summaryrefslogtreecommitdiff
path: root/databases
diff options
context:
space:
mode:
authoradam <adam>2017-06-02 08:29:56 +0000
committeradam <adam>2017-06-02 08:29:56 +0000
commit614d11137a5a654570c70ffe9e914d94bcf02693 (patch)
tree9d8208e7fcb33259256b4b9ab978eb3b3fcf24c5 /databases
parentb60f1b36e5abfc4109ee065f877fd9ff5e55e03e (diff)
downloadpkgsrc-614d11137a5a654570c70ffe9e914d94bcf02693.tar.gz
OpenLDAP 2.4.45 Release (2017/06/01)
Added slapd support for OpenSSL 1.1.0 series (ITS-8353, ITS-8533, ITS-8634) Fixed libldap to fail ldap_result if the handle is already bad (ITS-8585) Fixed libldap to expose error if user specified CA doesn't exist (ITS-8529) Fixed libldap handling of Diffie-Hellman parameters (ITS-7506) Fixed libldap GnuTLS use after free (ITS-8385) Fixed libldap SASL initialization (ITS-8648) Fixed slapd bconfig rDN escape handling (ITS-8574) Fixed slapd segfault with invalid hostname (ITS-8631) Fixed slapd sasl SEGV rebind in same session (ITS-8568) Fixed slapd syncrepl filter handling (ITS-8413) Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS-8432) Fixed slapd callback struct so older modules without writewait should function. Custom modules may need to be updated for sc_writewait callback (ITS-8435) Fixed slapd-ldap/meta broken LDAP_TAILQ macro (ITS-8576) Fixed slapd-mdb so it passes ITS6794 regression test (ITS-6794) Fixed slapd-mdb double free with size zero paged result (ITS-8655) Fixed slapd-meta uninitialized diagnostic message (ITS-8442) Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS-8423) Fixed slapo-accesslog with multiple modifications to the same attribute (ITS-6545) Fixed slapo-relay to correctly initialize sc_writewait (ITS-8428) Fixed slapo-sssvlv double free (ITS-8592) Fixed slapo-unique with empty modifications (ITS-8266) Build Environment Added test065 for proxyauthz (ITS-8571) Fix test008 to be portable (ITS-8414) Fix test064 to wait for slapd to start (ITS-8644) Fix its4336 regression test (ITS-8534) Fix its4337 regression test (ITS-8535) Fix regression tests to execute on all backends (ITS-8539) Contrib Added slapo-autogroup(5) man page (ITS-8569) Added passwd missing conversion scripts for apr1 (ITS-6826) Fixed contrib modules where the writewait callback was not correctly initialized (ITS-8435) Fixed smbk5pwd to build with newer OpenSSL releases (ITS-8525) Documentation admin24 fixed tls_cipher_suite bindconf option (ITS-8099) admin24 fixed typo cn=config to be slapd.d (ITS-8449) admin24 fixed slapo-syncprov information to be curent (ITS-8253) admin24 fixed typo in access control docs (ITS-7341, ITS-8391) admin24 fixed minor typo in tuning guide (ITS-8499) admin24 fixed information about the limits option (ITS-7700) admin24 fixed missing options for syncrepl configuration (ITS-7700) admin24 fixed accesslog documentation to note it should not be replicated (ITS-8344) Fixed ldap.conf(5) missing information on SASL_NOCANON option (ITS-7177) Fixed ldapsearch(1) information on the V[V] flag behavior (ITS-7177, ITS-6339) Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS-8538) Fixed slapd-config(5), slapd.conf(5) clarify serverID requirements (ITS-8635) Fixed slapd-config(5), slapd.conf(5) clarification on loglevel settings (ITS-8123) Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS-8565) Fixed slapo-memberof(5) to note it is not safe to use with replication (ITS-8613) Fixed slapo-syncprov(5) documentation to be current (ITS-8253) Fixed slapadd(8) manpage to note slapd-mdb (ITS-8215) Fixed various minor grammar issues in the man pages (ITS-8544) Fixed various typos (ITS-8587)
Diffstat (limited to 'databases')
-rw-r--r--databases/openldap-client/Makefile3
-rw-r--r--databases/openldap-cloak/Makefile3
-rw-r--r--databases/openldap-doc/distinfo10
-rw-r--r--databases/openldap-nops/Makefile3
-rw-r--r--databases/openldap-server/Makefile3
-rw-r--r--databases/openldap-smbk5pwd/Makefile4
-rw-r--r--databases/openldap/Makefile3
-rw-r--r--databases/openldap/Makefile.version4
-rw-r--r--databases/openldap/distinfo17
-rw-r--r--databases/openldap/patches/patch-ag18
-rw-r--r--databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c54
-rw-r--r--databases/openldap/patches/patch-its7506222
-rw-r--r--databases/openldap/patches/patch-its759578
-rw-r--r--databases/openldap/patches/patch-libraries_liblmdb_mdb.c39
14 files changed, 58 insertions, 403 deletions
diff --git a/databases/openldap-client/Makefile b/databases/openldap-client/Makefile
index 86ba85c6ebb..1cf5cdaa984 100644
--- a/databases/openldap-client/Makefile
+++ b/databases/openldap-client/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.25 2016/12/13 10:38:06 he Exp $
+# $NetBSD: Makefile,v 1.26 2017/06/02 08:29:56 adam Exp $
PKGNAME= ${DISTNAME:S/-/-client-/}
-PKGREVISION= 3
COMMENT= Lightweight Directory Access Protocol libraries and client programs
CONFLICTS+= openldap<2.3.23nb1
diff --git a/databases/openldap-cloak/Makefile b/databases/openldap-cloak/Makefile
index bbb99a6fa47..a16c52443c4 100644
--- a/databases/openldap-cloak/Makefile
+++ b/databases/openldap-cloak/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.16 2016/03/05 11:28:12 jperkin Exp $
+# $NetBSD: Makefile,v 1.17 2017/06/02 08:29:56 adam Exp $
PKGNAME= ${DISTNAME:S/-/-cloak-/}
-PKGREVISION= 1
COMMENT= Hide specific attributes unless explicitely requested for OpenLDAP
CONFLICTS+= openldap<2.3.23nb1
diff --git a/databases/openldap-doc/distinfo b/databases/openldap-doc/distinfo
index 8a7c40911da..bd05f2d546a 100644
--- a/databases/openldap-doc/distinfo
+++ b/databases/openldap-doc/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.16 2016/02/07 08:42:59 adam Exp $
+$NetBSD: distinfo,v 1.17 2017/06/02 08:29:57 adam Exp $
-SHA1 (openldap-2.4.44.tgz) = 016a738d050a68d388602a74b5e991035cdba149
-RMD160 (openldap-2.4.44.tgz) = 6ea3139f630e93c6e0af60638672d88d6c535a6a
-SHA512 (openldap-2.4.44.tgz) = 132eb81798f59a364c9246d08697e1c7ebb6c2c3b983f786b14ec0233df09696cbad33a1f35f3076348b5efb77665a076ab854a24122c31e8b58310b7c7fd136
-Size (openldap-2.4.44.tgz) = 5658830 bytes
+SHA1 (openldap-2.4.45.tgz) = c98437385d3eaee80c9e2c09f3f0d4b7c140233d
+RMD160 (openldap-2.4.45.tgz) = a2f4483ffb958cc103a2aa0fb13c1f78e7951263
+SHA512 (openldap-2.4.45.tgz) = 1c9fc84efed8998f107ce6e1c6be3f5466388241afdca0cb3847720c9def0bc263a2dbc15bf0f9112d1b4c391fd01e8531a4fb08c5532c30fb86924c08daedab
+Size (openldap-2.4.45.tgz) = 5672845 bytes
diff --git a/databases/openldap-nops/Makefile b/databases/openldap-nops/Makefile
index 0527eeb8ccc..c03c7dd21f7 100644
--- a/databases/openldap-nops/Makefile
+++ b/databases/openldap-nops/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.19 2016/03/05 11:28:12 jperkin Exp $
+# $NetBSD: Makefile,v 1.20 2017/06/02 08:29:57 adam Exp $
PKGNAME= ${DISTNAME:S/-/-nops-/}
-PKGREVISION= 1
COMMENT= Remove null-ops for OpenLDAP
CONFLICTS+= openldap<2.3.23nb1
diff --git a/databases/openldap-server/Makefile b/databases/openldap-server/Makefile
index c29d4cbbf20..a3048695045 100644
--- a/databases/openldap-server/Makefile
+++ b/databases/openldap-server/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.50 2016/12/13 10:38:06 he Exp $
+# $NetBSD: Makefile,v 1.51 2017/06/02 08:29:57 adam Exp $
PKGNAME= ${DISTNAME:S/-/-server-/}
-PKGREVISION= 4
COMMENT= Lightweight Directory Access Protocol server suite
CONFLICTS+= openldap<2.3.23nb1
diff --git a/databases/openldap-smbk5pwd/Makefile b/databases/openldap-smbk5pwd/Makefile
index e74cc6e2486..7cf30f3c30a 100644
--- a/databases/openldap-smbk5pwd/Makefile
+++ b/databases/openldap-smbk5pwd/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.22 2016/12/12 14:22:02 wiz Exp $
+# $NetBSD: Makefile,v 1.23 2017/06/02 08:29:57 adam Exp $
PKGNAME= ${DISTNAME:S/-/-smbk5pwd-/}
-PKGREVISION= 2
COMMENT= Samba and Kerberos password sync for OpenLDAP
CONFLICTS+= openldap<2.3.23nb1
@@ -30,6 +29,7 @@ LIBS+= -lkrb5 -lkadm5srv
CPPFLAGS+= -DDO_SAMBA
.endif
+LIBS+= -L${BUILDLINK_PREFIX.openssl}/lib
MAKE_ENV+= EXTRA_LIBS=${LIBS:M*:Q}
.include "../../databases/openldap/Makefile.common"
diff --git a/databases/openldap/Makefile b/databases/openldap/Makefile
index ad6027ecd5d..d34e0d7da76 100644
--- a/databases/openldap/Makefile
+++ b/databases/openldap/Makefile
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.146 2016/12/13 10:38:06 he Exp $
+# $NetBSD: Makefile,v 1.147 2017/06/02 08:29:56 adam Exp $
-PKGREVISION= 2
.include "../../databases/openldap/Makefile.version"
DISTNAME= openldap-${OPENLDAP_VERSION}
diff --git a/databases/openldap/Makefile.version b/databases/openldap/Makefile.version
index 6adfb9acd5c..1cbccff0736 100644
--- a/databases/openldap/Makefile.version
+++ b/databases/openldap/Makefile.version
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile.version,v 1.13 2016/02/07 08:42:59 adam Exp $
+# $NetBSD: Makefile.version,v 1.14 2017/06/02 08:29:56 adam Exp $
# used by databases/openldap/Makefile
# used by databases/openldap/Makefile.common
# used by databases/openldap-docs/Makefile
-OPENLDAP_VERSION= 2.4.44
+OPENLDAP_VERSION= 2.4.45
diff --git a/databases/openldap/distinfo b/databases/openldap/distinfo
index 9c98acd8e7b..533c6a78e8a 100644
--- a/databases/openldap/distinfo
+++ b/databases/openldap/distinfo
@@ -1,26 +1,23 @@
-$NetBSD: distinfo,v 1.108 2016/12/13 10:38:06 he Exp $
+$NetBSD: distinfo,v 1.109 2017/06/02 08:29:56 adam Exp $
-SHA1 (openldap-2.4.44.tgz) = 016a738d050a68d388602a74b5e991035cdba149
-RMD160 (openldap-2.4.44.tgz) = 6ea3139f630e93c6e0af60638672d88d6c535a6a
-SHA512 (openldap-2.4.44.tgz) = 132eb81798f59a364c9246d08697e1c7ebb6c2c3b983f786b14ec0233df09696cbad33a1f35f3076348b5efb77665a076ab854a24122c31e8b58310b7c7fd136
-Size (openldap-2.4.44.tgz) = 5658830 bytes
+SHA1 (openldap-2.4.45.tgz) = c98437385d3eaee80c9e2c09f3f0d4b7c140233d
+RMD160 (openldap-2.4.45.tgz) = a2f4483ffb958cc103a2aa0fb13c1f78e7951263
+SHA512 (openldap-2.4.45.tgz) = 1c9fc84efed8998f107ce6e1c6be3f5466388241afdca0cb3847720c9def0bc263a2dbc15bf0f9112d1b4c391fd01e8531a4fb08c5532c30fb86924c08daedab
+Size (openldap-2.4.45.tgz) = 5672845 bytes
SHA1 (patch-ac) = 2995c518278b363bf9657e181c2340d3024d5980
SHA1 (patch-ad) = 24e7ec27d592dd76bdec1e4805801c5304951daf
SHA1 (patch-af) = 2e00b01bd813e73bdc1fb764a02e98d7755703de
-SHA1 (patch-ag) = ec8581f7145ba47712be65f97051ffd2d7299896
+SHA1 (patch-ag) = 380336d8b50dd6b3a277f2ea6a03eb88cc5919b8
SHA1 (patch-ah) = 7b5a9d042df36f17bcb503372e301a0c6554af68
SHA1 (patch-aj) = 857bbf14855d7d2a2911457bc6373d8beb69b751
SHA1 (patch-am) = fb8f3e7699f8b2ef55c066cdc6216522c101c7f3
SHA1 (patch-an) = 3e904d05a3e69930259329ca821d3bbf7dd54eb2
SHA1 (patch-ao) = 4fcbbfd4d6be792392e3646123022aeaf25923e3
-SHA1 (patch-contrib_modules_smbk5pwd-smbk5pwd.c) = c31fc75f94778c93dfb20e7b7fc6ab8c74212942
SHA1 (patch-contrib_slapd-modules_cloak_Makefile) = 47c81def0c013a360acb549ed69e9042f0bc1be3
SHA1 (patch-contrib_slapd-modules_nops_Makefile) = c51bccf34c3f3112232a134038622d31b6315628
SHA1 (patch-contrib_slapd-modules_nops_slapo-nops.5) = f32352f19361b7e9aa5b038ae8578def7c08fa47
SHA1 (patch-da) = 75e26bd08c6e66b69192ebfbb36db974d391ec3e
SHA1 (patch-dd) = 9c74118ff0b2232bda729c9917082fceef41dd16
-SHA1 (patch-its7506) = a50f9428d6d7dd28f71d21e11ae3f8b0f1372f75
-SHA1 (patch-its7595) = 9ea396adb7f2fd572d60190534caa80a01ef79d2
+SHA1 (patch-its7595) = 941b055bb5ac1f963b9d39384d3627a32f531cf1
SHA1 (patch-libraries_libldap_os-local.c) = 7cd4f8638456fae12499de0d36d7802e47d3d688
SHA1 (patch-libraries_libldap_tls__m.c) = 91dab1dcfa6560c30093094586ea9eabf2e977b8
-SHA1 (patch-libraries_liblmdb_mdb.c) = 590a059d784687f678ac44a577770551b11a2be5
diff --git a/databases/openldap/patches/patch-ag b/databases/openldap/patches/patch-ag
index 08cf76f1b7a..a2cabc6eabc 100644
--- a/databases/openldap/patches/patch-ag
+++ b/databases/openldap/patches/patch-ag
@@ -1,6 +1,9 @@
-$NetBSD: patch-ag,v 1.7 2012/03/13 19:57:11 adam Exp $
+$NetBSD: patch-ag,v 1.8 2017/06/02 08:29:56 adam Exp $
---- servers/slapd/Makefile.in.orig 2007-02-14 16:59:43.000000000 +0100
+slapd must be installed unstripped: on some platorms (Darwin) tcp_wrappers'
+ variable called "allow_severity" must not be stripped away.
+
+--- servers/slapd/Makefile.in.orig 2016-02-05 23:57:45.000000000 +0000
+++ servers/slapd/Makefile.in
@@ -76,6 +76,10 @@ XLIBS = $(SLAPD_STATIC_DEPENDS) $(SLAPD_
XXLIBS = $(SLAPD_LIBS) $(SECURITY_LIBS) $(LUTIL_LIBS)
@@ -13,7 +16,16 @@ $NetBSD: patch-ag,v 1.7 2012/03/13 19:57:11 adam Exp $
BUILD_OPT = "--enable-slapd"
BUILD_SRV = @BUILD_SLAPD@
-@@ -441,9 +445,7 @@ install-db-config: FORCE
+@@ -378,7 +382,7 @@ install-local-srv: install-slapd install
+ install-slapd: FORCE
+ -$(MKDIR) $(DESTDIR)$(libexecdir)
+ -$(MKDIR) $(DESTDIR)$(localstatedir)/run
+- $(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \
++ $(LTINSTALL) $(INSTALLFLAGS) -m 755 \
+ slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
+ @for i in $(SUBDIRS); do \
+ if test -d $$i && test -f $$i/Makefile ; then \
+@@ -447,9 +451,7 @@ install-db-config: FORCE
@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
diff --git a/databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c b/databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c
deleted file mode 100644
index 2e7f48928df..00000000000
--- a/databases/openldap/patches/patch-contrib_modules_smbk5pwd-smbk5pwd.c
+++ /dev/null
@@ -1,54 +0,0 @@
-$NetBSD: patch-contrib_modules_smbk5pwd-smbk5pwd.c,v 1.1 2016/10/30 05:04:09 manu Exp $
-
-Submitted upstream as ITS#8525
-http://www.openldap.org/its/index.cgi/Incoming?id=8525
-
-From 1aad89bbdd1f58f3b2d794067cc8c4a60876f584 Mon Sep 17 00:00:00 2001
-From: Emmanuel Dreyfus <manu@netbsd.org>
-Date: Sun, 30 Oct 2016 05:34:58 +0100
-Subject: [PATCH] Use newer DES API so that smbk5pwd loads with newer OpenSSL
-
-OpenSSL removed old DES API which used des_* functions.
-https://github.com/openssl/openssl/commit/24956ca00f014a917fb181a8abc39b349f3f316f
-
-In order to link with libcrypto from recent OpenSSL releases, we need
-to replace the older API des_* functions by the newer API DES_* functions.
-
-Signed-off-by: Emmanuel Dreyfus <manu@netbsd.org>
----
- contrib/slapd-modules/smbk5pwd/smbk5pwd.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git contrib/slapd-modules/smbk5pwd/smbk5pwd.c contrib/slapd-modules/smbk5pwd/smbk5pwd.c
-index bec5e1b..97e0055 100644
---- contrib/slapd-modules/smbk5pwd/smbk5pwd.c
-+++ contrib/slapd-modules/smbk5pwd/smbk5pwd.c
-@@ -154,7 +154,7 @@ static void lmPasswd_to_key(
- k[7] = ((lpw[6]&0x7F)<<1);
-
- #ifdef HAVE_OPENSSL
-- des_set_odd_parity( key );
-+ DES_set_odd_parity( key );
- #endif
- }
-
-@@ -210,12 +210,12 @@ static void lmhash(
- des_set_key( &ctx, key );
- des_encrypt( &ctx, sizeof(key), hbuf[1], StdText );
- #elif defined(HAVE_OPENSSL)
-- des_set_key_unchecked( &key, schedule );
-- des_ecb_encrypt( &StdText, &hbuf[0], schedule , DES_ENCRYPT );
-+ DES_set_key_unchecked( &key, &schedule );
-+ DES_ecb_encrypt( &StdText, &hbuf[0], &schedule , DES_ENCRYPT );
-
- lmPasswd_to_key( &UcasePassword[7], &key );
-- des_set_key_unchecked( &key, schedule );
-- des_ecb_encrypt( &StdText, &hbuf[1], schedule , DES_ENCRYPT );
-+ DES_set_key_unchecked( &key, &schedule );
-+ DES_ecb_encrypt( &StdText, &hbuf[1], &schedule , DES_ENCRYPT );
- #endif
-
- hexify( (char *)hbuf, hash );
---
-2.3.2
-
diff --git a/databases/openldap/patches/patch-its7506 b/databases/openldap/patches/patch-its7506
deleted file mode 100644
index aad3ba86b60..00000000000
--- a/databases/openldap/patches/patch-its7506
+++ /dev/null
@@ -1,222 +0,0 @@
-$NetBSD: patch-its7506,v 1.1 2015/07/15 16:33:57 manu Exp $
-
-Upstream fix for ignored TLSDHParamFile option
-
-From 6f120920d359d3b880c5c56bde4c1b91c3bedb01 Mon Sep 17 00:00:00 2001
-From: Ben Jencks <ben@bjencks.net>
-Date: Sun, 27 Jan 2013 18:27:03 -0500
-Subject: [PATCH] ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage.
-
-If a DHParamFile or olcDHParamFile is specified, then it will be used,
-otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
-larger parameters; previously only 512 or 1024 bit parameters would ever be
-used.
-
-From cfeb28412c28ce9feeea6e6c055286f201bd0a34 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Sat, 7 Sep 2013 06:39:53 -0700
-Subject: [PATCH] ITS#7506 fix prev commit
-
-The patch unconditionally enabled DHparams, which is a significant
-change of behavior. Reverting to previous behavior, which only enables
-DH use if a DHparam file was configured.
-
---- libraries/libldap/tls_o.c.orig 2015-07-15 18:14:17.000000000 +0200
-+++ libraries/libldap/tls_o.c 2015-07-15 18:14:41.000000000 +0200
-@@ -58,26 +58,15 @@
- static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
- static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
- static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
-
--static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length );
--
--typedef struct dhplist {
-- struct dhplist *next;
-- int keylength;
-- DH *param;
--} dhplist;
--
--static dhplist *tlso_dhparams;
--
- static int tlso_seed_PRNG( const char *randfile );
-
- #ifdef LDAP_R_COMPILE
- /*
- * provide mutexes for the OpenSSL library.
- */
- static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS];
--static ldap_pvt_thread_mutex_t tlso_dh_mutex;
-
- static void tlso_locking_cb( int mode, int type, const char *file, int line )
- {
- if ( mode & CRYPTO_LOCK ) {
-@@ -106,9 +95,8 @@
-
- for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) {
- ldap_pvt_thread_mutex_init( &tlso_mutexes[i] );
- }
-- ldap_pvt_thread_mutex_init( &tlso_dh_mutex );
- CRYPTO_set_locking_callback( tlso_locking_cb );
- CRYPTO_set_id_callback( tlso_thread_self );
- }
- #endif /* LDAP_R_COMPILE */
-@@ -310,27 +298,27 @@
-
- if ( lo->ldo_tls_dhfile ) {
- DH *dh = NULL;
- BIO *bio;
-- dhplist *p;
-+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
-
- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not use DH parameters file `%s'.\n",
- lo->ldo_tls_dhfile,0,0);
- tlso_report_error();
- return -1;
- }
-- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
-- p = LDAP_MALLOC( sizeof(dhplist) );
-- if ( p != NULL ) {
-- p->keylength = DH_size( dh ) * 8;
-- p->param = dh;
-- p->next = tlso_dhparams;
-- tlso_dhparams = p;
-- }
-+ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: could not read DH parameters file `%s'.\n",
-+ lo->ldo_tls_dhfile,0,0);
-+ tlso_report_error();
-+ BIO_free( bio );
-+ return -1;
- }
- BIO_free( bio );
-+ SSL_CTX_set_tmp_dh( ctx, dh );
- }
-
- if ( tlso_opt_trace ) {
- SSL_CTX_set_info_callback( ctx, tlso_info_cb );
-@@ -348,11 +336,8 @@
- SSL_CTX_set_verify( ctx, i,
- lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ?
- tlso_verify_ok : tlso_verify_cb );
- SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
-- if ( lo->ldo_tls_dhfile ) {
-- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb );
-- }
- #ifdef HAVE_OPENSSL_CRL
- if ( lo->ldo_tls_crlcheck ) {
- X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
- if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
-@@ -1159,110 +1144,8 @@
-
- return 0;
- }
-
--struct dhinfo {
-- int keylength;
-- const char *pem;
-- size_t size;
--};
--
--
--/* From the OpenSSL 0.9.7 distro */
--static const char tlso_dhpem512[] =
--"-----BEGIN DH PARAMETERS-----\n\
--MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\
--a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\
-------END DH PARAMETERS-----\n";
--
--static const char tlso_dhpem1024[] =
--"-----BEGIN DH PARAMETERS-----\n\
--MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
--/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
--/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
-------END DH PARAMETERS-----\n";
--
--static const char tlso_dhpem2048[] =
--"-----BEGIN DH PARAMETERS-----\n\
--MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\
--AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\
--z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\
--pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\
--aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\
--Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\
-------END DH PARAMETERS-----\n";
--
--static const char tlso_dhpem4096[] =
--"-----BEGIN DH PARAMETERS-----\n\
--MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\
--vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\
--TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\
--bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\
--rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\
--EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\
--bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\
--W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\
--ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\
--NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\
--jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\
-------END DH PARAMETERS-----\n";
--
--static const struct dhinfo tlso_dhpem[] = {
-- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
-- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
-- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
-- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
-- { 0, NULL, 0 }
--};
--
--static DH *
--tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
--{
-- struct dhplist *p = NULL;
-- BIO *b = NULL;
-- DH *dh = NULL;
-- int i;
--
-- /* Do we have params of this length already? */
-- LDAP_MUTEX_LOCK( &tlso_dh_mutex );
-- for ( p = tlso_dhparams; p; p=p->next ) {
-- if ( p->keylength == key_length ) {
-- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
-- return p->param;
-- }
-- }
--
-- /* No - check for hardcoded params */
--
-- for (i=0; tlso_dhpem[i].keylength; i++) {
-- if ( tlso_dhpem[i].keylength == key_length ) {
-- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size );
-- break;
-- }
-- }
--
-- if ( b ) {
-- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL );
-- BIO_free( b );
-- }
--
-- /* Generating on the fly is expensive/slow... */
-- if ( !dh ) {
-- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL );
-- }
-- if ( dh ) {
-- p = LDAP_MALLOC( sizeof(struct dhplist) );
-- if ( p != NULL ) {
-- p->keylength = key_length;
-- p->param = dh;
-- p->next = tlso_dhparams;
-- tlso_dhparams = p;
-- }
-- }
--
-- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
-- return dh;
--}
-
- tls_impl ldap_int_tls_impl = {
- "OpenSSL",
-
diff --git a/databases/openldap/patches/patch-its7595 b/databases/openldap/patches/patch-its7595
index 69e7a7eb2f2..90f5e4b7ff3 100644
--- a/databases/openldap/patches/patch-its7595
+++ b/databases/openldap/patches/patch-its7595
@@ -1,4 +1,4 @@
-$NetBSD: patch-its7595,v 1.1 2015/09/14 16:32:26 manu Exp $
+$NetBSD: patch-its7595,v 1.2 2017/06/02 08:29:56 adam Exp $
ECDH support from upstream
@@ -19,10 +19,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
--- doc/guide/admin/tls.sdf.orig
+++ doc/guide/admin/tls.sdf
-@@ -200,8 +200,20 @@
- > openssl dhparam [-dsaparam] -out <filename> <numbits>
+@@ -203,6 +203,18 @@
- This directive is ignored with GnuTLS and Mozilla NSS.
+ This directive is ignored with Mozilla NSS.
+H4: TLSECName <name>
+
@@ -39,12 +38,10 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
H4: TLSVerifyClient { never | allow | try | demand }
This directive specifies what checks to perform on client certificates
- in an incoming TLS session, if any. This option is set to {{EX:never}}
--- doc/man/man5/slapd-config.5.orig
+++ doc/man/man5/slapd-config.5
-@@ -917,8 +917,15 @@
- from the default, otherwise no certificate exchanges or verification will
- be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly
+@@ -922,6 +922,13 @@
+ When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B olcTLSECName: <name>
@@ -57,13 +54,11 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
- the SSL handshake will fail.
--- doc/man/man5/slapd.conf.5.orig
+++ doc/man/man5/slapd.conf.5
-@@ -1148,8 +1148,15 @@
- from the default, otherwise no certificate exchanges or verification will
- be done. When using GnuTLS these parameters are always generated randomly so
- this directive is ignored. This directive is ignored when using Mozilla NSS.
+@@ -1153,6 +1153,13 @@
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
.TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
@@ -75,11 +70,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
- the SSL handshake will fail.
--- include/ldap.h.orig
+++ include/ldap.h
-@@ -157,8 +157,9 @@
- #define LDAP_OPT_X_TLS_DHFILE 0x600e
+@@ -158,6 +158,7 @@
#define LDAP_OPT_X_TLS_NEWCTX 0x600f
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
@@ -87,11 +80,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
- #define LDAP_OPT_X_TLS_DEMAND 2
--- libraries/libldap/ldap-int.h.orig
+++ libraries/libldap/ldap-int.h
-@@ -164,8 +164,9 @@
- char *lt_cacertdir;
+@@ -165,6 +165,7 @@
char *lt_ciphersuite;
char *lt_crlfile;
char *lt_randfile; /* OpenSSL only */
@@ -99,9 +90,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
int lt_protocol_min;
};
#endif
-
-@@ -249,8 +250,9 @@
- struct ldaptls ldo_tls_info;
+@@ -250,6 +251,7 @@
#define ldo_tls_certfile ldo_tls_info.lt_certfile
#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
@@ -109,11 +98,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
- #define ldo_tls_protocol_min ldo_tls_info.lt_protocol_min
--- libraries/libldap/tls2.c.orig
+++ libraries/libldap/tls2.c
-@@ -117,8 +117,12 @@
- if ( lo->ldo_tls_dhfile ) {
+@@ -118,6 +118,10 @@
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
@@ -124,9 +111,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
- }
-@@ -231,8 +235,12 @@
- if ( lts.lt_dhfile ) {
+@@ -232,6 +236,10 @@
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
@@ -137,9 +122,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
- Debug( LDAP_DEBUG_ANY,
-@@ -256,8 +264,9 @@
- LDAP_FREE( lts.lt_keyfile );
+@@ -257,6 +265,7 @@
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
@@ -147,9 +130,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
#endif
return rc;
}
-
-@@ -633,8 +642,12 @@
- case LDAP_OPT_X_TLS_DHFILE:
+@@ -634,6 +643,10 @@
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
@@ -160,9 +141,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
- break;
-@@ -752,8 +765,12 @@
- case LDAP_OPT_X_TLS_DHFILE:
+@@ -753,6 +766,10 @@
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
@@ -173,11 +152,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
- return 0;
--- libraries/libldap/tls_o.c.orig
+++ libraries/libldap/tls_o.c
-@@ -295,12 +295,11 @@
- tlso_report_error();
+@@ -327,10 +327,9 @@
return -1;
}
@@ -190,9 +167,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
- "TLS: could not use DH parameters file `%s'.\n",
-@@ -317,8 +316,40 @@
- return -1;
+@@ -349,6 +348,38 @@
}
BIO_free( bio );
SSL_CTX_set_tmp_dh( ctx, dh );
@@ -231,11 +206,9 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
}
if ( tlso_opt_trace ) {
- SSL_CTX_set_info_callback( ctx, tlso_info_cb );
--- servers/slapd/bconfig.c.orig
+++ servers/slapd/bconfig.c
-@@ -193,8 +193,9 @@
- CFG_SYNTAX,
+@@ -194,6 +194,7 @@
CFG_ACL_ADD,
CFG_SYNC_SUBENTRY,
CFG_LTHREADS,
@@ -243,9 +216,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
CFG_LAST
};
-
-@@ -737,8 +738,16 @@
- ARG_IGNORED, NULL,
+@@ -738,6 +739,14 @@
#endif
"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
@@ -260,9 +231,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
{ "TLSProtocolMin", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
- #else
-@@ -818,9 +827,9 @@
- "olcTCPBuffer $ "
+@@ -819,7 +828,7 @@
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
@@ -271,9 +240,7 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
- { "( OLcfgGlOc:2 "
-@@ -3823,8 +3832,9 @@
- case CFG_TLS_CERT_KEY: flag = LDAP_OPT_X_TLS_KEYFILE; break;
+@@ -3824,6 +3833,7 @@
case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
@@ -281,4 +248,3 @@ Subject: [PATCH] ITS#7595 don't try to use EC if OpenSSL lacks it
#ifdef HAVE_GNUTLS
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
#endif
- default: Debug(LDAP_DEBUG_ANY, "%s: "
diff --git a/databases/openldap/patches/patch-libraries_liblmdb_mdb.c b/databases/openldap/patches/patch-libraries_liblmdb_mdb.c
deleted file mode 100644
index e30d5d6b87e..00000000000
--- a/databases/openldap/patches/patch-libraries_liblmdb_mdb.c
+++ /dev/null
@@ -1,39 +0,0 @@
-$NetBSD: patch-libraries_liblmdb_mdb.c,v 1.1 2016/06/17 14:01:58 jperkin Exp $
-
-Apply https://www.gulag.ch/www/download/0001-Solaris-robust-mutex-fix.patch
-
---- libraries/liblmdb/mdb.c.orig 2016-02-05 23:57:45.000000000 +0000
-+++ libraries/liblmdb/mdb.c
-@@ -257,7 +257,7 @@ typedef SSIZE_T ssize_t;
- # else
- # define MDB_USE_ROBUST 1
- /* glibc < 2.12 only provided _np API */
--# if defined(__GLIBC__) && GLIBC_VER < 0x02000c
-+# if (defined(__GLIBC__) && GLIBC_VER < 0x02000a) || defined(__SunOS_5_10)
- # define PTHREAD_MUTEX_ROBUST PTHREAD_MUTEX_ROBUST_NP
- # define pthread_mutexattr_setrobust(attr, flag) pthread_mutexattr_setrobust_np(attr, flag)
- # define pthread_mutex_consistent(mutex) pthread_mutex_consistent_np(mutex)
-@@ -4623,10 +4623,21 @@ mdb_env_setup_locks(MDB_env *env, char *
- || (rc = pthread_mutexattr_setpshared(&mattr, PTHREAD_PROCESS_SHARED))
- #ifdef MDB_ROBUST_SUPPORTED
- || (rc = pthread_mutexattr_setrobust(&mattr, PTHREAD_MUTEX_ROBUST))
--#endif
-+#else
-+ #ifndef __sun
- || (rc = pthread_mutex_init(env->me_txns->mti_rmutex, &mattr))
-- || (rc = pthread_mutex_init(env->me_txns->mti_wmutex, &mattr)))
-+ || (rc = pthread_mutex_init(env->me_txns->mti_wmutex, &mattr))
-+ #endif
-+#endif
-+ ) {
- goto fail;
-+ }
-+ #ifdef __sun
-+ rc = pthread_mutex_init(env->me_txns->mti_rmutex, &mattr);
-+ if (!(rc == EBUSY || rc == EINVAL)) goto fail;
-+ rc = pthread_mutex_init(env->me_txns->mti_wmutex, &mattr);
-+ if (!(rc == EBUSY || rc == EINVAL)) goto fail;
-+ #endif
- pthread_mutexattr_destroy(&mattr);
- #endif /* _WIN32 || MDB_USE_POSIX_SEM */
-