[openldap: 4/4] enhancement: support TLSv1 and later (#1160466)

jsynacek jsynacek at fedoraproject.org
Fri Nov 14 09:07:51 UTC 2014


commit 4b2abac9db548c3ce7f44df72517eec50d68eefc
Author: Jan Synacek <jsynacek at redhat.com>
Date:   Fri Nov 14 09:46:06 2014 +0100

    enhancement: support TLSv1 and later (#1160466)

 openldap-support-tlsv1-and-later.patch |   54 ++++++++++++++++++++++++++++++++
 openldap.spec                          |    8 ++++-
 2 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/openldap-support-tlsv1-and-later.patch b/openldap-support-tlsv1-and-later.patch
new file mode 100644
index 0000000..b8cc0f8
--- /dev/null
+++ b/openldap-support-tlsv1-and-later.patch
@@ -0,0 +1,54 @@
+Support TLSv1 and later.
+
+Author: Mark Reynolds <mreynolds at redhat.com>
+Backported-by: Jan Synacek <jsynacek at redhat.com>
+Upstream ITS: #7979
+Upstream commit: 7a7d9419432954cac18a582bed85a7c489d90f00
+
+--- openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:02:39.489493061 +0100
++++ openldap-2.4.40/libraries/libldap/tls_m.c	2014-11-14 09:23:07.239463097 +0100
+@@ -790,7 +790,7 @@ tlsm_bad_cert_handler(void *arg, PRFileD
+ 	case SSL_ERROR_BAD_CERT_DOMAIN:
+ 		break;
+ 	default:
+-		success = SECFailure;
++ 		success = SECFailure;
+ 		break;
+ 	}
+ 
+@@ -1729,6 +1729,8 @@ tlsm_deferred_init( void *arg )
+ 	NSSInitContext *initctx = NULL;
+ 	PK11SlotInfo *certdb_slot = NULL;
+ #endif
++	SSLVersionRange range;
++	SSLProtocolVariant variant;
+ 	SECStatus rc;
+ 	int done = 0;
+ 
+@@ -1911,6 +1913,16 @@ tlsm_deferred_init( void *arg )
+ 			}
+ 		}
+ 
++		/*
++		 * Set the SSL version range.  MozNSS SSL versions are the same as openldap's:
++		 *
++		 * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
++		 */
++		SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
++		range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
++		variant = ssl_variant_stream;
++		SSL_VersionRangeSetDefault(variant, &range);
++
+ 		NSS_SetDomesticPolicy();
+ 
+ 		PK11_SetPasswordFunc( tlsm_pin_prompt );
+--- openldap-2.4.40/include/ldap.h	2014-09-19 03:48:49.000000000 +0200
++++ openldap-2.4.40/include/ldap.h	2014-11-14 09:25:54.560801030 +0100
+@@ -176,6 +176,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0		((3 << 8) + 1)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
++#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3		((3 << 8) + 4)
+ 
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH			0x6100
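Review bot: In the new block in tlsm_deferred_init (L59–L62) neither SSL_VersionRangeGetSupported nor SSL_VersionRangeSetDefault has its SECStatus checked, so a configured lt_protocol_min that NSS rejects (one above range.max, or a value NSS does not recognise — SetDefault fails rather than clamping) is silently dropped and the library keeps NSS's default range, i.e. the administrator's TLS_PROTOCOL_MIN is not enforced and nothing is logged. If GetSupported itself fails, `range` (declared uninitialised at L45) is read at L60 and passed to SetDefault with indeterminate contents. Both calls should be checked and a failure should take the function's existing error path rather than continue to NSS_SetDomesticPolicy(); that path and the function's start and end lie outside the hunk, so the skeleton below marks where it goes. As a minor style point, the `variant` local at L61 only aliases `ssl_variant_stream` and can be dropped, and the change at L36–L37 in tlsm_bad_cert_handler only inserts a leading space before `success = SECFailure;` and does not belong in this patch.
```c
		/* … unchanged: comment block on the version mapping … */
		if ( SSL_VersionRangeGetSupported( ssl_variant_stream, &range ) != SECSuccess ) {
			/* … report the error and take the function's existing failure path … */
		}
		if ( lt->lt_protocol_min ) {
			range.min = lt->lt_protocol_min;
		}
		/* refuse a minimum NSS cannot honour instead of silently keeping its defaults */
		if ( range.min > range.max ||
		     SSL_VersionRangeSetDefault( ssl_variant_stream, &range ) != SECSuccess ) {
			/* … report lt_protocol_min and take the function's existing failure path … */
		}
```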
diff --git a/openldap.spec b/openldap.spec
index 6d7462b..f2d51ce 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@
 
 Name: openldap
 Version: 2.4.40
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -46,6 +46,8 @@ Patch16: openldap-nss-pk11-freeslot.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
+# TLSv1 support, already included upstream
+Patch21: openldap-support-tlsv1-and-later.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -161,6 +163,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch16 -p1
 %patch19 -p1
 %patch20 -p1
+%patch21 -p1
 
 %patch102 -p1
 
@@ -573,6 +576,9 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Fri Nov 14 2014 Jan Synáček <jsynacek at redhat.com> - 2.4.40-2
+- enhancement: support TLSv1 and later (#1160466)
+
 * Mon Oct  6 2014 Jan Synáček <jsynacek at redhat.com> - 2.4.40-1
 - new upstream release (#1147877)
 

