Hello community, here is the log from the commit of package openldap2 for openSUSE:Factory checked in at 2020-05-09 19:51:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openldap2 (Old) and /work/SRC/openSUSE:Factory/.openldap2.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2" Sat May 9 19:51:38 2020 rev:152 rq:800855 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes 2020-02-03 11:10:48.597768864 +0100 +++ /work/SRC/openSUSE:Factory/.openldap2.new.2738/openldap2.changes 2020-05-09 19:51:52.172775432 +0200 
@@ -1,0 +2,32 @@ +Wed May 6 17:59:58 UTC 2020 - Michael Ströder <[email protected]> + +- updated to 2.4.50 +- added 0014-ITS-8650-fix-debug-usage.patch +- enabled new contrib overlay pw-argon2 +- replaced FTP by HTTPS download URL for source +- removed 0009-Fix-ldap-host-lookup-ipv6.patch (see bsc#1171127) + +OpenLDAP 2.4.50 Release (2020/04/28) + Fixed client benign typos (ITS#8890) + Fixed libldap type cast (ITS#9175) + Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) + Fixed libldap_r race on Windows mutex initialization (ITS#9181) + Fixed liblunicode memory leak (ITS#9198) + Fixed slapd benign typos (ITS#8890) + Fixed slapd to limit depth of nested filters (ITS#9202) + Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214) + Fixed slapo-pcache database initialization (ITS#9182) + Fixed slapo-ppolicy callback (ITS#9171) + Build + Fix olcDatabaseDummy initialization for windows (ITS#7074) + Fix detection for ws2tcpip.h for windows (ITS#8383) + Fix back-mdb types for windows (ITS#7878) + Contrib + Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855) + Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206) + Documentation + slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003) + slapd-meta(5) - Remove client-pr option (ITS#8683) + slapdinex(8) - Fix truncate option information for back-mdb (ITS#9230) + +------------------------------------------------------------------- Old: ---- 0009-Fix-ldap-host-lookup-ipv6.patch openldap-2.4.49.tgz New: ---- 0014-ITS-8650-fix-debug-usage.patch openldap-2.4.50.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2.spec ++++++ --- /var/tmp/diff_new_pack.ivtsA0/_old 2020-05-09 19:51:54.088779545 +0200 +++ /var/tmp/diff_new_pack.ivtsA0/_new 2020-05-09 19:51:54.092779554 +0200 
@@ -22,7 +22,7 @@ %endif %define run_test_suite 0 -%define version_main 2.4.49 +%define version_main 2.4.50 %if %{suse_version} >= 1310 && %{suse_version} != 1315 %define _rundir /run/slapd @@ -40,8 +40,8 @@ Group: Productivity/Networking/LDAP/Servers Version: %{version_main} Release: 0 -Url: http://www.openldap.org -Source: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-%{version_main}.tgz +Url: https://www.openldap.org +Source: https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version_main}.tgz Source1: slapd.conf Source2: slapd.conf.olctemplate Source3: DB_CONFIG @@ -61,8 +61,8 @@ Patch5: 0005-pie-compile.dif Patch7: 0007-Recover-on-DB-version-change.dif Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch -Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch Patch11: 0011-openldap-re24-its7796.patch +Patch14: 0014-ITS-8650-fix-debug-usage.patch Patch15: openldap-r-only.dif Patch16: 0016-Clear-shared-key-only-in-close-function.patch Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz @@ -76,6 +76,7 @@ BuildRequires: db-devel BuildRequires: groff BuildRequires: libopenssl-devel +BuildRequires: libsodium-devel BuildRequires: libtool BuildRequires: openslp-devel BuildRequires: unixODBC-devel @@ -166,6 +167,7 @@ denyop lastbind writes last bind timestamp to entry noopsrch handles no-op search control +pw-argon2 generates/validates Argon2 password hashes pw-sha2 generates/validates SHA-2 password hashes pw-pbkdf2 generates/validates PBKDF2 password hashes smbk5pwd generates Samba3 password hashes (heimdal krb disabled) @@ -256,8 +258,8 @@ %patch5 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 %patch11 -p1 +%patch14 -p1 %patch15 -p1 %patch16 -p1 cp %{SOURCE5} . 
@@ -307,7 +309,7 @@ make depend make %{?_smp_mflags} # Build selected contrib overlays -for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace +for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace do make -C contrib/slapd-modules/${SLAPO_NAME} %{?_smp_mflags} "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" done @@ -351,9 +353,9 @@ # Additional symbolic link to slapd executable in /usr/sbin/ ln -s %{_libdir}/slapd %{buildroot}/usr/sbin/slapd # Install selected contrib overlays -for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/sha2 passwd/pbkdf2 trace +for SLAPO_NAME in addpartial allowed allop autogroup lastbind denyop cloak noopsrch passwd/argon2 passwd/sha2 passwd/pbkdf2 trace do - make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install + make -C contrib/slapd-modules/${SLAPO_NAME} STRIP="" DESTDIR="%{buildroot}" "mandir=%{_mandir}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install done # slapo-smbk5pwd only for Samba password hashes make -C contrib/slapd-modules/smbk5pwd STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}" install @@ -581,12 +583,14 @@ %{_libdir}/openldap/autogroup.* %{_libdir}/openldap/lastbind.* %{_libdir}/openldap/noopsrch.* +%{_libdir}/openldap/pw-argon2.* %{_libdir}/openldap/pw-sha2.* %{_libdir}/openldap/pw-pbkdf2.* %{_libdir}/openldap/denyop.* %{_libdir}/openldap/cloak.* %{_libdir}/openldap/smbk5pwd.* %{_libdir}/openldap/trace.* +%doc %{_mandir}/man5/slapd-pw-argon2.* %files client %defattr(-,root,root) ++++++ 0014-ITS-8650-fix-debug-usage.patch ++++++ >From 85fc8974f5c32a9a052baafaa9499c8484e043c2 Mon Sep 17 00:00:00 2001 
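Review bot: The contrib build loop in the `@@ -307,7 +309,7 @@` hunk now compiles passwd/argon2 without passing the distribution's compiler flags to it. The `make -C contrib/slapd-modules/${SLAPO_NAME}` line sets only `sysconfdir`, `libdir` and `libexecdir`, while the module's Makefile (added later in this diff) fixes `CC = gcc` and `OPT = -g -O2 -Wall` and compiles with `$(CC) $(OPT) $(DEFS) $(INCS)`. Unless something outside this hunk overrides those variables, the password-hashing module is presumably built without the hardening options carried in `%{optflags}`. Adding `"OPT=%{optflags}"` to the make arguments would cover it, and the install loop in the `@@ -351,9 +353,9 @@` hunk should get the same variable so that nothing is rebuilt with the defaults. The %build and %install sections start and end outside these hunks.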
From: Quanah Gibson-Mount <[email protected]> Date: Tue, 28 Apr 2020 20:49:53 +0000 Subject: ITS#8650 - Fix Debug usage to follow RE24 format diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c index c1f15cbc1..ebe5bf125 100644 --- a/libraries/libldap/tls2.c +++ b/libraries/libldap/tls2.c @@ -907,8 +907,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) } else if ( sb->sb_trans_needs_write ) { wr=1; } - Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n", - wr ? "write": "read" ); + Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n", + wr ? "write": "read", 0, 0 ); /* This is mostly copied from result.c:wait4msg(), should * probably be moved into a separate function */ @@ -946,7 +946,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) start_time_tv.tv_sec = curr_time_tv.tv_sec; start_time_tv.tv_usec = curr_time_tv.tv_usec; tv = tv0; - Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n", + Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n", (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec ); ret = ldap_int_poll( ld, sd, &tv, wr); if ( ret < 0 ) { ++++++ openldap-2.4.49.tgz -> openldap-2.4.50.tgz ++++++ ++++ 6250 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/CHANGES new/openldap-2.4.50/CHANGES --- old/openldap-2.4.49/CHANGES 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/CHANGES 2020-04-28 16:05:54.000000000 +0200 
@@ -1,6 +1,29 @@ OpenLDAP 2.4 Change Log -OpenLDAP 2.4.49 (2020/01/30) +OpenLDAP 2.4.50 Release (2020/04/28) + Fixed client benign typos (ITS#8890) + Fixed libldap type cast (ITS#9175) + Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) + Fixed libldap_r race on Windows mutex initialization (ITS#9181) + Fixed liblunicode memory leak (ITS#9198) + Fixed slapd benign typos (ITS#8890) + Fixed slapd to limit depth of nested filters (ITS#9202) + Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214) + Fixed slapo-pcache database initialization (ITS#9182) + Fixed slapo-ppolicy callback (ITS#9171) + Build + Fix olcDatabaseDummy initialization for windows (ITS#7074) + Fix detection for ws2tcpip.h for windows (ITS#8383) + Fix back-mdb types for windows (ITS#7878) + Contrib + Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855) + Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206) + Documentation + slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003) + slapd-meta(5) - Remove client-pr option (ITS#8683) + slapdinex(8) - Fix truncate option information for back-mdb (ITS#9230) + +OpenLDAP 2.4.49 Release (2020/01/30) Added slapd-monitor database entry count for slapd-mdb (ITS#9154) Fixed client tools to not add controls on cancel/abandon (ITS#9145) Fixed client tools SyncInfo message to be LDIF compliant (ITS#8116) @@ -33,7 +56,7 @@ slapd-ldap(5) - Document "tls none" option (ITS#9071) slapo-ppolicy(5) - Correctly document pwdGraceAuthnLimit (ITS#9065) -OpenLDAP 2.4.48 (2019/07/24) +OpenLDAP 2.4.48 Release (2019/07/24) Added libldap OpenSSL Elliptic Curve support (ITS#7595) Added libldap Expose OpenLDAP specific interfaces via openldap.h (ITS#8671) Added slapd-monitor support for slapd-mdb (ITS#7770) 
@@ -57,7 +80,6 @@ Fixed slapd syncrepl for relax with delta-syncrepl (ITS#8037) Fixed slapd to restrict rootDN proxyauthz to its own databases (ITS#9038) Fixed slapd to initialize SASL SSF per connection (ITS#9052) - Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990) Fixed slapd-ldap starttls connections timeout behavior (ITS#8963) Fixed slapd-ldap segfault when entry result doesn't match filter (ITS#8997) Fixed slapd-meta conversion from slapd.conf to cn=config (ITS#8743) @@ -65,6 +87,7 @@ Fixed slapd-mdb fix bitshift integer overflow (ITS#8989) Fixed slapd-mdb index cleanup with cn=config (ITS#8472) Fixed slapd-mdb to improve performance with alias deref (ITS#7657) + Fixed slapo-accesslog with SLAP_MOD_SOFT modifications (ITS#8990) Fixed slapo-accesslog possible assert with exops (ITS#8971) Fixed slapo-chain to correctly reject multiple chaining URIs (ITS#8637) Fixed slapo-chain conversion from slapd.conf to cn=config (ITS#8799) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/build/version.var new/openldap-2.4.50/build/version.var --- old/openldap-2.4.49/build/version.var 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/build/version.var 2020-04-28 16:05:54.000000000 +0200 
@@ -15,9 +15,9 @@ ol_package=OpenLDAP ol_major=2 ol_minor=4 -ol_patch=49 -ol_api_inc=20449 +ol_patch=50 +ol_api_inc=20450 ol_api_current=12 -ol_api_revision=12 +ol_api_revision=13 ol_api_age=10 -ol_release_date="2020/01/30" +ol_release_date="2020/04/28" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/clients/tools/common.c new/openldap-2.4.50/clients/tools/common.c --- old/openldap-2.4.49/clients/tools/common.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/clients/tools/common.c 2020-04-28 16:05:54.000000000 +0200 @@ -2327,7 +2327,7 @@ /* known controls */ for ( j = 0; tool_ctrl_response[j].oid != NULL; j++ ) { if ( strcmp( tool_ctrl_response[j].oid, ctrls[i]->ldctl_oid ) == 0 ) { - if ( !tool_ctrl_response[j].mask & tool_type ) { + if ( !(tool_ctrl_response[j].mask & tool_type )) { /* this control should not appear * with this tool; warning? */ } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/configure.in new/openldap-2.4.50/configure.in --- old/openldap-2.4.49/configure.in 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/configure.in 2020-04-28 16:05:54.000000000 +0200 
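Review bot: In the clients/tools/common.c hunk, the corrected test `if ( !(tool_ctrl_response[j].mask & tool_type )) {` still guards a block that holds only the comment "this control should not appear with this tool; warning?". A response control the tool does not expect is therefore still accepted without any trace. Either emit a diagnostic there, for example `fprintf( stderr, "unexpected control: %s\n", ctrls[i]->ldctl_oid );`, or replace the open question in the comment with a statement that ignoring the control is intentional. The enclosing function starts and ends outside the hunk, so what the loop does after this block is not visible.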
@@ -25,7 +25,7 @@ dnl Configure.in for OpenLDAP AC_COPYRIGHT([[Copyright 1998-2020 The OpenLDAP Foundation. All rights reserved. Restrictions apply, see COPYRIGHT and LICENSE files.]]) -AC_REVISION([$Id: b9cf43515fc1cb3f6d884525dde92e60d857b5a8 $]) +AC_REVISION([$Id: 37293e618797a957ebe6b5f7b9479e9165e1362b $]) AC_INIT([OpenLDAP],,[http://www.openldap.org/its/]) m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>]) AC_CONFIG_SRCDIR(build/version.sh)dnl @@ -2259,6 +2259,9 @@ AC_CHECK_TYPE([socklen_t],,, [$ac_includes_default #ifdef HAVE_SYS_SOCKET_H #include <sys/socket.h> +#endif +#ifdef HAVE_WINSOCK2 +#include <ws2tcpip.h> #endif]) dnl socklen_t-like type in accept(), default socklen_t or int: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/Makefile new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/Makefile --- old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/Makefile 1970-01-01 01:00:00.000000000 +0100 +++ new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/Makefile 2020-04-28 16:05:54.000000000 +0200 
@@ -0,0 +1,72 @@ +# $OpenLDAP$ + +LDAP_SRC = ../../../.. +LDAP_BUILD = ../../../.. +LDAP_INC = -I$(LDAP_BUILD)/include -I$(LDAP_SRC)/include -I$(LDAP_SRC)/servers/slapd +LDAP_LIB = $(LDAP_BUILD)/libraries/libldap_r/libldap_r.la \ + $(LDAP_BUILD)/libraries/liblber/liblber.la + +LIBTOOL = $(LDAP_BUILD)/libtool +INSTALL = /usr/bin/install +CC = gcc +OPT = -g -O2 -Wall +#DEFS = -DSLAPD_ARGON2_DEBUG + +INCS = $(LDAP_INC) +LIBS = $(LDAP_LIB) + +implementation = sodium + +ifeq ($(implementation),argon2) +LIBS += -largon2 +DEFS += -DSLAPD_ARGON2_USE_ARGON2 +else ifeq ($(implementation),sodium) +LIBS += -lsodium +DEFS += -DSLAPD_ARGON2_USE_SODIUM +else +$(error Unsupported implementation $(implementation)) +endif + +PROGRAMS = pw-argon2.la +MANPAGES = slapd-pw-argon2.5 +LTVER = 0:0:0 + +#prefix=/usr/local +prefix=`grep -e "^prefix =" $(LDAP_BUILD)/Makefile | cut -d= -f2` + +exec_prefix=$(prefix) +ldap_subdir=/openldap + +libdir=$(exec_prefix)/lib +libexecdir=$(exec_prefix)/libexec +moduledir = $(libexecdir)$(ldap_subdir) +mandir = $(exec_prefix)/share/man +man5dir = $(mandir)/man5 + +.SUFFIXES: .c .o .lo + +.c.lo: + $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< + +all: $(PROGRAMS) + +pw-argon2.la: pw-argon2.lo + $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? 
$(LIBS) + +clean: + rm -rf *.o *.lo *.la .libs + +install: install-lib install-man FORCE + +install-lib: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + +install-man: $(MANPAGES) + mkdir -p $(DESTDIR)$(man5dir) + $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) + +FORCE: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/README new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/README --- old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/README 1970-01-01 01:00:00.000000000 +0100 +++ new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/README 2020-04-28 16:05:54.000000000 +0200 
@@ -0,0 +1,109 @@ +Argon2 OpenLDAP support +---------------------- + +pw-argon2.c provides support for ARGON2 hashed passwords in OpenLDAP. For +instance, one could have the LDAP attribute: + +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng + +or: + +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw + +Both hash the password "secret", the first using the salt "saltsalt", the second using the salt "saltsaltsalt" + +Building +-------- + +1) Customize the OPENLDAP variable in Makefile to point to the OpenLDAP +source root. + +For initial testing you might also want to edit DEFS to define +SLAPD_ARGON2_DEBUG, which enables logging to stderr (don't leave this on +in production, as it prints passwords in cleartext). + +2) Run 'make' to produce pw-argon2.so + +3) Copy pw-argon2.so somewhere permanent. + +4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: + +moduleload ...path/to/pw-argon2.so + +5) Restart slapd. + + +Configuring +----------- + +The {ARGON2} password scheme should now be recognised. 
+ +You can also tell OpenLDAP to use one of this scheme when processing LDAP +Password Modify Extended Operations, thanks to the password-hash option in +slapd.conf: + +password-hash {ARGON2} + + +Testing +------- + +A quick way to test whether it's working is to customize the rootdn and +rootpw in slapd.conf, eg: + +rootdn "cn=admin,dc=example,dc=com" + +# This hashes the string 'secret', with a random salt +rootpw {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$uJyf0UfB25SQTfX7oCyK2w$U45DJqEFwD0yFaLvTVyACHLvGMwzNGf19dvzPR8XvGc + + +Then to test, run something like: + +ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -x -w secret + + +-- Test hashes: + +Test hashes can be generated with argon2: +$ echo -n "secret" | argon2 "saltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng + +$ echo -n "secret" | argon2 "saltsaltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw + +$ echo -n "secretsecret" | argon2 "saltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$U0Pd/wEsssZ9bHezDA8oxHnWe01xftykEy+7ehM2vic + +$ echo -n "secretsecret" | argon2 "saltsaltsalt" -e +$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$fkvoOwKgVtlX9ZDqcHFyyArBvqnAM0Igca8SScB4Jsc + + + +Alternatively we could modify an existing user's password with +ldappasswd, and then test binding as that user: + +$ ldappasswd -D "cn=admin,dc=example,dc=com" -x -W -S uid=jturner,ou=People,dc=example,dc=com +New password: secret +Re-enter new password: secret +Enter LDAP Password: <cn=admin's password> + +$ ldapsearch -b "dc=example,dc=com" -D "uid=jturner,ou=People,dc=example,dc=com" -x -w secret + + + +--- + +This work is part of OpenLDAP Software <http://www.openldap.org/>. + +Copyright 2017 The OpenLDAP Foundation. +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted only as authorized by the OpenLDAP +Public License. 
+ +A copy of this license is available in the file LICENSE in the +top-level directory of the distribution or, alternatively, at +<http://www.OpenLDAP.org/license.html>. + +--- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/pw-argon2.c new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/pw-argon2.c --- old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/pw-argon2.c 1970-01-01 01:00:00.000000000 +0100 +++ new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/pw-argon2.c 2020-04-28 16:05:54.000000000 +0200 
@@ -0,0 +1,220 @@ +/* pw-argon2.c - Password module for argon2 */ +/* $OpenLDAP$ */ +/* This work is part of OpenLDAP Software <http://www.openldap.org/>. + * + * Copyright 2017 The OpenLDAP Foundation. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted only as authorized by the OpenLDAP + * Public License. + * + * A copy of this license is available in the file LICENSE in the + * top-level directory of the distribution or, alternatively, at + * <http://www.OpenLDAP.org/license.html>. + */ + +#include "portable.h" +#include "ac/string.h" +#include "lber_pvt.h" +#include "lutil.h" + +#include <stdint.h> +#include <stdlib.h> + +#ifdef SLAPD_ARGON2_USE_ARGON2 +#include <argon2.h> + +/* + * For now, we hardcode the default values from the argon2 command line tool + * (as of argon2 release 20161029) + */ +#define SLAPD_ARGON2_ITERATIONS 3 +#define SLAPD_ARGON2_MEMORY (1 << 12) +#define SLAPD_ARGON2_PARALLELISM 1 +#define SLAPD_ARGON2_SALT_LENGTH 16 +#define SLAPD_ARGON2_HASH_LENGTH 32 + +#else /* !SLAPD_ARGON2_USE_ARGON2 */ +#include <sodium.h> + +/* + * Or libsodium interactive settings + */ +#define SLAPD_ARGON2_ITERATIONS crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE +#define SLAPD_ARGON2_MEMORY (crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE / 1024) +#define SLAPD_ARGON2_PARALLELISM 1 +#define SLAPD_ARGON2_SALT_LENGTH crypto_pwhash_argon2id_SALTBYTES +#define SLAPD_ARGON2_HASH_LENGTH 32 + +#endif + +static unsigned long iterations = SLAPD_ARGON2_ITERATIONS; +static unsigned long memory = SLAPD_ARGON2_MEMORY; +static unsigned long parallelism = SLAPD_ARGON2_PARALLELISM; + +const struct berval slapd_argon2_scheme = BER_BVC("{ARGON2}"); + +static int +slapd_argon2_hash( + const struct berval *scheme, + const struct berval *passwd, + struct berval *hash, + const char **text ) +{ + + /* + * Duplicate these values here so future code which allows + * configuration has an easier time. 
+ */ + uint32_t salt_length, hash_length; + char *p; + int rc = LUTIL_PASSWD_ERR; + +#ifdef SLAPD_ARGON2_USE_ARGON2 + struct berval salt; + size_t encoded_length; + + salt_length = SLAPD_ARGON2_SALT_LENGTH; + hash_length = SLAPD_ARGON2_HASH_LENGTH; + + encoded_length = argon2_encodedlen( iterations, memory, parallelism, + salt_length, hash_length, Argon2_id ); + + salt.bv_len = salt_length; + salt.bv_val = ber_memalloc( salt.bv_len ); + + if ( salt.bv_val == NULL ) { + return LUTIL_PASSWD_ERR; + } + + if ( lutil_entropy( (unsigned char*)salt.bv_val, salt.bv_len ) ) { + ber_memfree( salt.bv_val ); + return LUTIL_PASSWD_ERR; + } + + p = hash->bv_val = ber_memalloc( scheme->bv_len + encoded_length ); + if ( p == NULL ) { + ber_memfree( salt.bv_val ); + return LUTIL_PASSWD_ERR; + } + + AC_MEMCPY( p, scheme->bv_val, scheme->bv_len ); + p += scheme->bv_len; + + /* + * Do the actual heavy lifting + */ + if ( argon2i_hash_encoded( iterations, memory, parallelism, + passwd->bv_val, passwd->bv_len, + salt.bv_val, salt_length, hash_length, + p, encoded_length ) == 0 ) { + rc = LUTIL_PASSWD_OK; + } + hash->bv_len = scheme->bv_len + encoded_length; + ber_memfree( salt.bv_val ); + +#else /* !SLAPD_ARGON2_USE_ARGON2 */ + /* Not exposed by libsodium + salt_length = SLAPD_ARGON2_SALT_LENGTH; + hash_length = SLAPD_ARGON2_HASH_LENGTH; + */ + + p = hash->bv_val = ber_memalloc( scheme->bv_len + crypto_pwhash_STRBYTES ); + if ( p == NULL ) { + return LUTIL_PASSWD_ERR; + } + + AC_MEMCPY( hash->bv_val, scheme->bv_val, scheme->bv_len ); + p += scheme->bv_len; + + if ( crypto_pwhash_str_alg( p, passwd->bv_val, passwd->bv_len, + iterations, memory * 1024, + crypto_pwhash_ALG_ARGON2ID13 ) == 0 ) { + hash->bv_len = strlen( hash->bv_val ); + rc = LUTIL_PASSWD_OK; + } +#endif + + if ( rc ) { + ber_memfree( hash->bv_val ); + return LUTIL_PASSWD_ERR; + } + + return LUTIL_PASSWD_OK; +} + +static int +slapd_argon2_verify( + const struct berval *scheme, + const struct berval *passwd, + const struct 
berval *cred, + const char **text ) +{ + int rc = LUTIL_PASSWD_ERR; + +#ifdef SLAPD_ARGON2_USE_ARGON2 + if ( strncmp( passwd->bv_val, "$argon2i$", STRLENOF("$argon2i$") ) == 0 ) { + rc = argon2i_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); + } else if ( strncmp( passwd->bv_val, "$argon2d$", STRLENOF("$argon2d$") ) == 0 ) { + rc = argon2d_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); + } else if ( strncmp( passwd->bv_val, "$argon2id$", STRLENOF("$argon2id$") ) == 0 ) { + rc = argon2id_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); + } +#else /* !SLAPD_ARGON2_USE_ARGON2 */ + rc = crypto_pwhash_str_verify( passwd->bv_val, cred->bv_val, cred->bv_len ); +#endif + + if ( rc ) { + return LUTIL_PASSWD_ERR; + } + return LUTIL_PASSWD_OK; +} + +int init_module( int argc, char *argv[] ) +{ + int i; + +#ifndef SLAPD_ARGON2_USE_ARGON2 + if ( sodium_init() == -1 ) { + return -1; + } +#endif + + for ( i=0; i < argc; i++ ) { + char *p; + unsigned long value; + + switch ( *argv[i] ) { + case 'm': + p = strchr( argv[i], '=' ); + if ( !p || lutil_atoulx( &value, p+1, 0 ) ) { + return -1; + } + memory = value; + break; + + case 't': + p = strchr( argv[i], '=' ); + if ( !p || lutil_atoulx( &value, p+1, 0 ) ) { + return -1; + } + iterations = value; + break; + + case 'p': + p = strchr( argv[i], '=' ); + if ( !p || lutil_atoulx( &value, p+1, 0 ) ) { + return -1; + } + parallelism = value; + break; + + default: + return -1; + } + } + + return lutil_passwd_add( (struct berval *)&slapd_argon2_scheme, + slapd_argon2_verify, slapd_argon2_hash ); +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 
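Review bot: In the SLAPD_ARGON2_USE_ARGON2 branch of slapd_argon2_hash the buffer is sized with `argon2_encodedlen( ..., Argon2_id )` but the hash is produced by `argon2i_hash_encoded(...)`, so that build stores Argon2i while the libsodium branch stores Argon2id (`crypto_pwhash_ALG_ARGON2ID13`); calling `argon2id_hash_encoded` would make both builds agree. The same branch sets `hash->bv_len = scheme->bv_len + encoded_length;`, which is the allocation size rather than the length of the string written, so the stored value can carry the terminator and unwritten bytes; `hash->bv_len = strlen( hash->bv_val );` on success, as the libsodium branch does, avoids that. slapd_argon2_verify passes `passwd->bv_val` to `strncmp` and the verify functions as a C string, which relies on the caller NUL-terminating the berval; that is not visible here and deserves a comment. init_module matches only the first character of each argument and stores `value` without range checks, so `m=0`, `t=0` or a value too large for the library's parameter type is accepted at load time and only fails, or is presumably truncated, when a password is hashed.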
new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 --- old/openldap-2.4.49/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 1970-01-01 01:00:00.000000000 +0100 +++ new/openldap-2.4.50/contrib/slapd-modules/passwd/argon2/slapd-pw-argon2.5 2020-04-28 16:05:54.000000000 +0200 
@@ -0,0 +1,122 @@ +.TH SLAPD-PW-ARGON2 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2020 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapd-pw-argon2 \- Argon2 password module to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.RS +.LP +.B moduleload pw-argon2 +.RI [ <parameters> ] +.RE +.SH DESCRIPTION +.LP +The +.B pw-argon2 +module to +.BR slapd (8) +provides support for the use of the key derivation function Argon2, +that was selected as the winner of the Password Hashing Competition in July 2015, +in hashed passwords in OpenLDAP. +.LP +It does so by providing the additional password scheme +.B {ARGON2} +for use in slapd. + +.SH CONFIGURATION +The +.B pw-argon2 +module does not need any configuration, +but it can be configured by giving the following parameters: +.TP +.BI m= <memory> +Set memory usage to +.I <memory> +kiB. +.TP +.BI p= <parallelism> +Set parallelism to +.I <parallelism> +threads. +.TP +.BI t= <iterations> +Set the number of iterations to +.IR <iterations> . +.LP +These replace defaults when preparing hashes for new passwords where possible. +.LP +After loading the module, the password scheme +.B {ARGON2} +will be recognised in values of the +.I userPassword +attribute. +.LP +You can then instruct OpenLDAP to use this scheme when processing +the LDAPv3 Password Modify (RFC 3062) extended operations by using the +.BR password-hash +option in +.BR slapd.conf (5): +.RS +.LP +.B password\-hash {ARGON2} +.RE +.LP + +.SS NOTES +If you want to use the scheme described here with +.BR slappasswd (8), +remember to load the module using its command line options. 
+The relevant option/value is: +.RS +.LP +.B \-o +.BR module\-load = pw-argon2 +.LP +.RE +Depending on +.BR pw-argon2 's +location, you may also need: +.RS +.LP +.B \-o +.BR module\-path = \fIpathspec\fP +.RE + +.SH EXAMPLES +Both userPassword LDAP attributes below encode the password +.RI ' secret ' +using different salts: +.EX +.LP +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng +.LP +userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw +.EE + +.SH SEE ALSO +.BR slapd.conf (5), +.BR ldappasswd (1), +.BR slappasswd (8), +.BR ldap (3), +.LP +.UR http://www.OpenLDAP.org/doc/ +"OpenLDAP Administrator's Guide" +.UE +.LP + +.SH ACKNOWLEDGEMENTS +This manual page has been written by Peter Marschall based on the +module's README file written by +.MT [email protected] +Simon Levermann +.ME . +.LP +.B OpenLDAP +is developed and maintained by +.UR http://www.openldap.org/ +The OpenLDAP Project +.UE . +.B OpenLDAP +is derived from University of Michigan LDAP 3.3 Release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/doc/guide/admin/guide.html new/openldap-2.4.50/doc/guide/admin/guide.html --- old/openldap-2.4.49/doc/guide/admin/guide.html 2020-01-30 19:03:24.000000000 +0100 +++ new/openldap-2.4.50/doc/guide/admin/guide.html 2020-04-28 18:01:52.000000000 +0200 
@@ -23,7 +23,7 @@ <DIV CLASS="title"> <H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1> <ADDRESS CLASS="doc-author">The OpenLDAP Project <<A HREF="http://www.openldap.org/">http://www.openldap.org/</A>></ADDRESS> -<ADDRESS CLASS="doc-modified">30 January 2020</ADDRESS> +<ADDRESS CLASS="doc-modified">28 April 2020</ADDRESS> <BR CLEAR="All"> </DIV> <DIV CLASS="contents"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/doc/man/man5/slapd-ldap.5 new/openldap-2.4.50/doc/man/man5/slapd-ldap.5 --- old/openldap-2.4.49/doc/man/man5/slapd-ldap.5 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/doc/man/man5/slapd-ldap.5 2020-04-28 16:05:54.000000000 +0200 
@@ -203,14 +203,16 @@ identities are authorized to exploit the identity assertion feature. The string .B <authz-regexp> -follows the rules defined for the +mostly follows the rules defined for the .I authzFrom attribute. See .BR slapd.conf (5), section related to .BR authz\-policy , -for details on the syntax of this field. +for details on the syntax of this field. This parameter differs from +the documented behavior in relation to the meaning of *, which in this +case allows anonymous rather than denies. .HP .hy 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/doc/man/man5/slapd-meta.5 new/openldap-2.4.50/doc/man/man5/slapd-meta.5 --- old/openldap-2.4.49/doc/man/man5/slapd-meta.5 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/doc/man/man5/slapd-meta.5 2020-04-28 16:05:54.000000000 +0200 
@@ -312,25 +312,6 @@ overridden by any per-target directive. .TP -.B client\-pr {accept-unsolicited|DISABLE|<size>} -This feature allows one to use RFC 2696 Paged Results control when performing -search operations with a specific target, -irrespective of the client's request. -When set to a numeric value, Paged Results control is always -used with \fIsize\fP as the page size. -When set to \fIaccept-unsolicited\fP, unsolicited Paged Results -control responses are accepted and honored -for compatibility with broken remote DSAs. -The client is not exposed to paged results handling -between -.BR slapd\-meta (5) -and the remote servers. -By default (disabled), Paged Results control is not used -and responses are not accepted. -If set before any target specification, it affects all targets, unless -overridden by any per-target directive. - -.TP .B default\-target [<target>] The "default\-target" directive can also be used during target specification. With no arguments it marks the current target as the default. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/doc/man/man8/slapindex.8 new/openldap-2.4.50/doc/man/man8/slapindex.8 --- old/openldap-2.4.49/doc/man/man8/slapindex.8 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/doc/man/man8/slapindex.8 2020-04-28 16:05:54.000000000 +0200 
@@ -138,7 +138,8 @@ .TP .B \-t enable truncate mode. Truncates (empties) an index database before indexing -any entries. May only be used with Quick mode. +any entries. For back-bdb/hdb, may only be used with quick mode. For back-mdb +it is usable with and without quick mode. .TP .B \-v enable verbose mode. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/include/ldap_int_thread.h new/openldap-2.4.50/include/ldap_int_thread.h --- old/openldap-2.4.49/include/ldap_int_thread.h 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/include/ldap_int_thread.h 2020-04-28 16:05:54.000000000 +0200 @@ -180,10 +180,13 @@ typedef HANDLE ldap_int_thread_cond_t; typedef DWORD ldap_int_thread_key_t; +LDAP_F( int ) +ldap_int_mutex_firstcreate LDAP_P(( ldap_int_thread_mutex_t *mutex )); + #ifndef LDAP_INT_MUTEX_NULL #define LDAP_INT_MUTEX_NULL ((HANDLE)0) #define LDAP_INT_MUTEX_FIRSTCREATE(m) \ - ((void) ((m) || ldap_pvt_thread_mutex_init(&(m)))) + ldap_int_mutex_firstcreate(&(m)) #endif LDAP_END_DECL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/libraries/libldap/getattr.c new/openldap-2.4.50/libraries/libldap/getattr.c --- old/openldap-2.4.49/libraries/libldap/getattr.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/libraries/libldap/getattr.c 2020-04-28 16:05:54.000000000 +0200 
@@ -147,7 +147,7 @@ /* skip sequence, snarf attribute type */ tag = ber_scanf( ber, vals ? "{mM}" : "{mx}", attr, vals, - &siz, 0 ); + &siz, (ber_len_t)0 ); if( tag == LBER_ERROR ) { rc = ld->ld_errno = LDAP_DECODING_ERROR; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/libraries/libldap/tls2.c new/openldap-2.4.50/libraries/libldap/tls2.c --- old/openldap-2.4.49/libraries/libldap/tls2.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/libraries/libldap/tls2.c 2020-04-28 16:05:54.000000000 +0200 
@@ -892,78 +892,71 @@ ld->ld_errno = LDAP_SUCCESS; ret = ldap_int_tls_connect( ld, conn, host ); + /* this mainly only happens for non-blocking io + * but can also happen when the handshake is too + * big for a single network message. + */ + while ( ret > 0 ) { #ifdef LDAP_USE_NON_BLOCKING_TLS - while ( ret > 0 ) { /* this should only happen for non-blocking io */ - int wr=0; - - if ( sb->sb_trans_needs_read ) { - wr=0; - } else if ( sb->sb_trans_needs_write ) { - wr=1; - } - Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n", - wr ? "write": "read", 0, 0); - - ret = ldap_int_poll( ld, sd, &tv, wr); - if ( ret < 0 ) { - ld->ld_errno = LDAP_TIMEOUT; - break; - } else { - /* ldap_int_poll called ldap_pvt_ndelay_off if not async */ - if ( !async ) { - ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); + if ( async ) { + struct timeval curr_time_tv, delta_tv; + int wr=0; + + if ( sb->sb_trans_needs_read ) { + wr=0; + } else if ( sb->sb_trans_needs_write ) { + wr=1; } - ret = ldap_int_tls_connect( ld, conn, host ); - if ( ret > 0 ) { /* need to call tls_connect once more */ - struct timeval curr_time_tv, delta_tv; + Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n", + wr ? "write": "read" ); - /* This is mostly copied from result.c:wait4msg(), should - * probably be moved into a separate function */ + /* This is mostly copied from result.c:wait4msg(), should + * probably be moved into a separate function */ #ifdef HAVE_GETTIMEOFDAY - gettimeofday( &curr_time_tv, NULL ); + gettimeofday( &curr_time_tv, NULL ); #else /* ! HAVE_GETTIMEOFDAY */ - time( &curr_time_tv.tv_sec ); - curr_time_tv.tv_usec = 0; + time( &curr_time_tv.tv_sec ); + curr_time_tv.tv_usec = 0; #endif /* ! 
HAVE_GETTIMEOFDAY */ - /* delta = curr - start */ - delta_tv.tv_sec = curr_time_tv.tv_sec - start_time_tv.tv_sec; - delta_tv.tv_usec = curr_time_tv.tv_usec - start_time_tv.tv_usec; - if ( delta_tv.tv_usec < 0 ) { - delta_tv.tv_sec--; - delta_tv.tv_usec += 1000000; - } - - /* tv0 < delta ? */ - if ( ( tv0.tv_sec < delta_tv.tv_sec ) || - ( ( tv0.tv_sec == delta_tv.tv_sec ) && - ( tv0.tv_usec < delta_tv.tv_usec ) ) ) - { - ret = -1; - ld->ld_errno = LDAP_TIMEOUT; - break; - } else { - /* timeout -= delta_time */ - tv0.tv_sec -= delta_tv.tv_sec; - tv0.tv_usec -= delta_tv.tv_usec; - if ( tv0.tv_usec < 0 ) { - tv0.tv_sec--; - tv0.tv_usec += 1000000; - } - start_time_tv.tv_sec = curr_time_tv.tv_sec; - start_time_tv.tv_usec = curr_time_tv.tv_usec; - } - tv = tv0; - Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n", - (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec ); + /* delta = curr - start */ + delta_tv.tv_sec = curr_time_tv.tv_sec - start_time_tv.tv_sec; + delta_tv.tv_usec = curr_time_tv.tv_usec - start_time_tv.tv_usec; + if ( delta_tv.tv_usec < 0 ) { + delta_tv.tv_sec--; + delta_tv.tv_usec += 1000000; + } + + /* tv0 < delta ? 
*/ + if ( ( tv0.tv_sec < delta_tv.tv_sec ) || + ( ( tv0.tv_sec == delta_tv.tv_sec ) && + ( tv0.tv_usec < delta_tv.tv_usec ) ) ) + { + ret = -1; + ld->ld_errno = LDAP_TIMEOUT; + break; + } + /* timeout -= delta_time */ + tv0.tv_sec -= delta_tv.tv_sec; + tv0.tv_usec -= delta_tv.tv_usec; + if ( tv0.tv_usec < 0 ) { + tv0.tv_sec--; + tv0.tv_usec += 1000000; + } + start_time_tv.tv_sec = curr_time_tv.tv_sec; + start_time_tv.tv_usec = curr_time_tv.tv_usec; + tv = tv0; + Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n", + (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec ); + ret = ldap_int_poll( ld, sd, &tv, wr); + if ( ret < 0 ) { + ld->ld_errno = LDAP_TIMEOUT; + break; } } - } - /* Leave it nonblocking if async */ - if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { - ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, NULL ); - } #endif /* LDAP_USE_NON_BLOCKING_TLS */ + ret = ldap_int_tls_connect( ld, conn, host ); + } if ( ret < 0 ) { if ( ld->ld_errno == LDAP_SUCCESS ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/libraries/libldap_r/thr_nt.c new/openldap-2.4.50/libraries/libldap_r/thr_nt.c --- old/openldap-2.4.49/libraries/libldap_r/thr_nt.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/libraries/libldap_r/thr_nt.c 2020-04-28 16:05:54.000000000 +0200 
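Review bot: When `async` is false, and in builds without `LDAP_USE_NON_BLOCKING_TLS`, the new `while ( ret > 0 )` loop calls `ldap_int_tls_connect( ld, conn, host )` again with no wait and no deadline, because `ldap_int_poll` and the `tv0` elapsed-time check now sit inside `if ( async )`. If the socket can be non-blocking on that path (for example with a network timeout configured, which this hunk does not show), a peer that stalls the handshake keeps the caller spinning. The removed lines also switched the sockbuf to non-blocking for the retry and back to blocking after the loop, so confirm nothing still depends on that. I would run the deadline check on both paths, or once the invariant is confirmed add a comment above the loop such as `/* sync case: socket is blocking, each retry waits inside the handshake I/O */`. The function starts and ends outside the hunk.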
@@ -54,6 +54,17 @@ return 0; } +int +ldap_int_mutex_firstcreate( ldap_int_thread_mutex_t *mutex ) +{ + if ( *mutex == NULL ) { + HANDLE p = CreateMutex( NULL, 0, NULL ); + if ( InterlockedCompareExchangePointer((PVOID*)mutex, (PVOID)p, NULL) != NULL) + CloseHandle( p ); + } + return 0; +} + int ldap_pvt_thread_create( ldap_pvt_thread_t * thread, int detach, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/libraries/liblunicode/ucstr.c new/openldap-2.4.50/libraries/liblunicode/ucstr.c --- old/openldap-2.4.49/libraries/liblunicode/ucstr.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/libraries/liblunicode/ucstr.c 2020-04-28 16:05:54.000000000 +0200 @@ -109,6 +109,7 @@ void *ctx ) { int i, j, len, clen, outpos, ucsoutlen, outsize, last; + int didnewbv = 0; char *out, *outtmp, *s; ac_uint4 *ucs, *p, *ucsout; @@ -132,6 +133,7 @@ if ( !newbv ) { newbv = ber_memalloc_x( sizeof(struct berval), ctx ); if ( !newbv ) return NULL; + didnewbv = 1; } /* Should first check to see if string is already in proper @@ -145,6 +147,9 @@ outsize = len + 7; out = (char *) ber_memalloc_x( outsize, ctx ); if ( out == NULL ) { +fail: + if ( didnewbv ) + ber_memfree_x( newbv, ctx ); return NULL; } outpos = 0; @@ -171,7 +176,7 @@ outsize = len + 7; out = (char *) ber_memalloc_x( outsize, ctx ); if ( out == NULL ) { - return NULL; + goto fail; } outpos = i - 1; memcpy(out, s, outpos); @@ -180,7 +185,7 @@ outsize = len + 7; out = (char *) ber_memalloc_x( outsize, ctx ); if ( out == NULL ) { - return NULL; + goto fail; } outpos = 0; i = 0; 
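Review bot: `ldap_int_mutex_firstcreate` never checks the result of `CreateMutex( NULL, 0, NULL )`, so on failure `*mutex` stays NULL and the function still returns 0. A caller that then locks the mutex would be waiting on a null handle, and if the compare-exchange is lost while `p == NULL` the code calls `CloseHandle( NULL )`. I would add `if ( p == NULL ) return -1;` directly after the `CreateMutex` call. Whether users of `LDAP_INT_MUTEX_FIRSTCREATE` check the return value is not visible here.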
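Review bot: The `fail:` label in ucstr.c sits inside the body of the first `if ( out == NULL )`, and every later `goto fail`, including those in the following hunks, jumps into that nested block. This is valid C, but the shared cleanup now lives in one allocation's error branch, so an edit to that branch changes every other error path without any sign of it at the `goto` sites. I would move the label and `if ( didnewbv ) ber_memfree_x( newbv, ctx );` to a cleanup section at the end of the function, which lies outside these hunks. Failing that, mark the label with `/* common error exit: free newbv only if allocated here */`.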
@@ -189,7 +194,7 @@ p = ucs = ber_memalloc_x( len * sizeof(*ucs), ctx ); if ( ucs == NULL ) { ber_memfree_x(out, ctx); - return NULL; + goto fail; } /* convert character before first non-ascii to ucs-4 */ @@ -207,7 +212,7 @@ if ( clen == 0 ) { ber_memfree_x( ucs, ctx ); ber_memfree_x( out, ctx ); - return NULL; + goto fail; } if ( clen == 1 ) { /* ascii */ @@ -219,7 +224,7 @@ if ( (s[i] & 0xc0) != 0x80 ) { ber_memfree_x( ucs, ctx ); ber_memfree_x( out, ctx ); - return NULL; + goto fail; } *p <<= 6; *p |= s[i] & 0x3f; @@ -251,7 +256,7 @@ ber_memfree_x( ucsout, ctx ); ber_memfree_x( ucs, ctx ); ber_memfree_x( out, ctx ); - return NULL; + goto fail; } out = outtmp; } @@ -275,7 +280,7 @@ if (outtmp == NULL) { ber_memfree_x( ucs, ctx ); ber_memfree_x( out, ctx ); - return NULL; + goto fail; } out = outtmp; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/back-ldap/chain.c new/openldap-2.4.50/servers/slapd/back-ldap/chain.c --- old/openldap-2.4.49/servers/slapd/back-ldap/chain.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/back-ldap/chain.c 2020-04-28 16:05:54.000000000 +0200 @@ -1278,7 +1278,7 @@ "NAME 'olcChainDatabase' " "DESC 'Chain remote server configuration' " "AUXILIARY )", - Cft_Misc, olcDatabaseDummy, chain_ldadd + Cft_Misc, NULL, chain_ldadd #ifdef SLAP_CONFIG_DELETE , NULL, chain_lddel #endif 
@@ -2314,6 +2314,12 @@ /* Make sure we don't exceed the bits reserved for userland */ config_check_userland( CH_LAST ); + /* olcDatabaseDummy is defined in slapd, and Windows + will not let us initialize a struct element with a data pointer + from another library, so we have to initialize this element + "by hand". */ + chainocs[1].co_table = olcDatabaseDummy; + #ifdef LDAP_CONTROL_X_CHAINING_BEHAVIOR rc = register_supported_control( LDAP_CONTROL_X_CHAINING_BEHAVIOR, /* SLAP_CTRL_GLOBAL| */ SLAP_CTRL_ACCESS|SLAP_CTRL_HIDE, NULL, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/back-mdb/back-mdb.h new/openldap-2.4.50/servers/slapd/back-mdb/back-mdb.h --- old/openldap-2.4.49/servers/slapd/back-mdb/back-mdb.h 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/back-mdb/back-mdb.h 2020-04-28 16:05:54.000000000 +0200 @@ -66,9 +66,8 @@ MDB_env *mi_dbenv; /* DB_ENV parameters */ - /* The DB_ENV can be tuned via DB_CONFIG */ char *mi_dbenv_home; - uint32_t mi_dbenv_flags; + unsigned mi_dbenv_flags; int mi_dbenv_mode; size_t mi_mapsize; 
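Review bot: `chainocs[1].co_table = olcDatabaseDummy;` selects the entry by a literal index, so inserting or reordering an element of `chainocs` would leave `olcChainDatabase` with a NULL `co_table` and patch a different class instead. The same pattern appears as `pcocs[1]` in pcache.c and `translucentocs[1]` in translucent.c. Those two files add a `/* co_table is initialized in ... */` comment at the table entry, but chain.c's `Cft_Misc, NULL, chain_ldadd` line has none; I would add the matching comment there. An assertion on the entry's identity next to each assignment would also help. How the config code treats a NULL `co_table` is not visible in this diff.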
@@ -81,10 +80,10 @@ int mi_search_stack_depth; int mi_readers; - uint32_t mi_rtxn_size; + unsigned mi_rtxn_size; int mi_txn_cp; - uint32_t mi_txn_cp_min; - uint32_t mi_txn_cp_kbyte; + unsigned mi_txn_cp_min; + unsigned mi_txn_cp_kbyte; struct re_s *mi_txn_cp_task; struct re_s *mi_index_task; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/back-mdb/config.c new/openldap-2.4.50/servers/slapd/back-mdb/config.c --- old/openldap-2.4.49/servers/slapd/back-mdb/config.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/back-mdb/config.c 2020-04-28 16:05:54.000000000 +0200 
@@ -521,22 +521,22 @@ } break; case MDB_CHKPT: { - long l; - mdb->mi_txn_cp = 1; - if ( lutil_atolx( &l, c->argv[1], 0 ) != 0 ) { + unsigned cp_kbyte, cp_min; + if ( lutil_atoux( &cp_kbyte, c->argv[1], 0 ) != 0 ) { fprintf( stderr, "%s: " "invalid kbyte \"%s\" in \"checkpoint\".\n", c->log, c->argv[1] ); return 1; } - mdb->mi_txn_cp_kbyte = l; - if ( lutil_atolx( &l, c->argv[2], 0 ) != 0 ) { + if ( lutil_atoux( &cp_min, c->argv[2], 0 ) != 0 ) { fprintf( stderr, "%s: " "invalid minutes \"%s\" in \"checkpoint\".\n", c->log, c->argv[2] ); return 1; } - mdb->mi_txn_cp_min = l; + mdb->mi_txn_cp = 1; + mdb->mi_txn_cp_kbyte = cp_kbyte; + mdb->mi_txn_cp_min = cp_min; /* If we're in server mode and time-based checkpointing is enabled, * submit a task to perform periodic checkpoints. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/back-mdb/dn2id.c new/openldap-2.4.50/servers/slapd/back-mdb/dn2id.c --- old/openldap-2.4.49/servers/slapd/back-mdb/dn2id.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/back-mdb/dn2id.c 2020-04-28 16:05:54.000000000 +0200 @@ -485,10 +485,8 @@ data.mv_data = d; rc = mdb_cursor_get( cursor, &key, &data, MDB_GET_BOTH ); op->o_tmpfree( d, op->o_tmpmemctx ); - if ( rc ) { - mdb_cursor_close( cursor ); + if ( rc ) break; - } ptr = (char *) data.mv_data + data.mv_size - 2*sizeof(ID); memcpy( &nid, ptr, sizeof(ID)); 
@@ -507,7 +505,7 @@ break; } } - + mdb_cursor_close( cursor ); done: if( rc != 0 ) { Debug( LDAP_DEBUG_TRACE, "<= mdb_dn2sups: get failed: %s (%d)\n", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/back-mdb/init.c new/openldap-2.4.50/servers/slapd/back-mdb/init.c --- old/openldap-2.4.49/servers/slapd/back-mdb/init.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/back-mdb/init.c 2020-04-28 16:05:54.000000000 +0200 @@ -85,7 +85,7 @@ int rc, i; struct mdb_info *mdb = (struct mdb_info *) be->be_private; struct stat stat1; - uint32_t flags; + unsigned flags; char *dbhome; MDB_txn *txn; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/back-mdb/search.c new/openldap-2.4.50/servers/slapd/back-mdb/search.c --- old/openldap-2.4.49/servers/slapd/back-mdb/search.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/back-mdb/search.c 2020-04-28 16:05:54.000000000 +0200 
@@ -331,7 +331,7 @@ ID key; MDB_val data; int flag; - int nentries; + unsigned nentries; } ww_ctx; /* ITS#7904 if we get blocked while writing results to client, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/backend.c new/openldap-2.4.50/servers/slapd/backend.c --- old/openldap-2.4.49/servers/slapd/backend.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/backend.c 2020-04-28 16:05:54.000000000 +0200 @@ -1500,7 +1500,7 @@ * or if filter parsing fails. * In the latter case, * we should give up. */ - if ( ludp->lud_filter != NULL && ludp->lud_filter != '\0') { + if ( ludp->lud_filter != NULL && *ludp->lud_filter != '\0') { filter = str2filter_x( op, ludp->lud_filter ); if ( filter == NULL ) { /* give up... */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/filter.c new/openldap-2.4.50/servers/slapd/filter.c --- old/openldap-2.4.49/servers/slapd/filter.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/filter.c 2020-04-28 16:05:54.000000000 +0200 @@ -37,11 +37,16 @@ const Filter *slap_filter_objectClass_pres; const struct berval *slap_filterstr_objectClass_pres; +#ifndef SLAPD_MAX_FILTER_DEPTH +#define SLAPD_MAX_FILTER_DEPTH 5000 +#endif + static int get_filter_list( Operation *op, BerElement *ber, Filter **f, - const char **text ); + const char **text, + int depth ); static int get_ssa( Operation *op, 
@@ -80,12 +85,13 @@ return; } -int -get_filter( +static int +get_filter0( Operation *op, BerElement *ber, Filter **filt, - const char **text ) + const char **text, + int depth ) { ber_tag_t tag; ber_len_t len; @@ -126,6 +132,11 @@ * */ + if( depth > SLAPD_MAX_FILTER_DEPTH ) { + *text = "filter nested too deeply"; + return SLAPD_DISCONNECT; + } + tag = ber_peek_tag( ber, &len ); if( tag == LBER_ERROR ) { @@ -221,7 +232,7 @@ case LDAP_FILTER_AND: Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 ); - err = get_filter_list( op, ber, &f.f_and, text ); + err = get_filter_list( op, ber, &f.f_and, text, depth+1 ); if ( err != LDAP_SUCCESS ) { break; } @@ -234,7 +245,7 @@ case LDAP_FILTER_OR: Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 ); - err = get_filter_list( op, ber, &f.f_or, text ); + err = get_filter_list( op, ber, &f.f_or, text, depth+1 ); if ( err != LDAP_SUCCESS ) { break; } @@ -248,7 +259,7 @@ case LDAP_FILTER_NOT: Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 ); (void) ber_skip_tag( ber, &len ); - err = get_filter( op, ber, &f.f_not, text ); + err = get_filter0( op, ber, &f.f_not, text, depth+1 ); if ( err != LDAP_SUCCESS ) { break; } @@ -311,10 +322,22 @@ return( err ); } +int +get_filter( + Operation *op, + BerElement *ber, + Filter **filt, + const char **text ) +{ + return get_filter0( op, ber, filt, text, 0 ); +} + + static int get_filter_list( Operation *op, BerElement *ber, Filter **f, - const char **text ) + const char **text, + int depth ) { Filter **new; int err; 
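Review bot: The check `if( depth > SLAPD_MAX_FILTER_DEPTH )` still allows 5000 levels of recursion by default, and each level is a `get_filter0` frame (with a local `Filter f`, judging by `f.f_and`) plus a `get_filter_list` frame for AND/OR. Whether that fits the stack of the thread decoding the request is not visible in this diff, and any later recursive walk over the parsed filter would reach the same depth. I would document the bound at the define in the first filter.c hunk, e.g. `/* upper bound on filter nesting; must stay within the thread stack budget */`. A considerably smaller default is worth considering, since real filters are unlikely to nest anywhere near this deep.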
@@ -328,7 +351,7 @@ tag != LBER_DEFAULT; tag = ber_next_element( ber, &len, last ) ) { - err = get_filter( op, ber, new, text ); + err = get_filter0( op, ber, new, text, depth ); if ( err != LDAP_SUCCESS ) return( err ); new = &(*new)->f_next; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/overlays/constraint.c new/openldap-2.4.50/servers/slapd/overlays/constraint.c --- old/openldap-2.4.49/servers/slapd/overlays/constraint.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/overlays/constraint.c 2020-04-28 16:05:54.000000000 +0200 @@ -446,7 +446,7 @@ } if ( ap.restrict_lud->lud_attrs != NULL ) { - if ( ap.restrict_lud->lud_attrs[0] != '\0' ) { + if ( ap.restrict_lud->lud_attrs[0] != NULL ) { snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s %s: attrs not allowed in restrict URI %s\n", c->argv[0], c->argv[1], arg); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/overlays/pcache.c new/openldap-2.4.50/servers/slapd/overlays/pcache.c --- old/openldap-2.4.49/servers/slapd/overlays/pcache.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/overlays/pcache.c 2020-04-28 16:05:54.000000000 +0200 
@@ -3750,7 +3750,8 @@ { "( OLcfgOvOc:2.2 " "NAME 'olcPcacheDatabase' " "DESC 'Cache database configuration' " - "AUXILIARY )", Cft_Misc, olcDatabaseDummy, pc_ldadd }, + /* co_table is initialized in pcache_initialize */ + "AUXILIARY )", Cft_Misc, NULL, pc_ldadd }, { NULL, 0, NULL } }; @@ -4506,6 +4507,7 @@ SLAP_DBFLAGS(&cm->db) |= SLAP_DBFLAG_NO_SCHEMA_CHECK; cm->db.be_private = NULL; cm->db.bd_self = &cm->db; + cm->db.be_pending_csn_list = NULL; cm->qm = qm; cm->numattrsets = 0; cm->num_entries_limit = 5; @@ -5671,6 +5673,13 @@ ConfigArgs c; char *argv[ 4 ]; + /* olcDatabaseDummy is defined in slapd, and Windows + will not let us initialize a struct element with a data pointer + from another library, so we have to initialize this element + "by hand". */ + pcocs[1].co_table = olcDatabaseDummy; + + code = slap_loglevel_get( &debugbv, &pcache_debug ); if ( code ) { return code; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/overlays/ppolicy.c new/openldap-2.4.50/servers/slapd/overlays/ppolicy.c --- old/openldap-2.4.49/servers/slapd/overlays/ppolicy.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/overlays/ppolicy.c 2020-04-28 16:05:54.000000000 +0200 @@ -1323,9 +1323,8 @@ /* Setup a callback so we can munge the result */ cb->sc_response = ppolicy_bind_response; - cb->sc_next = op->o_callback->sc_next; cb->sc_private = ppb; - op->o_callback->sc_next = cb; + overlay_callback_after_backover( op, cb, 1 ); /* Did we receive a password policy request control? */ if ( op->o_ctrlflag[ppolicy_cid] ) { 
@@ -1469,9 +1468,8 @@ /* Setup a callback so we can munge the result */ cb->sc_response = ppolicy_compare_response; - cb->sc_next = op->o_callback->sc_next; cb->sc_private = ppb; - op->o_callback->sc_next = cb; + overlay_callback_after_backover( op, cb, 1 ); op->o_bd->bd_info = (BackendInfo *)on; ppolicy_get( op, e, &ppb->pp ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/overlays/translucent.c new/openldap-2.4.50/servers/slapd/overlays/translucent.c --- old/openldap-2.4.49/servers/slapd/overlays/translucent.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/overlays/translucent.c 2020-04-28 16:05:54.000000000 +0200 @@ -107,7 +107,8 @@ { "( OLcfgOvOc:14.2 " "NAME 'olcTranslucentDatabase' " "DESC 'Translucent target database configuration' " - "AUXILIARY )", Cft_Misc, olcDatabaseDummy, translucent_ldadd }, + /* co_table is initialized in translucent_initialize() */ + "AUXILIARY )", Cft_Misc, NULL, translucent_ldadd }, { NULL, 0, NULL } }; /* for translucent_init() */ 
@@ -1382,6 +1383,12 @@ int rc; + /* olcDatabaseDummy is defined in slapd, and Windows + will not let us initialize a struct element with a data pointer + from another library, so we have to initialize this element + "by hand". */ + translucentocs[1].co_table = olcDatabaseDummy; + Debug(LDAP_DEBUG_TRACE, "==> translucent_initialize\n", 0, 0, 0); translucent.on_bi.bi_type = "translucent"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/sasl.c new/openldap-2.4.50/servers/slapd/sasl.c --- old/openldap-2.4.49/servers/slapd/sasl.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/sasl.c 2020-04-28 16:05:54.000000000 +0200 @@ -46,7 +46,7 @@ #define SASL_VERSION_FULL ((SASL_VERSION_MAJOR << 16) |\ (SASL_VERSION_MINOR << 8) | SASL_VERSION_STEP) -#if SASL_VERSION_MINOR >= 0x020119 /* 2.1.25 */ +#if SASL_VERSION_FULL >= 0x020119 /* 2.1.25 */ typedef sasl_callback_ft slap_sasl_cb_ft; #else typedef int (*slap_sasl_cb_ft)(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/openldap-2.4.49/servers/slapd/syntax.c new/openldap-2.4.50/servers/slapd/syntax.c --- old/openldap-2.4.49/servers/slapd/syntax.c 2020-01-30 18:58:35.000000000 +0100 +++ new/openldap-2.4.50/servers/slapd/syntax.c 2020-04-28 16:05:54.000000000 +0200 
@@ -219,8 +219,8 @@ } assert( (*lsei)->lsei_values != NULL ); - if ( (*lsei)->lsei_values[0] == '\0' - || (*lsei)->lsei_values[1] != '\0' ) + if ( (*lsei)->lsei_values[0] == NULL + || (*lsei)->lsei_values[1] != NULL ) { Debug( LDAP_DEBUG_ANY, "syn_add(%s): exactly one substitute syntax must be present\n", ssyn->ssyn_syn.syn_oid, 0, 0 );
