+ /*
@ -43,4 +42,13 @@ Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
NSS_SetDomesticPolicy();
PK11_SetPasswordFunc( tlsm_pin_prompt );
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100

View File

@ -5,7 +5,7 @@
Name: openldap
Version: 2.4.40
Release: 9%{?dist}
Release: 10%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@ -26,6 +26,13 @@ Patch2: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch4: openldap-man-sasl-nocanon.patch
Patch5: openldap-ai-addrconfig.patch
# nss patches, unlikely to ever get upstreamed
Patch11: openldap-nss-update-list-of-ciphers.patch
Patch12: openldap-tls-no-reuse-of-tls_session.patch
Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
Patch14: openldap-nss-ignore-certdb-type-prefix.patch
Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
Patch16: openldap-nss-pk11-freeslot.patch
# fix back_perl problems with lt_dlopen()
# might cause crashes because of symbol collisions
@ -43,13 +50,16 @@ Patch22: openldap-require-non-empty-attributelist.patch
Patch90: check-password-makefile.patch
Patch91: check-password.patch
# Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch
# GCC 5 cpp patch, pending upstream inclusion (ITS #8056)
Patch100: openldap-gcc-5.patch
Patch101: openldap-gcc-5.patch
BuildRequires: cyrus-sasl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
# smbk5pwd overlay:
BuildRequires: openssl-devel
Requires: nss-tools
%description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@ -115,8 +125,14 @@ programs needed for accessing and modifying OpenLDAP directories.
pushd openldap-%{version}
# use pkg-config for Mozilla NSS library
%patch100 -p1
%patch101 -p1
# alternative include paths for Mozilla NSS
ln -s %{_includedir}/nss3 include/nss
ln -s %{_includedir}/nspr4 include/nspr
AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch0 -p1
@ -125,6 +141,12 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
@ -194,6 +216,7 @@ pushd openldap-%{version}
--without-fetch \
--with-threads \
--with-pic \
--with-tls=moznss \
--with-gnu-ld \
\
--libexecdir=%{_libdir}
@ -514,6 +537,9 @@ exit 0
%{_mandir}/man3/*
%changelog
* Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
- link against moznss again (#1187742)
* Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
- fix: Unknown Berkeley DB major version in db.h (#1191098)

View File

@ -9,9 +9,9 @@ cn: config
#
# TLS settings
#
#olcTLSCACertificatePath: /etc/openldap/certs/cacert.pem
#olcTLSCertificateFile: /etc/openldap/certs/servercert.pem
#olcTLSCertificateKeyFile: /etc/openldap/certs/serverkey.pem
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory