Build with OpenSSL with MozNSS compatibility layer

Resolves: #1400570
Matúš Honěk 2017-02-02 15:27:22 +01:00
parent 671ba8f100
commit a33df4e168
19 changed files with 1787 additions and 2149 deletions


@ -1,49 +0,0 @@
Use pkg-config for Mozilla NSS library detection
Author: Jan Vcelak <jvcelak@redhat.com>
---
configure.in | 22 +++++-----------------
1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/configure.in b/configure.in
index ecffe30..2a9cfb4 100644
--- a/configure.in
+++ b/configure.in
@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then
fi
fi
-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3
-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs
-dnl are not in the default system location
if test $ol_link_tls = no ; then
if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then
- have_moznss=no
- AC_CHECK_HEADERS([nssutil.h])
- if test "$ac_cv_header_nssutil_h" = yes ; then
- AC_CHECK_LIB([nss3], [NSS_Initialize],
- [ have_moznss=yes ], [ have_moznss=no ])
- fi
+ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no])
- if test "$have_moznss" = yes ; then
+ if test $have_moznss = yes ; then
ol_with_tls=moznss
ol_link_tls=yes
- AC_DEFINE(HAVE_MOZNSS, 1,
- [define if you have MozNSS])
- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
- else
- if test $ol_with_tls = moznss ; then
- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)])
- fi
+ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS])
+ TLS_LIBS="$MOZNSS_LIBS"
+ CFLAGS="$CFLAGS $MOZNSS_CFLAGS"
fi
fi
fi
--
1.7.11.7


@ -1,36 +0,0 @@
Upstream ITS: #7568
From 6be982c000133ccf9da949d39eed23a93bc7bfc5 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 9 Apr 2013 12:41:38 +0200
Subject: [PATCH 1/2] Fix typos in ldap.conf.5
---
doc/man/man5/ldap.conf.5 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cfde143..8f7fecd 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -297,7 +297,7 @@ Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG)
should be used. The default is off.
.TP
.B GSSAPI_ALLOW_REMOTE_PRINCIPAL <on/true/yes/off/false/no>
-Specifies if GSSAPI based authentification should try to form the
+Specifies if GSSAPI based authentication should try to form the
target principal name out of the ldapServiceName or dnsHostName
attribute of the targets RootDSE entry. The default is off.
.SH TLS OPTIONS
@@ -354,7 +354,7 @@ it is of critical importance that the key file is protected carefully.
When using Mozilla NSS, TLS_KEY specifies the name of a file that contains
the password for the key for the certificate specified with TLS_CERT. The
modutil command can be used to turn off password protection for the cert/key
-database. For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as
+database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as
the location of the cert/key database, use modutil to change the password
to the empty string:
.nf
--
1.8.1.4


@ -1,27 +0,0 @@
Upstream ITS: #7568
From 05c726c62785b2c307f9c5343a253d43ec7322c6 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 9 Apr 2013 12:42:31 +0200
Subject: [PATCH 2/2] Add -Q to slaptest's help
---
servers/slapd/slapcommon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
index 714e2bc..153310f 100644
--- a/servers/slapd/slapcommon.c
+++ b/servers/slapd/slapcommon.c
@@ -92,7 +92,7 @@ usage( int tool, const char *progname )
break;
case SLAPTEST:
- options = " [-n databasenumber] [-u]\n";
+ options = " [-n databasenumber] [-u] [-Q]\n";
break;
case SLAPSCHEMA:
--
1.8.1.4


@ -1,27 +0,0 @@
From 4313b91b0bc2fe6585656cd69a03f9755b5af3c4 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Wed, 29 May 2013 10:21:40 +0200
Subject: [PATCH] Fix loglevel2bvarray
---
servers/slapd/bconfig.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 4e1f1b5..def6daf 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -3622,6 +3622,10 @@ loglevel2bvarray( int l, BerVarray *bva )
loglevel_init();
}
+ if ( l == 0 ) {
+ return value_add_one( bva, ber_bvstr( "0" ) );
+ }
+
return mask_to_verbs( loglevel_ops, l, bva );
}
--
1.8.1.4


@ -1,47 +0,0 @@
Accept nss certificate name in the form of tokenname:certnickname
Author: Rich Megginson <rmeggins@redhat.com>
Upstream ITS: #7360
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 5022efb..7377bb1 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2102,6 +2102,22 @@ tlsm_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return 0;
}
+/* returns true if the given string looks like
+ "tokenname" ":" "certnickname"
+ This is true if there is a ':' colon character
+ in the string and the colon is not the first
+ or the last character in the string
+*/
+static int
+tlsm_is_tokenname_certnick( const char *certfile )
+{
+ if ( certfile ) {
+ const char *ptr = PL_strchr( certfile, ':' );
+ return ptr && (ptr != certfile) && (*(ptr+1));
+ }
+ return 0;
+}
+
static int
tlsm_deferred_ctx_init( void *arg )
{
@@ -2268,7 +2284,10 @@ tlsm_deferred_ctx_init( void *arg )
} else {
char *tmp_certname;
- if (ctx->tc_certdb_slot) {
+ if (tlsm_is_tokenname_certnick(lt->lt_certfile)) {
+ /* assume already in form tokenname:certnickname */
+ tmp_certname = PL_strdup(lt->lt_certfile);
+ } else if (ctx->tc_certdb_slot) {
tmp_certname = PR_smprintf(TLSM_CERTDB_DESC_FMT ":%s", ctx->tc_unique, lt->lt_certfile);
} else {
tmp_certname = PR_smprintf("%s", lt->lt_certfile);
--
1.7.11.4


@ -1,86 +0,0 @@
MozNSS: load certificates from certdb, fallback to PEM
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.
This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7389
Resolves: #857455
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 6847bea..8339391 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx )
/* prefer unlocked key, then key from opened certdb, then any other */
if ( unlocked_key )
ctx->tc_private_key = unlocked_key;
- else if ( ctx->tc_certdb_slot )
+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
else
ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg )
}
return -1;
}
-
- ctx->tc_using_pem = PR_TRUE;
}
NSS_SetDomesticPolicy();
@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg )
/* set up our cert and key, if any */
if ( lt->lt_certfile ) {
- /* if using the PEM module, load the PEM file specified by lt_certfile */
- /* otherwise, assume this is the name of a cert already in the db */
- if ( ctx->tc_using_pem ) {
- /* this sets ctx->tc_certificate to the correct value */
- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
- if ( rc ) {
- return rc;
- }
- } else {
+
+ /* first search in certdb (lt_certfile is nickname) */
+ if ( ctx->tc_certdb ) {
char *tmp_certname;
if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg )
Debug( LDAP_DEBUG_ANY,
"TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ }
+ }
+
+ /* fallback to PEM module (lt_certfile is filename) */
+ if ( !ctx->tc_certificate ) {
+ if ( !pem_module && tlsm_init_pem_module() ) {
+ int pem_errcode = PORT_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
return -1;
}
+
+ /* this sets ctx->tc_certificate to the correct value */
+ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
+ ctx->tc_using_pem = PR_TRUE;
+ }
+ }
+
+ if ( ctx->tc_certificate ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
+ ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
+ } else {
+ return -1;
}
}


@ -1,95 +0,0 @@
Update MozNSS cipher attributes definitions
Author: Matus Honek <mhonek@redhat.com>
PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -210,27 +210,44 @@ typedef struct {
int num; /* The cipher id */
int attr; /* cipher attributes: algorithms, etc */
int version; /* protocol version valid for this cipher */
- int bits; /* bits of strength */
- int alg_bits; /* bits of the algorithm */
int strength; /* LOW, MEDIUM, HIGH */
int enabled; /* Enabled by default? */
} cipher_properties;
/* cipher attributes */
-#define SSL_kRSA 0x00000001L
-#define SSL_aRSA 0x00000002L
-#define SSL_aDSS 0x00000004L
-#define SSL_DSS SSL_aDSS
-#define SSL_eNULL 0x00000008L
-#define SSL_DES 0x00000010L
-#define SSL_3DES 0x00000020L
-#define SSL_RC4 0x00000040L
-#define SSL_RC2 0x00000080L
-#define SSL_AES 0x00000100L
-#define SSL_MD5 0x00000200L
-#define SSL_SHA1 0x00000400L
-#define SSL_SHA SSL_SHA1
-#define SSL_RSA (SSL_kRSA|SSL_aRSA)
+#define SSL_kRSA 0x00000001L
+#define SSL_aRSA 0x00000002L
+#define SSL_aDSA 0x00000004L
+#define SSL_DSA SSL_aDSA
+#define SSL_eNULL 0x00000008L
+#define SSL_DES 0x00000010L
+#define SSL_3DES 0x00000020L
+#define SSL_RC4 0x00000040L
+#define SSL_RC2 0x00000080L
+#define SSL_AES128 0x00000100L
+#define SSL_AES256 0x00000200L
+#define SSL_MD5 0x00000400L
+#define SSL_SHA1 0x00000800L
+#define SSL_kEDH 0x00001000L
+#define SSL_CAMELLIA128 0x00002000L
+#define SSL_CAMELLIA256 0x00004000L
+#define SSL_SEED 0x00008000L
+#define SSL_kECDH 0x00010000L
+#define SSL_kECDHE 0x00020000L
+#define SSL_aECDSA 0x00040000L
+#define SSL_SHA256 0x00080000L
+#define SSL_SHA384 0x00100000L
+#define SSL_kEECDH 0x00200000L
+#define SSL_AESGCM 0x00400000L
+#define SSL_AEAD 0x00800000L
+#define SSL_aPSK 0x01000000L
+#define SSL_CHACHA20POLY1305 0x02000000L
+
+/* cipher attributes non-unique - do not use for definitions */
+#define SSL_RSA 0x00000001L
+#define SSL_AES 0x00000002L
+#define SSL_CAMELLIA 0x00000004L
+#define SSL_ECDH 0x00000008L
/* cipher strength */
#define SSL_NULL 0x00000001L
@@ -240,10 +257,15 @@ typedef struct {
#define SSL_MEDIUM 0x00000010L
#define SSL_HIGH 0x00000020L
+/* cipher strengths non-unique - do not use for definitions */
+#define SSL_EXPORT 0x00000001L
+
#define SSL2 0x00000001L
#define SSL3 0x00000002L
/* OpenSSL treats SSL3 and TLSv1 the same */
#define TLS1 SSL3
+#define TLS1_2 0x00000004L
+#define TLS1_3 0x00000008L
/* Cipher translation */
static cipher_properties ciphers_def[] = {
--- openldap-2.4.40/include/ldap.h 2014-09-19 03:48:49.000000000 +0200
+++ openldap-2.4.40/include/ldap.h 2014-11-14 09:25:54.560801030 +0100
@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100


@ -1,139 +0,0 @@
Update MozNSS definitions of ciphers
Author: Matus Honek <mhonek@redhat.com>
PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -268,29 +268,109 @@ typedef struct {
/* Cipher translation */
static cipher_properties ciphers_def[] = {
- /* SSL 2 ciphers */
- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
-
- /* SSL3 ciphers */
- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED},
- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED},
- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED},
- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED},
- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED},
- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED},
+
+ /* SSLv2 ciphers */
+ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW},
+ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH},
+ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM},
+ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM},
+ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40},
+ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40},
+
+ /* SSLv3 ciphers */
+ {"NULL-MD5", TLS_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_MD5 */
+ {"NULL-SHA", TLS_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL}, /* SSL_RSA_WITH_NULL_SHA */
+ {"DES-CBC-SHA", TLS_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_RSA_WITH_DES_CBC_SHA */
+ {"DES-CBC3-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_RSA_WITH_3DES_EDE_CBC_SHA */
+ {"RC4-MD5", TLS_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM}, /* SSL_RSA_WITH_RC4_128_MD5 */
+ {"RC4-SHA", TLS_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM}, /* SSL_RSA_WITH_RC4_128_SHA */
+ {"EXP-RC2-CBC-MD5", TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40}, /* SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 */
+ {"EXP-RC4-MD5", TLS_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40}, /* SSL_RSA_EXPORT_WITH_RC4_40_MD5 */
+ {"EDH-RSA-DES-CBC-SHA", TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_DHE_RSA_WITH_DES_CBC_SHA */
+ {"EDH-RSA-DES-CBC3-SHA", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA */
+ {"EDH-DSS-DES-CBC-SHA", TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW}, /* SSL_DHE_DSS_WITH_DES_CBC_SHA */
+ {"EDH-DSS-DES-CBC3-SHA", TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH}, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA */
/* TLSv1 ciphers */
- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED},
- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED},
- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED},
+ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56},
+ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56},
+ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL},
+ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM},
+ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH},
+
+ // Ciphers commented out are not in NSS yet.
+
+ {"NULL-SHA256", TLS_RSA_WITH_NULL_SHA256, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA256, TLS1_2, SSL_NULL},
+ {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"AES128-GCM-SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"AES256-GCM-SHA384", 0x009d /* TLS_RSA_WITH_AES_256_GCM_SHA384 */, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES128-GCM-SHA256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-RSA-AES256-GCM-SHA384", 0x009f /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"DHE-DSS-AES128-SHA256", TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES256-SHA256", TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES128-GCM-SHA256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"DHE-DSS-AES128-GCM-SHA256", 0x00a3 /* TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ //{"DHE-DSS-AES128-GCM-SHA384", TLS_DHE_DSS_WITH_AES_128_GCM_SHA384, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA256, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES128-GCM-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES128-GCM-SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-GCM-SHA384", 0xc02c /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES256-GCM-SHA384", 0xc030 /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-ECDSA-AES256-SHA384", 0xc024 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
+ {"ECDHE-RSA-AES256-SHA384", 0xc028 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA384, TLS1_2, SSL_HIGH},
+
+ {"ECDHE-PSK-AES128-GCM-SHA256", 0xd001 /* TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 */, SSL_kECDHE|SSL_aPSK|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-PSK-CHACHA20-POLY1305", 0xccac /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aPSK|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"ECDHE-PSK-AES256-GCM-SHA384", 0xd002 /* TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 */, SSL_kECDHE|SSL_aPSK|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"", 0x00aa /* TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 */, SSL_kEDH|SSL_aPSK|SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"", 0xccad /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aPSK|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ {"", 0x00ab /* TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 */, SSL_kEDH|SSL_aPSK|SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_2, SSL_HIGH},
+ //{"ECDHE-ECDSA-CHACHA20-POLY1305", 0xcca9 /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aECDSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ //{"ECDHE-RSA-CHACHA20-POLY1305", 0xcca8 /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kECDHE|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+ //{"DHE-RSA-CHACHA20-POLY1305", 0xccaa /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */, SSL_kEDH|SSL_aRSA|SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_2, SSL_HIGH},
+
+ // TLSv1.3
+ {"TLS13-AES-128-GCM-SHA256", 0x1301 /* TLS_AES_128_GCM_SHA256 */, SSL_AES128|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH},
+ {"TLS13-AES-256-GCM-SHA384", 0x1302 /* TLS_AES_256_GCM_SHA384 */, SSL_AES256|SSL_AESGCM|SSL_AEAD, TLS1_3, SSL_HIGH},
+ {"TLS13-CHACHA20-POLY1305-SHA256", 0x1303 /* TLS_CHACHA20_POLY1305_SHA256 */, SSL_CHACHA20POLY1305|SSL_AEAD, TLS1_3, SSL_HIGH},
};
#define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties))


@ -1,196 +0,0 @@
Update MozNSS OpenSSL-like parsing code
Author: Matus Honek <mhonek@redhat.com>
PreviousAuthor: Jan Vcelak <jvcelak@redhat.com>
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -617,10 +617,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
while ((*cipher) && (isspace(*cipher)))
++cipher;
- action = 1;
switch(*cipher) {
- case '+': /* Add something */
- action = 1;
+ case '+': /* Do nothig. NSS does not support ordering. */
+ Debug( LDAP_DEBUG_ARGS,
+ "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n",
+ 0, 0, 0 );
+ action = 2;
cipher++;
break;
case '-': /* Subtract something */
@@ -631,8 +633,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
action = -1;
cipher++;
break;
- default:
- /* do nothing */
+ default: /* Add something */
+ action = 1;
break;
}
@@ -666,7 +668,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
}
} else {
int mask = 0;
+ int multi_mask = 0;
+ int negative_mask = 0;
int strength = 0;
+ int multi_strength = 0;
int protocol = 0;
char *c;
@@ -677,12 +682,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
*c++ = '\0';
}
- if (!strcmp(cipher, "RSA")) {
- mask |= SSL_RSA;
+ if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) {
+ mask |= SSL_kRSA;
+ } else if (!strcmp(cipher, "aRSA")) {
+ mask |= SSL_aRSA;
+ negative_mask |= SSL_kECDH;
} else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
mask |= SSL_eNULL;
+ } else if (!strcmp(cipher, "AES128")) {
+ mask |= SSL_AES128;
+ } else if (!strcmp(cipher, "AES256")) {
+ mask |= SSL_AES256;
+ } else if (!strcmp(cipher, "AESGCM")) {
+ mask |= SSL_AESGCM;
} else if (!strcmp(cipher, "AES")) {
- mask |= SSL_AES;
+ multi_mask |= SSL_AES;
} else if (!strcmp(cipher, "3DES")) {
mask |= SSL_3DES;
} else if (!strcmp(cipher, "DES")) {
@@ -693,26 +707,69 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
mask |= SSL_RC2;
} else if (!strcmp(cipher, "MD5")) {
mask |= SSL_MD5;
+ } else if (!strcmp(cipher, "SHA256")) {
+ mask |= SSL_SHA256;
+ } else if (!strcmp(cipher, "SHA384")) {
+ mask |= SSL_SHA384;
} else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) {
mask |= SSL_SHA1;
+ } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) {
+ mask |= SSL_kEDH;
+ } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) {
+ mask |= SSL_aDSA;
+ } else if (!strcmp(cipher, "CAMELLIA128")) {
+ mask |= SSL_CAMELLIA128;
+ } else if (!strcmp(cipher, "CAMELLIA256")) {
+ mask |= SSL_CAMELLIA256;
+ } else if (!strcmp(cipher, "CAMELLIA")) {
+ multi_mask |= SSL_CAMELLIA;
+ } else if (!strcmp(cipher, "SEED")) {
+ mask |= SSL_SEED;
+ } else if (!strcmp(cipher, "kECDHe")) {
+ mask |= SSL_kECDH|SSL_aECDSA;
+ } else if (!strcmp(cipher, "kECDHr")) {
+ mask |= SSL_kECDH|SSL_aRSA;
+ } else if (!strcmp(cipher, "kECDH")) {
+ mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "aECDH")) {
+ mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "EECDH")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "kEECDH")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "ECDHE")) {
+ mask |= SSL_kECDHE;
+ } else if (!strcmp(cipher, "ECDH")) {
+ multi_mask |= SSL_ECDH;
+ } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) {
+ mask |= SSL_aECDSA;
+ negative_mask |= SSL_kECDH;
+ } else if (!strcmp(cipher, "PSK")) {
+ mask |= SSL_aPSK;
+ } else if (!strcmp(cipher, "CHACHA20POLY1305")) {
+ mask |= SSL_CHACHA20POLY1305;
} else if (!strcmp(cipher, "SSLv2")) {
protocol |= SSL2;
} else if (!strcmp(cipher, "SSLv3")) {
protocol |= SSL3;
} else if (!strcmp(cipher, "TLSv1")) {
protocol |= TLS1;
+ } else if (!strcmp(cipher, "TLSv1.2")) {
+ protocol |= TLS1_2;
+ } else if (!strcmp(cipher, "TLSv1.3")) {
+ protocol |= TLS1_3;
} else if (!strcmp(cipher, "HIGH")) {
strength |= SSL_HIGH;
} else if (!strcmp(cipher, "MEDIUM")) {
strength |= SSL_MEDIUM;
} else if (!strcmp(cipher, "LOW")) {
strength |= SSL_LOW;
- } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
- strength |= SSL_EXPORT40|SSL_EXPORT56;
} else if (!strcmp(cipher, "EXPORT40")) {
strength |= SSL_EXPORT40;
} else if (!strcmp(cipher, "EXPORT56")) {
strength |= SSL_EXPORT56;
+ } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) {
+ multi_strength |= SSL_EXPORT;
}
if (c)
@@ -720,23 +775,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
} /* while */
+ /* NSS does not support ordering */
+ if (action == 2)
+ continue;
+
/* If we have a mask, apply it. If not then perhaps they provided
* a specific cipher to enable.
+ * if more than one mask is provided then AND logic applies (to match openssl)
*/
- if (mask || strength || protocol) {
+ if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) {
for (i=0; i<ciphernum; i++) {
- if (((ciphers_def[i].attr & mask) ||
- (ciphers_def[i].strength & strength) ||
- (ciphers_def[i].version & protocol)) &&
- (cipher_list[i] != -1)) {
- /* Enable the NULL ciphers only if explicity
- * requested */
- if (ciphers_def[i].attr & SSL_eNULL) {
- if (mask & SSL_eNULL)
- cipher_list[i] = action;
- } else
- cipher_list[i] = action;
- }
+ if ( cipher_list[i] == -1 )
+ continue;
+ if ( mask != (ciphers_def[i].attr & mask) )
+ continue;
+ if ( strength != (ciphers_def[i].strength & strength) )
+ continue;
+ if ( protocol != (ciphers_def[i].version & protocol) )
+ continue;
+ if ((multi_mask & SSL_AES) &&
+ !(ciphers_def[i].attr & (SSL_AES128|SSL_AES256|SSL_AESGCM)))
+ continue;
+ if ((multi_mask & SSL_ECDH) &&
+ !(ciphers_def[i].attr & (SSL_kECDH|SSL_kECDHE)))
+ continue;
+ if ((multi_mask & SSL_CAMELLIA) &&
+ !(ciphers_def[i].attr & (SSL_CAMELLIA128|SSL_CAMELLIA256)))
+ continue;
+ if ((multi_strength & SSL_EXPORT) &&
+ !(ciphers_def[i].strength & (SSL_EXPORT40|SSL_EXPORT56)))
+ continue;
+ if ( negative_mask & ciphers_def[i].attr )
+ continue;
+ cipher_list[i] = action;
}
} else {
for (i=0; i<ciphernum; i++) {


@ -1,27 +0,0 @@
Use what NSS considers default for DEFAULT cipher string.
Author: Matus Honek <mhonek@redhat.com>
Resolves: #1387868
Backports: #1245279 #1300701
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -645,7 +645,16 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
}
} else if (!strcmp(cipher, "DEFAULT")) {
for (i=0; i<ciphernum; i++) {
- cipher_list[i] = ciphers_def[i].enabled == SSL_ALLOWED ? 1 : 0;
+ PRBool enabled;
+ if (SSL_CipherPrefGetDefault(ciphers_def[i].num, &enabled) == SECSuccess) {
+ if (!(ciphers_def[i].attr & SSL_eNULL)) {
+ cipher_list[i] = enabled == SSL_ALLOWED ? 1 : 0;
+ } else {
+ cipher_list[i] = -1;
+ }
+ } else {
+ cipher_list[i] = -1;
+ }
}
} else {
int mask = 0;


@ -1,34 +0,0 @@
MozNSS: default cipher suite always selected
Author: Tim Strobell <tim.strobell.ctr@nrl.navy.mil>
Upstream ITS: #7285
Upstream commit: 2c2bb2e7aee1b2167f383a8344985a1cf66aff3f
Resolves: #828790
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 23d843c..b608551 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2218,12 +2218,13 @@ tlsm_deferred_ctx_init( void *arg )
return -1;
}
- if ( lt->lt_ciphersuite &&
- tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not set cipher list %s.\n",
- lt->lt_ciphersuite, 0, 0 );
- return -1;
+ if ( lt->lt_ciphersuite ) {
+ if ( tlsm_parse_ciphers( ctx, lt->lt_ciphersuite ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not set cipher list %s.\n",
+ lt->lt_ciphersuite, 0, 0 );
+ return -1;
+ }
} else if ( tlsm_parse_ciphers( ctx, "DEFAULT" ) ) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list DEFAULT.\n",
--
1.7.10.4


@ -1,47 +0,0 @@
MozNSS: ignore certdb database type prefix when checking existence of the directory
If the certdb is specified including the database type prefix (e.g.
sql:, dbm:), the prefix has to be ignored when checking the
certificate directory existence.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7388
Resolves: #857373
---
libraries/libldap/tls_m.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 49a3f8f..5ee21a2 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
{
char sep = PR_GetDirectorySeparator();
char *ptr = NULL;
+ char *chkpath = NULL;
struct PRFileInfo prfi;
PRStatus prc;
@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix )
return;
}
- prc = PR_GetFileInfo( certdir, &prfi );
+ /* ignore database type prefix (e.g. sql:, dbm:) if provided */
+ chkpath = strchr( certdir, ':' );
+ if ( chkpath != NULL ) {
+ chkpath += 1;
+ } else {
+ chkpath = certdir;
+ }
+
/* if certdir exists (file or directory) then it cannot specify a prefix */
+ prc = PR_GetFileInfo( chkpath, &prfi );
if ( prc == PR_SUCCESS ) {
return;
}
--
1.7.11.7

File diff suppressed because it is too large Load Diff


@ -1,23 +0,0 @@
Resolves: #929357
Upstream commit: 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec
Author: Rich Megginson <rmeggins@redhat.com>
Date: Thu, 28 Mar 2013 19:05:02 -0600
Modified by: Jan Synacek <jsynacek@redhat.com>
This patch has been re-diffed so it clearly applies to OpenLDAP 2.4.39.
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 072d41d..c59d303 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2151,6 +2151,8 @@
"TLS: could not close certdb slot - error %d:%s.\n",
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
}
+ PK11_FreeSlot( c->tc_certdb_slot );
+ c->tc_certdb_slot = NULL;
}
if ( c->tc_pin_file ) {
PL_strfree( c->tc_pin_file );


@ -1,71 +0,0 @@
Implement new API for setting TLS protocol version.
The code being deleted has been misplaced and it's effect has been
mangled by a code later on. This patch puts the code at the correct
place and introduces some more logging and error checking.
Author: Matus Honek <mhonek@redhat.com>
RHBZ: #1375432
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2421,6 +2411,58 @@ tlsm_deferred_ctx_init( void *arg )
0, 0, 0 );
return -1;
}
+ if ( lt->lt_protocol_min >= LDAP_OPT_X_TLS_PROTOCOL_SSL3 ) {
+ SSLVersionRange supported_range, default_range, selected_range;
+ if ( SECSuccess != SSL_VersionRangeGetSupported(ssl_variant_stream, &supported_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL supported version range (SSL_VersionRangeGetSupported).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL supported protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetSupported).\n",
+ supported_range.min, supported_range.max, 0);
+ }
+ if ( SECSuccess != SSL_VersionRangeGetDefault(ssl_variant_stream, &default_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get SSL default protocol version range (SSL_VersionRangeGetDefault).\n",
+ 0, 0, 0 );
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL default protocol version range is (%#04x, %#04x) (SSL_VersionRangeGetDefault).\n",
+ default_range.min, default_range.max, 0);
+ }
+ selected_range.min = lt->lt_protocol_min;
+ selected_range.max = default_range.max;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: TLS configured protocol minimal version is %#04x, the maximal version (the NSS default) is %#04x.\n",
+ selected_range.min, selected_range.max, 0);
+ if ( (selected_range.min > supported_range.max) ||
+ (selected_range.max < supported_range.min) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: selected protocol version range out of NSS-supported version range.\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ if ( SECSuccess != SSL_VersionRangeSet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not set protocol version range (SSL_VersionRangeSet).\n",
+ 0, 0, 0);
+ return -1;
+ }
+ if ( SECSuccess != SSL_VersionRangeGet(ctx->tc_model, &selected_range) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: could not get protocol version range (SSL_VersionRangeGet).\n",
+ 0, 0, 0);
+ return -1;
+ } else {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: info: SSL set protocol version range is (%#04x, %#04x) (SSL_VersionRangeGet).\n",
+ selected_range.min, selected_range.max, 0);
+ }
+ }
+ }
if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !ctx->tc_is_server ) ) {
Debug( LDAP_DEBUG_ANY,


@ -1,91 +0,0 @@
MozNSS: better file name matching for hashed CA certificate directory
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name
should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used
to differentiate between two certificates with the same subject name.
Wit this patch, certificate file names are matched correctly (using regular expressions).
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7374
Resolves: #852786
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 5e49fc5..61d71d4 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -38,6 +38,7 @@
#include <ac/unistd.h>
#include <ac/param.h>
#include <ac/dirent.h>
+#include <ac/regex.h>
#include "ldap-int.h"
#include "ldap-tls.h"
@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods;
#define PEM_LIBRARY "nsspem"
#define PEM_MODULE "PEM"
-/* hash files for use with cacertdir have this file name suffix */
-#define PEM_CA_HASH_FILE_SUFFIX ".0"
-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2
+#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$"
static SECMODModule *pem_module;
@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
PRDir *dir;
PRDirEntry *entry;
PRStatus fistatus = PR_FAILURE;
+ regex_t hashfile_re;
memset( &fi, 0, sizeof(fi) );
fistatus = PR_GetFileInfo( cacertdir, &fi );
@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
goto done;
}
+ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 );
+ goto done;
+ }
+
do {
entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN );
if ( ( NULL != entry ) && ( NULL != entry->name ) ) {
char *fullpath = NULL;
- char *ptr;
+ int match;
- ptr = PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX );
- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) {
+ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 );
+ if ( match == REG_NOMATCH ) {
Debug( LDAP_DEBUG_TRACE,
- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate "
- "directory file with a properly hashed file name - skipping.\n",
- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 );
+ "TLS: skipping '%s' - filename does not have expected format "
+ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 );
+ continue;
+ } else if ( match != 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: cannot execute regex for CA hash file matching (%d).\n",
+ match, 0, 0 );
continue;
}
+
fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name );
if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) {
Debug( LDAP_DEBUG_TRACE,
@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
PR_smprintf_free( fullpath );
}
} while ( NULL != entry );
+ regfree ( &hashfile_re );
PR_CloseDir( dir );
}
done:
--
1.7.11.4


@ -1,92 +0,0 @@
TLS: do not reuse tls_session if hostname check fails
If multiple servers are specified, the connection to the first one succeeds, and the hostname verification fails,
*tls_session is not dropped, but reused when connecting to the second server.
This is a problem with Mozilla NSS backend because another handshake cannot be performed on the same file descriptor.
From this reason, hostname checking was moved into ldap_int_tls_connect() before connection error handling.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7373
Resolves: #852476
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 10b993b..a3cd590 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -320,7 +320,7 @@ update_flags( Sockbuf *sb, tls_session * ssl, int rc )
*/
static int
-ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
+ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
{
Sockbuf *sb = conn->lconn_sb;
int err;
@@ -365,6 +365,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
errno = WSAGetLastError();
#endif
+ if ( err == 0 ) {
+ err = ldap_pvt_tls_check_hostname( ld, ssl, host );
+ }
+
if ( err < 0 )
{
char buf[256], *msg;
@@ -495,7 +499,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
{
tls_session *session = s;
- return tls_imp->ti_session_chkhost( ld, session, name_in );
+ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
+ ld->ld_errno = tls_imp->ti_session_chkhost( ld, session, name_in );
+ if (ld->ld_errno != LDAP_SUCCESS) {
+ return ld->ld_errno;
+ }
+ }
+
+ return LDAP_SUCCESS;
}
int
@@ -857,7 +869,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
#endif /* LDAP_USE_NON_BLOCKING_TLS */
ld->ld_errno = LDAP_SUCCESS;
- ret = ldap_int_tls_connect( ld, conn );
+ ret = ldap_int_tls_connect( ld, conn, host );
#ifdef LDAP_USE_NON_BLOCKING_TLS
while ( ret > 0 ) { /* this should only happen for non-blocking io */
@@ -878,7 +890,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
} else {
/* ldap_int_poll called ldap_pvt_ndelay_off */
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
- ret = ldap_int_tls_connect( ld, conn );
+ ret = ldap_int_tls_connect( ld, conn, host );
if ( ret > 0 ) { /* need to call tls_connect once more */
struct timeval curr_time_tv, delta_tv;
@@ -935,20 +947,6 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
return (ld->ld_errno);
}
- ssl = ldap_pvt_tls_sb_ctx( sb );
- assert( ssl != NULL );
-
- /*
- * compare host with name(s) in certificate
- */
- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
- ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
- ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
- if (ld->ld_errno != LDAP_SUCCESS) {
- return ld->ld_errno;
- }
- }
-
return LDAP_SUCCESS;
}

1776
openldap-tlsmc.patch Normal file

File diff suppressed because it is too large Load Diff


@ -5,7 +5,7 @@
Name: openldap
Version: 2.4.45
Release: 3%{?dist}
Release: 4%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@ -27,12 +27,6 @@ Patch1: openldap-sql-linking.patch
Patch2: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ai-addrconfig.patch
# nss patches, unlikely to ever get upstreamed
Patch12: openldap-tls-no-reuse-of-tls_session.patch
Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch
Patch14: openldap-nss-ignore-certdb-type-prefix.patch
Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch
Patch16: openldap-nss-pk11-freeslot.patch
Patch17: openldap-allop-overlay.patch
# fix back_perl problems with lt_dlopen()
@ -42,24 +36,16 @@ Patch17: openldap-allop-overlay.patch
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch
Patch22: openldap-nss-protocol-version-new-api.patch
Patch50: openldap-nss-cipher-attributes.patch
Patch51: openldap-nss-ciphers-parsing.patch
Patch52: openldap-nss-ciphers-use-nss-defaults.patch
Patch53: openldap-nss-ciphers-definitions.patch
# check-password module specific patches
Patch90: check-password-makefile.patch
Patch91: check-password.patch
# Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch
# MozNSS compatibility layer
Patch100: openldap-tlsmc.patch
BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: cyrus-sasl-devel, nss-devel, openssl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
# smbk5pwd overlay:
BuildRequires: openssl-devel
Recommends: nss-tools
%description
@ -126,13 +112,12 @@ programs needed for accessing and modifying OpenLDAP directories.
pushd openldap-%{version}
# use pkg-config for Mozilla NSS library
%patch100 -p1
# alternative include paths for Mozilla NSS
ln -s %{_includedir}/nss3 include/nss
ln -s %{_includedir}/nspr4 include/nspr
%patch100 -p1
AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch0 -p1
@ -140,20 +125,9 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch2 -p1
%patch3 -p1
%patch5 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch19 -p1
%patch20 -p1
%patch22 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -219,11 +193,12 @@ pushd openldap-%{version}
\
--disable-static \
\
--enable-moznss-compatibility=yes \
\
--with-cyrus-sasl \
--without-fetch \
--with-threads \
--with-pic \
--with-tls=moznss \
--with-gnu-ld \
\
--libexecdir=%{_libdir}
@ -546,6 +521,9 @@ exit 0
%{_mandir}/man3/*
%changelog
* Fri Nov 3 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-4
- Build with OpenSSL with MozNSS compatibility layer (#1400570)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
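Review bot: The configure call in the `@ -219,11 +193,12 @` hunk no longer pins a TLS backend: going by the hunk's line counts, `--with-tls=moznss \` is the removed line and `--enable-moznss-compatibility=yes \` the added one, which leaves backend selection to configure's auto-detection. Since `nss-devel` stays in `BuildRequires` next to `openssl-devel`, a build root where the OpenSSL probe fails could presumably still yield a package linked against a different backend without the build failing. I would add `--with-tls=openssl \` beside the compatibility switch so that case aborts the build instead. The `+`/`-` markers are lost in this rendering, so the old/new assignment above is inferred from the counts rather than read off the page.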