Hello community,

here is the log from the commit of package openldap2 for openSUSE:Factory 
checked in at 2020-09-01 20:03:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openldap2 (Old)
 and      /work/SRC/openSUSE:Factory/.openldap2.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openldap2"

Tue Sep  1 20:03:00 2020 rev:156 rq:830372 version:unknown

Changes:
--------
--- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes      2020-08-19 
18:43:58.975437737 +0200
+++ /work/SRC/openSUSE:Factory/.openldap2.new.3399/openldap2.changes    
2020-09-01 20:03:45.176490963 +0200
@@ -1,0 +2,22 @@
+Fri Aug 28 22:06:57 UTC 2020 - Michael Ströder <[email protected]>
+
+- updated to 2.4.52
+
+OpenLDAP 2.4.52 (2020/08/28)
+  Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
+  Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
+  Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
+  Fixed librewrite malloc/free corruption (ITS#9249)
+  Fixed libldap hang when using UDP and server down (ITS#9328)
+  Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
+  Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
+  Fixed slapd-mdb index error with collapsed range (ITS#9135)
+
+-------------------------------------------------------------------
+Thu Aug 20 16:39:54 UTC 2020 - Thorsten Kukuk <[email protected]>
+
+- Switch from shadow to sysusers to generate ldap account
+- Remove if's for code older than SLE12 (Even SLE12 builds no longer)
+- Remove 12 years old sasl2 migration code
+
+-------------------------------------------------------------------

Old:
----
  openldap-2.4.51.tgz

New:
----
  ldap-user.conf
  openldap-2.4.52.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openldap2.spec ++++++
--- /var/tmp/diff_new_pack.QHhtJj/_old  2020-09-01 20:03:52.196494246 +0200
+++ /var/tmp/diff_new_pack.QHhtJj/_new  2020-09-01 20:03:52.204494250 +0200
@@ -22,17 +22,11 @@
 %endif
 
 %define run_test_suite 0
-%define version_main 2.4.51
-
-%if %{suse_version} >= 1310 && %{suse_version} != 1315
-%define  _rundir /run/slapd
-%else
-%define  _rundir /var/run/slapd
-%endif
-
+%define version_main 2.4.52
 %define name_ppolicy_check_module ppolicy-check-password
 %define version_ppolicy_check_module 1.2
 %define ppolicy_docdir 
%{_docdir}/openldap-%{name_ppolicy_check_module}-%{version_ppolicy_check_module}
+%define slapdrundir %{_rundir}/slapd
 
 Name:           openldap2
 Summary:        An open source implementation of the Lightweight Directory 
Access Protocol
@@ -55,6 +49,7 @@
 Source16:       sysconfig.openldap
 Source17:       openldap_update_modules_path.sh
 Source18:       openldap2.conf
+Source19:       ldap-user.conf
 Patch1:         0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
 Patch3:         0003-LDAPI-socket-location.dif
 Patch5:         0005-pie-compile.dif
@@ -77,19 +72,19 @@
 BuildRequires:  libsodium-devel
 BuildRequires:  libtool
 BuildRequires:  openslp-devel
+BuildRequires:  sysuser-tools
 BuildRequires:  unixODBC-devel
-%if %{suse_version} >= 1310 && %{suse_version} != 1315
 # avoid cycle with krb5
 BuildRequires:  pkgconfig(krb5)
 BuildRequires:  pkgconfig(systemd)
 %if %{suse_version} < 1500
 %{?systemd_requires}
 %endif
-%endif
 Requires:       libldap-2_4-2 = %{version_main}
 Recommends:     cyrus-sasl
 Conflicts:      openldap
-PreReq:         %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd 
/usr/bin/grep
+PreReq:         %fillup_prereq
+%sysusers_requires
 
 %description
 OpenLDAP is a client and server reference implementation of the
@@ -142,9 +137,7 @@
 %package -n libldap-data
 Summary:        Configuration file for system-wide defaults for all uses of 
libldap
 Group:          Productivity/Networking/LDAP/Clients
-%if 0%{?suse_version} != 1110
 BuildArch:      noarch
-%endif
 
 %description -n libldap-data
 The subpackage contains a configuration file used to set system-wide defaults
@@ -175,9 +168,7 @@
 Summary:        OpenLDAP Documentation
 Group:          Documentation/Other
 Provides:       openldap2:/usr/share/doc/packages/openldap2/drafts/README
-%if 0%{?suse_version} > 1110
 BuildArch:      noarch
-%endif
 
 %description doc
 The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts.
@@ -274,7 +265,7 @@
         --sysconfdir=%{_sysconfdir} \
         --libdir=%{_libdir} \
         --libexecdir=%{_libdir} \
-        --localstatedir=%{_rundir} \
+        --localstatedir=%{slapdrundir} \
         --enable-wrappers=no \
         --enable-spasswd \
         --enable-modules \
@@ -315,6 +306,8 @@
 
 # Build ppolicy-check-password module
 make -C contrib/slapd-modules/%{name_ppolicy_check_module} %{?_smp_mflags} 
"sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libdir}"
+# Create ldap user
+%sysusers_generate_pre %{SOURCE19} ldap
 
 %check
 %if %run_test_suite
@@ -368,6 +361,8 @@
 install -m 755 %{SOURCE17} %{buildroot}%{_sbindir}
 mkdir -p  %{buildroot}%{_tmpfilesdir}/
 install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
 
 # Install ppolicy check module
 make -C contrib/slapd-modules/ppolicy-check-password STRIP="" 
DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" 
"libexecdir=%{_libexecdir}" install
@@ -412,7 +407,7 @@
 rm -f %{buildroot}/etc/openldap/DB_CONFIG.example
 rm -f %{buildroot}/etc/openldap/schema/README
 rm -f %{buildroot}/etc/openldap/slapd.ldif*
-rm -f %{buildroot}%{_rundir}/openldap-data/DB_CONFIG.example
+rm -f %{buildroot}%{slapdrundir}/openldap-data/DB_CONFIG.example
 mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
 
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcslapd
@@ -434,17 +429,10 @@
 gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
        -Wl,-soname -Wl,libldap-2.4.so.2 -L "%{buildroot}%{_libdir}" -lldap_r
 
-%pre
-getent group ldap >/dev/null || /usr/sbin/groupadd -g 70 -o -r ldap
-getent passwd ldap >/dev/null || /usr/sbin/useradd -r -o -g ldap -u 76 -s 
/bin/false -c "User for OpenLDAP" -d /var/lib/ldap ldap
+%pre -f ldap.pre
 %service_add_pre slapd.service
 
 %post
-if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
-  cp /etc/sasl2/slapd.conf /etc/sasl2/slapd.conf.rpmnew
-  cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
-fi
-
 if [ ${1:-0} -gt 1 ] && [ ! -f /var/adm/openldap_modules_path_updated ] ; then
     /usr/sbin/openldap_update_modules_path.sh
 fi
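Review bot: The removed `%pre` pinned the account to fixed ids (`groupadd -g 70`, `useradd -u 76`), while the replacement `ldap-user.conf` shown further down uses `-` in the ID column, so on fresh installs sysusers allocates the next free system ids instead. Existing installs keep the account they already have, but a database directory restored or shared from another host may then be owned by an id that no longer belongs to `ldap`, and the `%attr(0750, ldap, ldap)` entries in the files list only cover what rpm itself installs. If the fixed ids are still relied on, keep them with `u ldap 76:70 "User for OpenLDAP" /var/lib/ldap`; otherwise a changelog sentence saying that the ids are now allocated dynamically would save administrators a surprise.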
@@ -512,8 +500,9 @@
 /usr/lib/openldap/start
 %{_unitdir}/slapd.service
 %{_tmpfilesdir}/%{name}.conf
+%{_sysusersdir}/ldap-user.conf
 %dir %attr(0750, ldap, ldap) %{_sharedstatedir}/ldap
-%ghost %attr(0750, ldap, ldap) %{_rundir}
+%ghost %attr(0750, ldap, ldap) %{slapdrundir}
 %doc %{_mandir}/man8/sl*
 %doc %{_mandir}/man5/slapd.*
 %doc %{_mandir}/man5/slapd-bdb.*

++++++ ldap-user.conf ++++++
# Type Name ID GECOS [HOME]
u ldap - "User for OpenLDAP" /var/lib/ldap
++++++ openldap-2.4.51.tgz -> openldap-2.4.52.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/CHANGES new/openldap-2.4.52/CHANGES
--- old/openldap-2.4.51/CHANGES 2020-08-11 20:33:20.000000000 +0200
+++ new/openldap-2.4.52/CHANGES 2020-08-28 18:10:00.000000000 +0200
@@ -1,5 +1,15 @@
 OpenLDAP 2.4 Change Log
 
+OpenLDAP 2.4.52 (2020/08/28)
+       Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
+       Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
+       Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
+       Fixed librewrite malloc/free corruption (ITS#9249)
+       Fixed libldap hang when using UDP and server down (ITS#9328)
+       Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
+       Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
+       Fixed slapd-mdb index error with collapsed range (ITS#9135)
+
 OpenLDAP 2.4.51 Release (2020/08/11)
        Added slapo-ppolicy implement Netscape password policy controls 
(ITS#9279)
        Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/build/version.var 
new/openldap-2.4.52/build/version.var
--- old/openldap-2.4.51/build/version.var       2020-08-11 20:33:20.000000000 
+0200
+++ new/openldap-2.4.52/build/version.var       2020-08-28 18:10:00.000000000 
+0200
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=4
-ol_patch=51
-ol_api_inc=20451
-ol_api_current=12
-ol_api_revision=14
-ol_api_age=10
-ol_release_date="2020/08/11"
+ol_patch=52
+ol_api_inc=20452
+ol_api_current=13
+ol_api_revision=0
+ol_api_age=11
+ol_release_date="2020/08/28"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/doc/guide/admin/guide.html 
new/openldap-2.4.52/doc/guide/admin/guide.html
--- old/openldap-2.4.51/doc/guide/admin/guide.html      2020-08-12 
02:27:49.000000000 +0200
+++ new/openldap-2.4.52/doc/guide/admin/guide.html      2020-08-28 
19:32:17.000000000 +0200
@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.4 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A 
HREF="http://www.openldap.org/";>http://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">11 August 2020</ADDRESS>
+<ADDRESS CLASS="doc-modified">28 August 2020</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/doc/man/man3/ldap_get_option.3 
new/openldap-2.4.52/doc/man/man3/ldap_get_option.3
--- old/openldap-2.4.51/doc/man/man3/ldap_get_option.3  2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/doc/man/man3/ldap_get_option.3  2020-08-28 
18:10:00.000000000 +0200
@@ -710,6 +710,20 @@
 .BR ldap_memfree (3).
 Ignored by GnuTLS and Mozilla NSS.
 .TP
+.B LDAP_OPT_X_TLS_ECNAME
+Gets/sets the name of the curve(s) used for
+elliptic curve key exchanges.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller using
+.BR ldap_memfree (3).
+Ignored by GnuTLS and Mozilla NSS. In GnuTLS a curve may be selected
+in the cipher suite specification.
+.TP
 .B LDAP_OPT_X_TLS_KEYFILE
 Sets/gets the full-path of the certificate key file.
 .BR invalue
@@ -760,6 +774,15 @@
 one of
 .BR LDAP_OPT_X_TLS_NEVER ,
 .BR LDAP_OPT_X_TLS_HARD ,
+.BR LDAP_OPT_X_TLS_DEMAND ,
+.BR LDAP_OPT_X_TLS_ALLOW ,
+.BR LDAP_OPT_X_TLS_TRY .
+.TP
+.B LDAP_OPT_X_TLS_REQUIRE_SAN
+Sets/gets the peer certificate subjectAlternativeName checking strategy,
+one of
+.BR LDAP_OPT_X_TLS_NEVER ,
+.BR LDAP_OPT_X_TLS_HARD ,
 .BR LDAP_OPT_X_TLS_DEMAND ,
 .BR LDAP_OPT_X_TLS_ALLOW ,
 .BR LDAP_OPT_X_TLS_TRY .
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/doc/man/man5/ldap.conf.5 
new/openldap-2.4.52/doc/man/man5/ldap.conf.5
--- old/openldap-2.4.51/doc/man/man5/ldap.conf.5        2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/doc/man/man5/ldap.conf.5        2020-08-28 
18:10:00.000000000 +0200
@@ -345,6 +345,12 @@
        certutil \-d /path/to/certdbdir \-L
 .fi
 .TP
+.B TLS_ECNAME <name>
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification.
+.TP
 .B TLS_KEY <filename>
 Specifies the file that contains the private key that matches the certificate
 stored in the
@@ -458,6 +464,37 @@
 is immediately terminated. This is the default setting.
 .RE
 .TP
+.B TLS_REQSAN <level>
+Specifies what checks to perform on the subjectAlternativeName
+(SAN) extensions in a server certificate when validating the certificate
+name against the specified hostname of the server. The
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B never
+The client will not check any SAN in the certificate.
+.TP
+.B allow
+The SAN is checked against the specified hostname. If a SAN is
+present but none match the specified hostname, the SANs are ignored
+and the usual check against the certificate DN is used.
+This is the default setting.
+.TP
+.B try
+The SAN is checked against the specified hostname. If no SAN is present
+in the server certificate, the usual check against the certificate DN
+is used. If a SAN is present but doesn't match the specified hostname,
+the session is immediately terminated. This setting may be preferred
+when a mix of certs with and without SANs are in use.
+.TP
+.B demand | hard
+These keywords are equivalent. The SAN is checked against the specified
+hostname. If no SAN is present in the server certificate, or no SANs
+match, the session is immediately terminated. This setting should be
+used when only certificates with SANs are in use.
+.RE
+.TP
 .B TLS_CRLCHECK <level>
 Specifies if the Certificate Revocation List (CRL) of the CA should be 
 used to verify if the server certificates have not been revoked. This
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/doc/man/man5/slapd-config.5 
new/openldap-2.4.52/doc/man/man5/slapd-config.5
--- old/openldap-2.4.51/doc/man/man5/slapd-config.5     2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/doc/man/man5/slapd-config.5     2020-08-28 
18:10:00.000000000 +0200
@@ -923,9 +923,9 @@
 so this directive is ignored.
 .TP
 .B olcTLSECName: <name>
-Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-ephemeral key exchange.  This is required to enable ECDHE algorithms in
-OpenSSL.  This option is not used with GnuTLS; the curves may be
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
 chosen in the GnuTLS ciphersuite specification. This option is also
 ignored for Mozilla NSS.
 .TP
@@ -1785,7 +1785,9 @@
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1951,7 +1953,9 @@
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings default to the same
+setting defaults to "demand", the
+.B tls_reqsan
+setting defaults to "allow", and the other TLS settings default to the same
 as the main slapd TLS settings.
 
 The
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/doc/man/man5/slapd-ldap.5 
new/openldap-2.4.52/doc/man/man5/slapd-ldap.5
--- old/openldap-2.4.51/doc/man/man5/slapd-ldap.5       2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/doc/man/man5/slapd-ldap.5       2020-08-28 
18:10:00.000000000 +0200
@@ -113,7 +113,9 @@
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -152,7 +154,9 @@
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 .RE
 
 .TP
@@ -227,7 +231,9 @@
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_protocol_min=<version>]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -378,7 +384,9 @@
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow".
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
@@ -584,7 +592,9 @@
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .RS
 Specify TLS settings for regular connections.
@@ -600,7 +610,9 @@
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand" and
+which defaults to "demand",
+.B tls_reqsan
+which defaults to "allow", and
 .B starttls
 which is overshadowed by the first keyword and thus ignored.
 .RE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/doc/man/man5/slapd-meta.5 
new/openldap-2.4.52/doc/man/man5/slapd-meta.5
--- old/openldap-2.4.51/doc/man/man5/slapd-meta.5       2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/doc/man/man5/slapd-meta.5       2020-08-28 
18:10:00.000000000 +0200
@@ -361,7 +361,9 @@
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<ciphers>]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [tls_crlcheck=none|peer|all]
 .RS
@@ -511,7 +513,9 @@
 The TLS settings default to the same as the main slapd TLS settings,
 except for
 .B tls_reqcert
-which defaults to "demand".
+which defaults to "demand", and
+.B tls_reqsan
+which defaults to "allow"..
 
 The identity associated to this directive is also used for privileged
 operations whenever \fBidassert\-bind\fP is defined and \fBacl\-bind\fP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/doc/man/man5/slapd.conf.5 
new/openldap-2.4.52/doc/man/man5/slapd.conf.5
--- old/openldap-2.4.51/doc/man/man5/slapd.conf.5       2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/doc/man/man5/slapd.conf.5       2020-08-28 
18:10:00.000000000 +0200
@@ -1154,9 +1154,9 @@
 so this directive is ignored.
 .TP
 .B TLSECName <name>
-Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-ephemeral key exchange.  This is required to enable ECDHE algorithms in
-OpenSSL.  This option is not used with GnuTLS; the curves may be
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
 chosen in the GnuTLS ciphersuite specification. This option is also
 ignored for Mozilla NSS.
 .TP
@@ -1765,7 +1765,9 @@
 .B [tls_cacert=<file>]
 .B [tls_cacertdir=<path>]
 .B [tls_reqcert=never|allow|try|demand]
+.B [tls_reqsan=never|allow|try|demand]
 .B [tls_cipher_suite=<ciphers>]
+.B [tls_ecname=<names>]
 .B [tls_crlcheck=none|peer|all]
 .B [tls_protocol_min=<major>[.<minor>]]
 .B [suffixmassage=<real DN>]
@@ -1963,7 +1965,9 @@
 argument is supplied, the session will be aborted if the StartTLS request
 fails. Otherwise the syncrepl session continues without TLS. The
 .B tls_reqcert
-setting defaults to "demand" and the other TLS settings
+setting defaults to "demand", the
+.B tls_reqsan
+seting defaults to "allow", and the other TLS settings
 default to the same as the main slapd TLS settings.
 
 The
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/include/ldap.h 
new/openldap-2.4.52/include/ldap.h
--- old/openldap-2.4.51/include/ldap.h  2020-08-11 20:33:20.000000000 +0200
+++ new/openldap-2.4.52/include/ldap.h  2020-08-28 18:10:00.000000000 +0200
@@ -159,6 +159,7 @@
 #define LDAP_OPT_X_TLS_CRLFILE         0x6010  /* GNUtls only */
 #define LDAP_OPT_X_TLS_PACKAGE         0x6011
 #define LDAP_OPT_X_TLS_ECNAME          0x6012
+#define LDAP_OPT_X_TLS_REQUIRE_SAN     0x601a
 
 #define LDAP_OPT_X_TLS_NEVER   0
 #define LDAP_OPT_X_TLS_HARD            1
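Review bot: The new value `0x601a` jumps past `0x6013`–`0x6019` after `LDAP_OPT_X_TLS_ECNAME 0x6012`, and nothing on the page explains the gap. A one-line comment such as `/* 0x6013-0x6019 reserved; do not reuse */` (stating the actual reason, presumably values taken by another branch) would stop a later option from being assigned into it and colliding at the ABI level.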
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/libraries/libldap/init.c 
new/openldap-2.4.52/libraries/libldap/init.c
--- old/openldap-2.4.51/libraries/libldap/init.c        2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/libraries/libldap/init.c        2020-08-28 
18:10:00.000000000 +0200
@@ -127,9 +127,11 @@
        {0, ATTR_TLS,   "TLS_CACERT",           NULL,   
LDAP_OPT_X_TLS_CACERTFILE},
        {0, ATTR_TLS,   "TLS_CACERTDIR",        NULL,   
LDAP_OPT_X_TLS_CACERTDIR},
        {0, ATTR_TLS,   "TLS_REQCERT",          NULL,   
LDAP_OPT_X_TLS_REQUIRE_CERT},
+       {0, ATTR_TLS,   "TLS_REQSAN",           NULL,   
LDAP_OPT_X_TLS_REQUIRE_SAN},
        {0, ATTR_TLS,   "TLS_RANDFILE",         NULL,   
LDAP_OPT_X_TLS_RANDOM_FILE},
        {0, ATTR_TLS,   "TLS_CIPHER_SUITE",     NULL,   
LDAP_OPT_X_TLS_CIPHER_SUITE},
        {0, ATTR_TLS,   "TLS_PROTOCOL_MIN",     NULL,   
LDAP_OPT_X_TLS_PROTOCOL_MIN},
+       {0, ATTR_TLS,   "TLS_ECNAME",           NULL,   LDAP_OPT_X_TLS_ECNAME},
 
 #ifdef HAVE_OPENSSL_CRL
        {0, ATTR_TLS,   "TLS_CRLCHECK",         NULL,   
LDAP_OPT_X_TLS_CRLCHECK},
@@ -573,6 +575,7 @@
        gopts->ldo_tls_connect_cb = NULL;
        gopts->ldo_tls_connect_arg = NULL;
        gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+       gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
 #endif
        gopts->ldo_keepalive_probes = 0;
        gopts->ldo_keepalive_interval = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/libraries/libldap/ldap-int.h 
new/openldap-2.4.52/libraries/libldap/ldap-int.h
--- old/openldap-2.4.51/libraries/libldap/ldap-int.h    2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/libraries/libldap/ldap-int.h    2020-08-28 
18:10:00.000000000 +0200
@@ -262,6 +262,7 @@
        int                     ldo_tls_require_cert;
        int                     ldo_tls_impl;
        int                     ldo_tls_crlcheck;
+       int                     ldo_tls_require_san;
 #define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0
 #else
 #define LDAP_LDO_TLS_NULLARG
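Review bot: `LDAP_LDO_TLS_NULLARG` on the line right after the new member looks like a positional zero-initializer for the TLS members of this struct (three scalars, a nine-field brace group, four scalars) and is not extended here, so if it is used that way it now supplies one value fewer than there are members and any initializer macro placed after it would shift by one position. If that reading is right, append `,0` to the macro; if the macro is no longer used positionally, a comment saying so would spare the next reader the same check.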
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/libraries/libldap/result.c 
new/openldap-2.4.52/libraries/libldap/result.c
--- old/openldap-2.4.51/libraries/libldap/result.c      2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/libraries/libldap/result.c      2020-08-28 
18:10:00.000000000 +0200
@@ -486,7 +486,8 @@
 #ifdef LDAP_CONNECTIONLESS
        if ( LDAP_IS_UDP(ld) ) {
                struct sockaddr_storage from;
-               ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct 
sockaddr_storage) );
+               if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct 
sockaddr_storage) ) < 0 )
+                       goto fail;
                if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
        }
 nextresp3:
@@ -502,10 +503,11 @@
                break;
 
        case LBER_DEFAULT:
+fail:
                err = sock_errno();
 #ifdef LDAP_DEBUG                 
                Debug( LDAP_DEBUG_CONNS,
-                       "ber_get_next failed.\n", 0, 0, 0 );
+                       "ber_get_next failed, errno=%d.\n", err, 0, 0 );
 #endif            
                if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
                if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
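Review bot: `goto fail` jumps from the UDP pre-read into the middle of `case LBER_DEFAULT:` in the switch that follows `nextresp3:`, skipping whatever that label and the `ber_get_next` call set up; it is legal C, but a label inside a case body is easy to miss when reading the switch on its own. A comment at the label would make the control flow explicit, e.g. `/* also reached from the UDP read above; read sock_errno() first, before anything clobbers it */`, since `err = sock_errno();` on the next line is the only thing that preserves the failure cause for the `EWOULDBLOCK`/`EAGAIN` tests below. The enclosing function starts and ends outside the hunk.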
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/libraries/libldap/tls2.c 
new/openldap-2.4.52/libraries/libldap/tls2.c
--- old/openldap-2.4.51/libraries/libldap/tls2.c        2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/libraries/libldap/tls2.c        2020-08-28 
18:10:00.000000000 +0200
@@ -532,10 +532,12 @@
        case LDAP_OPT_X_TLS_RANDOM_FILE:
        case LDAP_OPT_X_TLS_CIPHER_SUITE:
        case LDAP_OPT_X_TLS_DHFILE:
+       case LDAP_OPT_X_TLS_ECNAME:
        case LDAP_OPT_X_TLS_CRLFILE:    /* GnuTLS only */
                return ldap_pvt_tls_set_option( ld, option, (void *) arg );
 
        case LDAP_OPT_X_TLS_REQUIRE_CERT:
+       case LDAP_OPT_X_TLS_REQUIRE_SAN:
        case LDAP_OPT_X_TLS:
                i = -1;
                if ( strcasecmp( arg, "never" ) == 0 ) {
@@ -666,6 +668,9 @@
        case LDAP_OPT_X_TLS_REQUIRE_CERT:
                *(int *)arg = lo->ldo_tls_require_cert;
                break;
+       case LDAP_OPT_X_TLS_REQUIRE_SAN:
+               *(int *)arg = lo->ldo_tls_require_san;
+               break;
 #ifdef HAVE_OPENSSL_CRL
        case LDAP_OPT_X_TLS_CRLCHECK:   /* OpenSSL only */
                *(int *)arg = lo->ldo_tls_crlcheck;
@@ -798,6 +803,18 @@
                        return 0;
                }
                return -1;
+       case LDAP_OPT_X_TLS_REQUIRE_SAN:
+               if ( !arg ) return -1;
+               switch( *(int *) arg ) {
+               case LDAP_OPT_X_TLS_NEVER:
+               case LDAP_OPT_X_TLS_DEMAND:
+               case LDAP_OPT_X_TLS_ALLOW:
+               case LDAP_OPT_X_TLS_TRY:
+               case LDAP_OPT_X_TLS_HARD:
+                       lo->ldo_tls_require_san = * (int *) arg;
+                       return 0;
+               }
+               return -1;
 #ifdef HAVE_OPENSSL_CRL
        case LDAP_OPT_X_TLS_CRLCHECK:   /* OpenSSL only */
                if ( !arg ) return -1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/libraries/libldap/tls_g.c 
new/openldap-2.4.52/libraries/libldap/tls_g.c
--- old/openldap-2.4.51/libraries/libldap/tls_g.c       2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/libraries/libldap/tls_g.c       2020-08-28 
18:10:00.000000000 +0200
@@ -453,6 +453,7 @@
 {
        tlsg_session *s = (tlsg_session *)session;
        int i, ret;
+       int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
        const gnutls_datum_t *peer_cert_list;
        unsigned int list_size;
        char altname[NI_MAXHOST];
@@ -515,12 +516,14 @@
                }
        }
 
+       if (chkSAN) {
        for ( i=0, ret=0; ret >= 0; i++ ) {
                altnamesize = sizeof(altname);
                ret = gnutls_x509_crt_get_subject_alt_name( cert, i, 
                        altname, &altnamesize, NULL );
                if ( ret < 0 ) break;
 
+               gotSAN = 1;
                /* ignore empty */
                if ( altnamesize == 0 ) continue;
 
@@ -556,7 +559,44 @@
        }
        if ( ret >= 0 ) {
                ret = LDAP_SUCCESS;
-       } else {
+       }
+       }
+       if (ret != LDAP_SUCCESS && chkSAN) {
+               switch(chkSAN) {
+               case LDAP_OPT_X_TLS_DEMAND:
+               case LDAP_OPT_X_TLS_HARD:
+                       if (!gotSAN) {
+                               Debug( LDAP_DEBUG_ANY,
+                                       "TLS: unable to get subjectAltName from 
peer certificate.\n", 0, 0, 0 );
+                               ret = LDAP_CONNECT_ERROR;
+                               if ( ld->ld_error ) {
+                                       LDAP_FREE( ld->ld_error );
+                               }
+                               ld->ld_error = LDAP_STRDUP(
+                                       _("TLS: unable to get subjectAltName 
from peer certificate"));
+                               goto done;
+                       }
+                       /* FALLTHRU */
+               case LDAP_OPT_X_TLS_TRY:
+                       if (gotSAN) {
+                               Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does 
not match "
+                                       "subjectAltName in certificate.\n",
+                                       name, 0, 0 );
+                               ret = LDAP_CONNECT_ERROR;
+                               if ( ld->ld_error ) {
+                                       LDAP_FREE( ld->ld_error );
+                               }
+                               ld->ld_error = LDAP_STRDUP(
+                                       _("TLS: hostname does not match 
subjectAltName in peer certificate"));
+                               goto done;
+                       }
+                       break;
+               case LDAP_OPT_X_TLS_ALLOW:
+                       break;
+               }
+       }
+
+       if ( ret != LDAP_SUCCESS ){
                /* find the last CN */
                i=0;
                do {
@@ -611,9 +651,10 @@
                                LDAP_FREE( ld->ld_error );
                        }
                        ld->ld_error = LDAP_STRDUP(
-                               _("TLS: hostname does not match CN in peer 
certificate"));
+                               _("TLS: hostname does not match name in peer 
certificate"));
                }
        }
+done:
        gnutls_x509_crt_deinit( cert );
        return ret;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/libraries/libldap/tls_o.c 
new/openldap-2.4.52/libraries/libldap/tls_o.c
--- old/openldap-2.4.51/libraries/libldap/tls_o.c       2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/libraries/libldap/tls_o.c       2020-08-28 
18:10:00.000000000 +0200
@@ -407,34 +407,30 @@
                DH_free( dh );
        }
 
-       if ( is_server && lo->ldo_tls_ecname ) {
+       if ( lo->ldo_tls_ecname ) {
 #ifdef OPENSSL_NO_EC
                Debug( LDAP_DEBUG_ANY,
                        "TLS: Elliptic Curves not supported.\n", 0,0,0 );
                return -1;
 #else
-               EC_KEY *ecdh;
-
-               int nid = OBJ_sn2nid( lt->lt_ecname );
-               if ( nid == NID_undef ) {
+               if ( !SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )) {
                        Debug( LDAP_DEBUG_ANY,
-                               "TLS: could not use EC name `%s'.\n",
+                               "TLS: could not set EC name `%s'.\n",
                                lo->ldo_tls_ecname,0,0);
                        tlso_report_error();
                        return -1;
                }
-               ecdh = EC_KEY_new_by_curve_name( nid );
-               if ( ecdh == NULL ) {
+       /*
+        * This is a NOP in OpenSSL 1.1.0 and later, where curves are always
+        * auto-negotiated.
+        */
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+               if ( SSL_CTX_set_ecdh_auto( ctx, 1 ) <= 0 ) {
                        Debug( LDAP_DEBUG_ANY,
-                               "TLS: could not generate key for EC name 
`%s'.\n",
-                               lo->ldo_tls_ecname,0,0);
-                       tlso_report_error();
-                       return -1;
+                               "TLS: could not enable automatic EC 
negotiation.\n", 0, 0, 0 );
                }
-               SSL_CTX_set_tmp_ecdh( ctx, ecdh );
-               SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
-               EC_KEY_free( ecdh );
 #endif
+#endif /* OPENSSL_NO_EC */
        }
 
        if ( tlso_opt_trace ) {
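Review bot: On the pre-1.1.0 path a failed `SSL_CTX_set_ecdh_auto` is only logged and the function carries on, whereas the `SSL_CTX_set1_curves_list` failure a few lines above returns -1; if automatic negotiation cannot be enabled on those versions the configured curve list presumably has no effect, so either `return -1;` there as well or extend the comment with why continuing is acceptable. `SSL_CTX_set1_curves_list` is guarded only by `OPENSSL_NO_EC`; it exists from OpenSSL 1.0.2 onward, so if older releases are still build targets a version guard is needed too. Dropping `is_server &&` makes the curve list apply to client contexts as well, which the man-page hunks describe but the code does not say; a one-line comment stating that intent would help readers who knew the server-only behaviour. The enclosing function starts and ends outside the hunk.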
@@ -624,6 +620,7 @@
 {
        tlso_session *s = (tlso_session *)sess;
        int i, ret = LDAP_LOCAL_ERROR;
+       int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
        X509 *x;
        const char *name;
        char *ptr;
@@ -662,7 +659,8 @@
        if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
                if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
        }
-       
+
+       if (chkSAN) {
        i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
        if (i >= 0) {
                X509_EXTENSION *ex;
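Review bot: The new `if (chkSAN) {` wraps the existing SAN-parsing block without re-indenting it, so the body still reads as function-level code and the matching `}` added further down (just before `if (ret != LDAP_SUCCESS && chkSAN)`) is easy to overlook. If keeping the diff minimal was the goal, at least tag the closing brace, `} /* if (chkSAN) */`, or re-indent the block in a follow-up. The function's body begins before this hunk.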
@@ -675,6 +673,7 @@
                        char *domain = NULL;
                        GENERAL_NAME *gn;
 
+                       gotSAN = 1;
                        if (ntype == IS_DNS) {
                                domain = strchr(name, '.');
                                if (domain) {
@@ -733,6 +732,41 @@
                        }
                }
        }
+       }
+       if (ret != LDAP_SUCCESS && chkSAN) {
+               switch(chkSAN) {
+               case LDAP_OPT_X_TLS_DEMAND:
+               case LDAP_OPT_X_TLS_HARD:
+                       if (!gotSAN) {
+                               Debug( LDAP_DEBUG_ANY,
+                                       "TLS: unable to get subjectAltName from 
peer certificate.\n", 0, 0, 0 );
+                               ret = LDAP_CONNECT_ERROR;
+                               if ( ld->ld_error ) {
+                                       LDAP_FREE( ld->ld_error );
+                               }
+                               ld->ld_error = LDAP_STRDUP(
+                                       _("TLS: unable to get subjectAltName 
from peer certificate"));
+                               goto done;
+                       }
+                       /* FALLTHRU */
+               case LDAP_OPT_X_TLS_TRY:
+                       if (gotSAN) {
+                               Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does 
not match "
+                                       "subjectAltName in certificate.\n",
+                                       name, 0, 0 );
+                               ret = LDAP_CONNECT_ERROR;
+                               if ( ld->ld_error ) {
+                                       LDAP_FREE( ld->ld_error );
+                               }
+                               ld->ld_error = LDAP_STRDUP(
+                                       _("TLS: hostname does not match 
subjectAltName in peer certificate"));
+                               goto done;
+                       }
+                       break;
+               case LDAP_OPT_X_TLS_ALLOW:
+                       break;
+               }
+       }
 
        if (ret != LDAP_SUCCESS) {
                X509_NAME *xn;
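Review bot: The `switch(chkSAN)` has no `default:` case, so any value other than the four listed falls through to the CN comparison below exactly as `LDAP_OPT_X_TLS_ALLOW` does, and a reader cannot tell whether that is intended. An explicit `default:` would settle it; for an option that controls certificate validation, failing closed for unrecognised values (treating them like `LDAP_OPT_X_TLS_DEMAND`) is the safer choice, but even `default: break; /* unknown: SAN result advisory, CN check decides */` documents the decision. Note also that `chkSAN == 0` (presumably `LDAP_OPT_X_TLS_NEVER`) never reads the SAN extension at all because of the `if (chkSAN)` guard introduced two hunks earlier, so in that mode a certificate is accepted on CN alone. The enclosing function starts before this hunk and ends after it.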
@@ -796,9 +830,10 @@
                                LDAP_FREE( ld->ld_error );
                        }
                        ld->ld_error = LDAP_STRDUP(
-                               _("TLS: hostname does not match CN in peer 
certificate"));
+                               _("TLS: hostname does not match name in peer 
certificate"));
                }
        }
+done:
        X509_free(x);
        return ret;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/libraries/librewrite/subst.c 
new/openldap-2.4.52/libraries/librewrite/subst.c
--- old/openldap-2.4.51/libraries/librewrite/subst.c    2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/libraries/librewrite/subst.c    2020-08-28 
18:10:00.000000000 +0200
@@ -32,7 +32,7 @@
 {
        size_t subs_len;
        struct berval *subs = NULL, *tmps;
-       struct rewrite_submatch *submatch = NULL;
+       struct rewrite_submatch *submatch = NULL, *tmpsm;
 
        struct rewrite_subst *s = NULL;
 
@@ -71,7 +71,16 @@
                        goto cleanup;
                }
                subs = tmps;
-               
+               subs[ nsub ].bv_val = NULL;
+
+               tmpsm = ( struct rewrite_submatch * )realloc( submatch,
+                               sizeof( struct rewrite_submatch )*( nsub + 1 ) 
);
+               if ( tmpsm == NULL ) {
+                       goto cleanup;
+               }
+               submatch = tmpsm;
+               submatch[ nsub ].ls_map = NULL;
+
                /*
                 * I think an `if l > 0' at runtime is better outside than
                 * inside a function call ...
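Review bot: Nothing explains why the `submatch` realloc now happens before the substitution pattern is parsed, or why `subs[ nsub ].bv_val` and `submatch[ nsub ].ls_map` are NULLed immediately; presumably this is so `cleanup` can release all `nsub + 1` slots and free only the members that were actually populated when parsing fails part-way, which the old in-branch reallocs did not guarantee. A comment on the realloc, `/* grow both arrays now and NULL the new slot so cleanup can free a partially-built entry */`, would stop a future refactor from moving the allocation back into the branches. While here, the cast on `realloc` is unnecessary in C and `sizeof( *tmpsm )` would follow the element type automatically. The function containing this code and its `cleanup` label lie outside the hunk.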
@@ -95,19 +104,12 @@
                 * Substitution pattern
                 */
                if ( isdigit( (unsigned char) p[ 1 ] ) ) {
-                       struct rewrite_submatch *tmpsm;
                        int d = p[ 1 ] - '0';
 
                        /*
                         * Add a new value substitution scheme
                         */
 
-                       tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-                                       sizeof( struct rewrite_submatch )*( 
nsub + 1 ) );
-                       if ( tmpsm == NULL ) {
-                               goto cleanup;
-                       }
-                       submatch = tmpsm;
                        submatch[ nsub ].ls_submatch = d;
 
                        /*
@@ -140,7 +142,6 @@
                 */
                } else if ( p[ 1 ] == '{' ) {
                        struct rewrite_map *map;
-                       struct rewrite_submatch *tmpsm;
 
                        map = rewrite_map_parse( info, p + 2,
                                        (const char **)&begin );
@@ -152,13 +153,6 @@
                        /*
                         * Add a new value substitution scheme
                         */
-                       tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-                                       sizeof( struct rewrite_submatch )*( 
nsub + 1 ) );
-                       if ( tmpsm == NULL ) {
-                               rewrite_map_destroy( &map );
-                               goto cleanup;
-                       }
-                       submatch = tmpsm;
                        submatch[ nsub ].ls_type =
                                REWRITE_SUBMATCH_MAP_W_ARG;
                        submatch[ nsub ].ls_map = map;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/servers/slapd/back-mdb/idl.c 
new/openldap-2.4.52/servers/slapd/back-mdb/idl.c
--- old/openldap-2.4.51/servers/slapd/back-mdb/idl.c    2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/servers/slapd/back-mdb/idl.c    2020-08-28 
18:10:00.000000000 +0200
@@ -625,9 +625,30 @@
                                }
                                if ( lo2 >= hi2 ) {
                                /* The range has collapsed... */
-                                       rc = mdb_cursor_del( cursor, 
MDB_NODUPDATA );
+                                       /* delete the range marker */
+                                       rc = mdb_cursor_del( cursor, 0 );
                                        if ( rc != 0 ) {
-                                               err = "c_del dup";
+                                               err = "c_del dup1";
+                                               goto fail;
+                                       }
+                                       /* skip past deleted marker */
+                                       rc = mdb_cursor_get( cursor, &key, 
&data, MDB_NEXT_DUP );
+                                       if ( rc != 0 ) {
+                                               err = "c_get dup1";
+                                               goto fail;
+                                       }
+                                       /* delete the requested id */
+                                       if ( id == hi ) {
+                                               /* skip lo */
+                                               rc = mdb_cursor_get( cursor, 
&key, &data, MDB_NEXT_DUP );
+                                               if ( rc != 0 ) {
+                                                       err = "c_get dup2";
+                                                       goto fail;
+                                               }
+                                       }
+                                       rc = mdb_cursor_del( cursor, 0 );
+                                       if ( rc != 0 ) {
+                                               err = "c_del dup2";
                                                goto fail;
                                        }
                                } else {
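Review bot: The collapsed-range branch performs three cursor operations whose individual comments do not state the invariant they depend on: after the marker is deleted the remaining dups appear to be `lo` then `hi`, `MDB_NEXT_DUP` is expected to land on `lo`, and exactly one of the two is removed so the key keeps a single plain id. A block comment above `/* delete the range marker */`, e.g. `/* range collapsed to {marker, lo, hi}: drop the marker and the endpoint being deleted, leaving the other as a plain id */`, would let a reviewer check the sequence without LMDB cursor semantics in hand. The enclosing function and the `fail:` label are outside this hunk.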
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/servers/slapd/config.c 
new/openldap-2.4.52/servers/slapd/config.c
--- old/openldap-2.4.51/servers/slapd/config.c  2020-08-11 20:33:20.000000000 
+0200
+++ new/openldap-2.4.52/servers/slapd/config.c  2020-08-28 18:10:00.000000000 
+0200
@@ -1428,8 +1428,10 @@
        { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 
1, NULL },
        { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 
's', 1, NULL },
        { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 
's', 0, NULL },
+       { BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 
0, NULL },
        { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, 
sb_tls_cipher_suite), 's', 0, NULL },
        { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, 
sb_tls_protocol_min), 's', 0, NULL },
+       { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 
0, NULL },
 #ifdef HAVE_OPENSSL_CRL
        { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 
's', 0, NULL },
 #endif
@@ -1795,6 +1797,10 @@
                ch_free( bc->sb_tls_reqcert );
                bc->sb_tls_reqcert = NULL;
        }
+       if ( bc->sb_tls_reqsan ) {
+               ch_free( bc->sb_tls_reqsan );
+               bc->sb_tls_reqsan = NULL;
+       }
        if ( bc->sb_tls_cipher_suite ) {
                ch_free( bc->sb_tls_cipher_suite );
                bc->sb_tls_cipher_suite = NULL;
@@ -1803,6 +1809,10 @@
                ch_free( bc->sb_tls_protocol_min );
                bc->sb_tls_protocol_min = NULL;
        }
+       if ( bc->sb_tls_ecname ) {
+               ch_free( bc->sb_tls_ecname );
+               bc->sb_tls_ecname = NULL;
+       }
 #ifdef HAVE_OPENSSL_CRL
        if ( bc->sb_tls_crlcheck ) {
                ch_free( bc->sb_tls_crlcheck );
@@ -1838,6 +1848,11 @@
                                &bc->sb_tls_cipher_suite );
                if ( !bc->sb_tls_reqcert )
                        bc->sb_tls_reqcert = ch_strdup("demand");
+               if ( !bc->sb_tls_reqsan )
+                       bc->sb_tls_reqsan = ch_strdup("allow");
+               if ( !bc->sb_tls_ecname )
+                       slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
+                               &bc->sb_tls_ecname );
 #ifdef HAVE_OPENSSL_CRL
                if ( !bc->sb_tls_crlcheck )
                        slap_tls_get_config( slap_tls_ld, 
LDAP_OPT_X_TLS_CRLCHECK,
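Review bot: `tls_reqsan` defaults to `"allow"` while `tls_reqcert` two lines above defaults to `"demand"`, and nothing records why the new option is the permissive one. Judging from the libldap change in this same update, `allow` means a SAN that does not match the hostname is not fatal and the CN comparison still decides, i.e. the behaviour before the option existed; a comment on the `ch_strdup("allow")` line such as `/* compatibility default: SAN mismatch falls back to the CN check; set demand for SAN-only matching */` would make the trade-off visible to operators reading the source. The enclosing function begins before this hunk.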
@@ -1858,7 +1873,7 @@
        { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), 
LDAP_OPT_X_TLS_CACERTFILE },
        { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), 
LDAP_OPT_X_TLS_CACERTDIR },
        { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), 
LDAP_OPT_X_TLS_CIPHER_SUITE },
-       { "tls_protocol_min", offsetof(slap_bindconf, sb_tls_protocol_min), 
LDAP_OPT_X_TLS_PROTOCOL_MIN },
+       { "tls_ecname", offsetof(slap_bindconf, sb_tls_ecname), 
LDAP_OPT_X_TLS_ECNAME },
        {0, 0}
 };
 
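Review bot: This hunk swaps the `tls_protocol_min` entry out of the option table for `tls_ecname` instead of adding the new row, so whatever loop walks this table no longer sees `tls_protocol_min`. It looks intentional — the next hunk shows `sb_tls_protocol_min` being applied through `ldap_int_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, ... )`, which suggests a string-typed table entry was the wrong mechanism for it — but that reasoning is not in the diff. A comment on the table, `/* tls_protocol_min and tls_reqsan are applied via ldap_int_tls_config below, not through this table */`, would keep someone from restoring the row; if the removal was not intended, the entry should be re-added alongside `tls_ecname`.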
@@ -1893,6 +1908,16 @@
                } else
                        newctx = 1;
        }
+       if ( bc->sb_tls_reqsan ) {
+               rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
+                       bc->sb_tls_reqsan );
+               if ( rc ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "bindconf_tls_set: failed to set tls_reqsan to 
%s\n",
+                                       bc->sb_tls_reqsan, 0, 0 );
+                       res = -1;
+               }
+       }
        if ( bc->sb_tls_protocol_min ) {
                rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
                        bc->sb_tls_protocol_min );
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/servers/slapd/slap.h 
new/openldap-2.4.52/servers/slapd/slap.h
--- old/openldap-2.4.51/servers/slapd/slap.h    2020-08-11 20:33:20.000000000 
+0200
+++ new/openldap-2.4.52/servers/slapd/slap.h    2020-08-28 18:10:00.000000000 
+0200
@@ -1639,8 +1639,10 @@
        char *sb_tls_cacert;
        char *sb_tls_cacertdir;
        char *sb_tls_reqcert;
+       char *sb_tls_reqsan;
        char *sb_tls_cipher_suite;
        char *sb_tls_protocol_min;
+       char *sb_tls_ecname;
 #ifdef HAVE_OPENSSL_CRL
        char *sb_tls_crlcheck;
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/servers/slapd/syncrepl.c 
new/openldap-2.4.52/servers/slapd/syncrepl.c
--- old/openldap-2.4.51/servers/slapd/syncrepl.c        2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/servers/slapd/syncrepl.c        2020-08-28 
18:10:00.000000000 +0200
@@ -501,103 +501,132 @@
        return rc;
 }
 
+/* #define DEBUG_MERGE_STATE   1 */
+
 static int
-merge_state( syncinfo_t *si )
+merge_state( syncinfo_t *si, struct sync_cookie *sc1, struct sync_cookie *sc2 )
 {
-       int i, j = 0, k, numcsns = 0, alloc = 0, changed = 0;
-       BerVarray new_ctxcsn = si->si_syncCookie.ctxcsn;
-       int *new_sids = NULL;
-
-       /* Count and set up sids */
-       for ( i=0; i < si->si_cookieState->cs_num; i++ ) {
-               if ( si->si_cookieState->cs_sids[i] == -1 ) {
-                       continue;
-               }
-
-               for ( ; j < si->si_syncCookie.numcsns &&
-                                       si->si_syncCookie.sids[j] == -1;
-                               j++ )
-                       alloc = 1; /* Just skip over them */
-
-               for ( ; j < si->si_syncCookie.numcsns &&
-                                       si->si_syncCookie.sids[j] < 
si->si_cookieState->cs_sids[i];
-                               j++ ) {
-                       if ( si->si_syncCookie.sids[j] != -1 ) {
-                               new_sids = ch_realloc( new_sids, 
(numcsns+1)*sizeof(int) );
-                               new_sids[numcsns++] = si->si_syncCookie.sids[j];
+       int i, j, k, changed = 0;
+       int ei, ej;
+       int *newsids;
+       struct berval *newcsns;
+
+       ei = sc1->numcsns;
+       ej = sc2->numcsns;
+#ifdef DEBUG_MERGE_STATE
+       for ( i=0; i<ei; i++ ) {
+               fprintf(stderr, "merge_state: %s si_syncCookie [%d] %d %s\n",
+                       si->si_ridtxt, i, sc1->sids[i], sc1->ctxcsn[i].bv_val );
+       }
+       for ( i=0; i<ej; i++ ) {
+               fprintf(stderr, "merge_state: %s si_cookieState [%d] %d %s\n",
+                       si->si_ridtxt, i, sc2->sids[i], sc2->ctxcsn[i].bv_val );
+       }
+#endif
+       /* see if they cover the same SIDs */
+       if ( ei == ej ) {
+               for ( i = 0; i < ei; i++ ) {
+                       if ( sc1->sids[i] != sc2->sids[i] ) {
+                               changed = 1;
+                               break;
                        }
                }
-
-               if ( j < si->si_syncCookie.numcsns &&
-                               si->si_syncCookie.sids[j] == 
si->si_cookieState->cs_sids[i] ) j++;
-
-               new_sids = ch_realloc( new_sids, (numcsns+1)*sizeof(int) );
-               new_sids[numcsns++] = si->si_cookieState->cs_sids[i];
-       }
-
-       for ( ; j < si->si_syncCookie.numcsns; j++ ) {
-               if ( si->si_syncCookie.sids[j] != -1 ) {
-                       new_sids = ch_realloc( new_sids, 
(numcsns+1)*sizeof(int) );
-                       new_sids[numcsns++] = si->si_syncCookie.sids[j];
+               /* SIDs are the same, take fast path */
+               if ( !changed ) {
+                       for ( i = 0; i > ei; i++ ) {
+                               if ( !bvmatch( &sc1->ctxcsn[i], &sc2->ctxcsn[i] 
)) {
+                                       ber_bvreplace( &sc1->ctxcsn[i], 
&sc2->ctxcsn[i] );
+                                       changed = 1;
+                               }
+                       }
+                       return changed;
                }
+               changed = 0;
        }
 
-       if ( alloc || numcsns != si->si_syncCookie.numcsns ) {
-               /* Short circuit allocations if we don't need to start over */
-               alloc = 1;
-               new_ctxcsn = ch_calloc( numcsns + 1, sizeof( BerValue ) );
-       }
+       i = ei + ej;
+       newsids = ch_malloc( sizeof(int) * i );
+       newcsns = ch_malloc( sizeof(struct berval) * ( i + 1 ));
 
-       i = j = 0;
-       for ( k=0; k < numcsns; k++ ) {
-               while ( i < si->si_cookieState->cs_num &&
-                               si->si_cookieState->cs_sids[i] < new_sids[k] )
+       for ( i=0, j=0, k=0; i < ei || j < ej ; ) {
+               if ( sc1->sids[i] == -1 ) {
                        i++;
-
-               while ( j < si->si_syncCookie.numcsns &&
-                               si->si_syncCookie.sids[j] < new_sids[k] )
-                       j++;
-
-               if ( j < si->si_syncCookie.numcsns &&
-                               si->si_cookieState->cs_sids[i] == 
si->si_syncCookie.sids[j] ) {
-                       assert( si->si_cookieState->cs_sids[i] == new_sids[k] );
-                       if ( !bvmatch( &si->si_syncCookie.ctxcsn[j],
-                                       &si->si_cookieState->cs_vals[i] )) {
-                               ber_bvreplace( &new_ctxcsn[k], 
&si->si_cookieState->cs_vals[i] );
+                       continue;
+               }
+               if ( j >= ej || (i < ei && sc1->sids[i] < sc2->sids[j] )) {
+                       newsids[k] = sc1->sids[i];
+                       ber_dupbv( &newcsns[k], &sc1->ctxcsn[i] );
+                       i++; k++;
+                       continue;
+               }
+               if ( i < ei && sc1->sids[i] == sc2->sids[j] ) {
+                       newsids[k] = sc1->sids[i];
+                       ber_dupbv( &newcsns[k], &sc2->ctxcsn[j] );
+                       if ( !bvmatch( &sc1->ctxcsn[i], &sc2->ctxcsn[j] ))
                                changed = 1;
-                       } else if ( alloc ) {
-                               ber_dupbv( &new_ctxcsn[k], 
&si->si_syncCookie.ctxcsn[j] );
+                       i++; j++; k++;
+                       continue;
+               }
+               if ( j < ej ) {
+                       if ( sc2->sids[j] == -1 ) {
+                               j++;
+                               continue;
                        }
-                       i++;
-                       j++;
-               } else if ( si->si_cookieState->cs_sids[i] == new_sids[k] ) {
+                       newsids[k] = sc2->sids[j];
+                       ber_dupbv( &newcsns[k], &sc2->ctxcsn[j] );
                        changed = 1;
-                       ber_bvreplace( &new_ctxcsn[k], 
&si->si_cookieState->cs_vals[i] );
-                       i++;
-               } else {
-                       if ( alloc ) {
-                               ber_dupbv( &new_ctxcsn[k], 
&si->si_syncCookie.ctxcsn[j] );
-                       }
-                       j++;
+                       j++; k++;
                }
        }
-       assert( i == si->si_cookieState->cs_num );
-       assert( j == si->si_syncCookie.numcsns );
 
-       si->si_syncCookie.numcsns = numcsns;
-       if ( alloc ) {
-               changed = 1;
-               ch_free( si->si_syncCookie.sids );
-               si->si_syncCookie.sids = new_sids;
-
-               ber_bvarray_free( si->si_syncCookie.ctxcsn );
-               si->si_syncCookie.ctxcsn = new_ctxcsn;
-       } else {
-               ch_free( new_sids );
+       ber_bvarray_free( sc1->ctxcsn );
+       ch_free( sc1->sids );
+       sc1->numcsns = k;
+       sc1->sids = ch_realloc( newsids, sizeof(int) * k );
+       sc1->ctxcsn = ch_realloc( newcsns, sizeof(struct berval) * (k+1) );
+       BER_BVZERO( &sc1->ctxcsn[k] );
+#ifdef DEBUG_MERGE_STATE
+       for ( i=0; i<sc1->numcsns; i++ ) {
+               fprintf(stderr, "merge_state: %s si_syncCookie2 [%d] %d %s\n",
+                       si->si_ridtxt, i, sc1->sids[i], sc1->ctxcsn[i].bv_val );
        }
+#endif
+
        return changed;
 }
 
+#ifdef DEBUG_MERGE_STATE
+static void
+merge_test( syncinfo_t *si ) {
+       struct sync_cookie sc1, sc2;
+       int ret;
+
+       sc1.numcsns = 1;
+       sc1.sids = malloc( sizeof(int));
+       sc1.ctxcsn = malloc( sizeof( struct berval ) * 2);
+       sc1.sids[0] = 1;
+       { struct berval bv = 
BER_BVC("20200826182258.100566Z#000000#001#000000");
+       ber_dupbv( &sc1.ctxcsn[0], &bv ); }
+       BER_BVZERO( &sc1.ctxcsn[1] );
+
+       sc2.numcsns = 3;
+       sc2.sids = malloc( sizeof(int) * 3);
+       sc2.ctxcsn = malloc( sizeof(struct berval) * 4);
+       sc2.sids[0] = 1;
+       sc2.sids[1] = 2;
+       sc2.sids[2] = 3;
+       { struct berval bv = 
BER_BVC("20200826182258.100567Z#000000#001#000000");
+       ber_dupbv( &sc2.ctxcsn[0], &bv ); }
+       { struct berval bv = 
BER_BVC("20200826182259.141950Z#000000#002#000000");
+       ber_dupbv( &sc2.ctxcsn[1], &bv ); }
+       { struct berval bv = 
BER_BVC("20200826182300.171795Z#000000#003#000000");
+       ber_dupbv( &sc2.ctxcsn[2], &bv ); }
+       BER_BVZERO( &sc2.ctxcsn[3] );
+
+       ret = merge_state( si, &sc1, &sc2 );
+}
+#endif
+
 static int
 check_syncprov(
        Operation *op,
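Review bot: The fast path never executes: `for ( i = 0; i > ei; i++ )` is false on its first test for any non-negative `ei`, so when both cookies carry the same SIDs `merge_state` returns 0 without copying newer CSNs from `sc2` into `sc1`; the condition should be `i < ei`. The merge loop also reads out of bounds: its first test `if ( sc1->sids[i] == -1 )` is reached with `i == ei` whenever `sc2` still has entries (`j < ej`), so it should be guarded as `if ( i < ei && sc1->sids[i] == -1 )`, matching the `i < ei` guards on the later branches. Both are in the new code of this hunk; a regression test through the `DEBUG_MERGE_STATE` hook (`merge_test` builds cookies with differing SID sets, which exercises the slow path but not the fast one) would catch the first.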
@@ -668,8 +697,9 @@
                        ber_bvarray_dup_x( &si->si_syncCookie.ctxcsn,
                                si->si_cookieState->cs_vals, NULL );
                        changed = 1;
-               } else if ( merge_state( si ) ) {
-                       changed = 1;
+               } else {
+                       changed = merge_state( si, &si->si_syncCookie,
+                               (struct sync_cookie 
*)&si->si_cookieState->cs_vals );
                }
        }
        if ( changed ) {
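Review bot: `(struct sync_cookie *)&si->si_cookieState->cs_vals` hands `merge_state` the address of a `cookie_state` member and lets it read `sc2->sids` and `sc2->numcsns` at the offsets `struct sync_cookie` defines, so it only works while `cs_vals`/`cs_sids`/`cs_num` and `ctxcsn`/`sids`/`numcsns` keep the same order and types. Nothing in the hunk pins that down; a comment at the call site naming the dependency, or a compile-time offset check next to one of the struct definitions, would protect it, and building a local `struct sync_cookie` from the three members would avoid the aliasing altogether. Since `merge_state` writes only to `sc1` and frees its arrays, passing the cookie state as `sc2` is at least read-only here, which is worth stating in the same comment. The enclosing function begins before the hunk.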
@@ -874,7 +904,11 @@
        return match;
 }
 
-#define        SYNC_PAUSED     -3
+#define SYNC_TIMEOUT   0
+#define SYNC_SHUTDOWN  -100
+#define SYNC_ERROR             -101
+#define SYNC_REPOLL            -102
+#define SYNC_PAUSED            -103
 
 static int
 do_syncrep2(
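Review bot: `SYNC_TIMEOUT` is defined as 0, which is also `LDAP_SUCCESS`, so every `rc == SYNC_TIMEOUT` test in the rest of the file also matches an `rc` left at 0 by a successful path. That appears deliberate — `ldap_result()` returns 0 when it times out, and the loop below now always polls with a zero `tout` — but it should be said at the definition, e.g. `#define SYNC_TIMEOUT 0 /* == LDAP_SUCCESS: ldap_result() had nothing to return */`. The negative values are also unparenthesised; `(-101)` and friends, or a single `enum`, avoids surprises if one is ever used inside an arithmetic expression.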
@@ -896,14 +930,13 @@
 
        int                             m;
 
-       struct timeval *tout_p = NULL;
        struct timeval tout = { 0, 0 };
 
        int             refreshDeletes = 0;
        char empty[6] = "empty";
 
        if ( slapd_shutdown ) {
-               rc = -2;
+               rc = SYNC_SHUTDOWN;
                goto done;
        }
 
@@ -914,14 +947,8 @@
 
        slap_dup_sync_cookie( &syncCookie_req, &si->si_syncCookie );
 
-       if ( abs(si->si_type) == LDAP_SYNC_REFRESH_AND_PERSIST && 
si->si_refreshDone ) {
-               tout_p = &tout;
-       } else {
-               tout_p = NULL;
-       }
-
        while ( ( rc = ldap_result( si->si_ld, si->si_msgid, LDAP_MSG_ONE,
-               tout_p, &msg ) ) > 0 )
+               &tout, &msg ) ) > 0 )
        {
                int                             match, punlock, syncstate;
                struct berval   *retdata, syncUUID[2], cookie = BER_BVNULL;
@@ -934,7 +961,7 @@
                struct berval   bdn;
 
                if ( slapd_shutdown ) {
-                       rc = -2;
+                       rc = SYNC_SHUTDOWN;
                        goto done;
                }
                switch( ldap_msgtype( msg ) ) {
@@ -1044,7 +1071,7 @@
                                                /* check pending CSNs too */
                                                while ( 
ldap_pvt_thread_mutex_trylock( &si->si_cookieState->cs_pmutex )) {
                                                        if ( slapd_shutdown ) {
-                                                               rc = -2;
+                                                               rc = 
SYNC_SHUTDOWN;
                                                                goto done;
                                                        }
                                                        if ( 
!ldap_pvt_thread_pool_pausecheck( &connection_pool ))
@@ -1206,7 +1233,7 @@
                                                "got search result with 
multiple "
                                                "Sync State control\n", 
si->si_ridtxt, 0, 0 );
                                        ldap_controls_free( rctrls );
-                                       rc = -1;
+                                       rc = SYNC_ERROR;
                                        goto done;
                                }
                        }
@@ -1277,7 +1304,11 @@
                                rc = LDAP_SYNC_REFRESH_REQUIRED;
                                slap_resume_listeners();
                        } else {
-                               rc = -2;
+                               /* for persist, we shouldn't get a SearchResult 
so this is an error */
+                               if ( si->si_type == 
LDAP_SYNC_REFRESH_AND_PERSIST )
+                                       rc = SYNC_ERROR;
+                               else
+                                       rc = SYNC_REPOLL;
                        }
                        goto done;
 
@@ -1353,9 +1384,6 @@
                                                si->si_refreshDone = 1;
                                        }
                                        ber_scanf( ber, /*"{"*/ "}" );
-                                       if ( abs(si->si_type) == 
LDAP_SYNC_REFRESH_AND_PERSIST &&
-                                               si->si_refreshDone )
-                                               tout_p = &tout;
                                        break;
                                case LDAP_TAG_SYNC_ID_SET:
                                        Debug( LDAP_DEBUG_SYNC,
@@ -1485,7 +1513,7 @@
                }
        }
 
-       if ( rc == -1 ) {
+       if ( rc == SYNC_ERROR ) {
                rc = LDAP_OTHER;
                ldap_get_option( si->si_ld, LDAP_OPT_ERROR_NUMBER, &rc );
                err = rc;
@@ -1528,7 +1556,7 @@
        int rc = LDAP_SUCCESS;
        int dostop = 0;
        ber_socket_t s;
-       int i, defer = 1, fail = 0, freeinfo = 0;
+       int i, fail = 0, freeinfo = 0;
        Backend *be;
 
        if ( si == NULL )
@@ -1661,25 +1689,19 @@
                        }
                        if ( si->si_conn )
                                dostop = 1;
-                       rc = -1;
+                       rc = SYNC_SHUTDOWN;
                }
 
                if ( rc != SYNC_PAUSED ) {
-                       if ( abs(si->si_type) == LDAP_SYNC_REFRESH_AND_PERSIST 
) {
-                               /* If we succeeded, enable the connection for 
further listening.
-                                * If we failed, tear down the connection and 
reschedule.
-                                */
-                               if ( rc == LDAP_SUCCESS ) {
-                                       if ( si->si_conn ) {
-                                               connection_client_enable( 
si->si_conn );
-                                       } else {
-                                               si->si_conn = 
connection_client_setup( s, do_syncrepl, arg );
-                                       } 
-                               } else if ( si->si_conn ) {
-                                       dostop = 1;
+                       if ( rc == SYNC_TIMEOUT ) {
+                               /* there was nothing to read, try to listen for 
more */
+                               if ( si->si_conn ) {
+                                       connection_client_enable( si->si_conn );
+                               } else {
+                                       si->si_conn = connection_client_setup( 
s, do_syncrepl, arg );
                                }
-                       } else {
-                               if ( rc == -2 ) rc = 0;
+                       } else if ( si->si_conn ) {
+                               dostop = 1;
                        }
                }
        }
@@ -1688,8 +1710,8 @@
         * 1) for any hard failure, give up and remove this task
         * 2) for ServerDown, reschedule this task to run later
         * 3) for threadpool pause, reschedule to run immediately
-        * 4) for Refresh and Success, reschedule to run
-        * 5) for Persist and Success, reschedule to defer
+        * 4) for SYNC_REPOLL, reschedule to run later
+        * 5) for SYNC_TIMEOUT, reschedule to defer
         */
        ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
 
@@ -1707,25 +1729,26 @@
                ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
                rtask->interval.tv_sec = si->si_interval;
                rc = 0;
-       } else if ( rc == LDAP_SUCCESS ) {
-               if ( si->si_type == LDAP_SYNC_REFRESH_ONLY ) {
-                       defer = 0;
-               }
+       } else if ( rc == SYNC_TIMEOUT ) {
+               ldap_pvt_runqueue_resched( &slapd_rq, rtask, 1 );
+       } else if ( rc == SYNC_REPOLL ) {
                rtask->interval.tv_sec = si->si_interval;
-               ldap_pvt_runqueue_resched( &slapd_rq, rtask, defer );
+               ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
                if ( si->si_retrynum ) {
                        for ( i = 0; si->si_retrynum_init[i] != RETRYNUM_TAIL; 
i++ ) {
                                si->si_retrynum[i] = si->si_retrynum_init[i];
                        }
                        si->si_retrynum[i] = RETRYNUM_TAIL;
                }
+               slap_wake_listener();
+               rc = 0;
        } else {
                for ( i = 0; si->si_retrynum && si->si_retrynum[i] <= 0; i++ ) {
                        if ( si->si_retrynum[i] == RETRYNUM_FOREVER || 
si->si_retrynum[i] == RETRYNUM_TAIL )
                                break;
                }
 
-               if ( si->si_ctype < 1
+               if ( si->si_ctype < 1 || rc == SYNC_SHUTDOWN
                        || !si->si_retrynum || si->si_retrynum[i] == 
RETRYNUM_TAIL ) {
                        if ( si->si_re ) {
                                ldap_pvt_runqueue_remove( &slapd_rq, rtask );
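Review bot: The `SYNC_TIMEOUT` branch reschedules with `defer` set to 1 but, unlike the `SYNC_REPOLL` branch that follows, does not assign `rc = 0` explicitly and relies on `SYNC_TIMEOUT` itself being 0 for the caller to see success. An explicit `rc = 0;` after the `ldap_pvt_runqueue_resched( &slapd_rq, rtask, 1 );` keeps the two branches symmetric and survives a future change of the constant. The function continues beyond the hunk, so I cannot see how `rc` is consumed afterwards.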
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/openldap-2.4.51/tests/data/regressions/its9282/config.ldif 
new/openldap-2.4.52/tests/data/regressions/its9282/config.ldif
--- old/openldap-2.4.51/tests/data/regressions/its9282/config.ldif      
2020-08-11 20:33:20.000000000 +0200
+++ new/openldap-2.4.52/tests/data/regressions/its9282/config.ldif      
2020-08-28 18:10:00.000000000 +0200
@@ -62,7 +62,7 @@
  dn="cn=manager,dc=example,dc=com" credentials=secret timeout=1
 olcMirrorMode: TRUE
 
-dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
+dn: olcOverlay={0}syncprov,olcDatabase={1}@BACKEND@,cn=config
 objectClass: olcSyncProvConfig
 olcOverlay: {0}syncprov
 olcSpCheckpoint: 100 10
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openldap-2.4.51/tests/progs/slapd-mtread.c 
new/openldap-2.4.52/tests/progs/slapd-mtread.c
--- old/openldap-2.4.51/tests/progs/slapd-mtread.c      2020-08-11 
20:33:20.000000000 +0200
+++ new/openldap-2.4.52/tests/progs/slapd-mtread.c      2020-08-28 
18:10:00.000000000 +0200
@@ -185,7 +185,7 @@
        /* by default, tolerate referrals and no such object */
        tester_ignore_str2errlist( "REFERRAL,NO_SUCH_OBJECT" );
 
-       while ( (i = getopt( argc, argv, "ACc:D:e:Ff:H:h:i:L:l:M:m:p:r:t:T:w:v" 
)) != EOF ) {
+       while ( (i = getopt( argc, argv, 
"ACc:D:e:Ff:H:h:i:L:l:M:m:Np:r:t:T:w:v" )) != EOF ) {
                switch ( i ) {
                case 'A':
                        noattrs++;

++++++ start ++++++
--- /var/tmp/diff_new_pack.QHhtJj/_old  2020-09-01 20:03:53.284494755 +0200
+++ /var/tmp/diff_new_pack.QHhtJj/_new  2020-09-01 20:03:53.288494757 +0200
@@ -7,10 +7,6 @@
 #         Ralf Haferkamp
 #
 
-# Determine the base and follow a runlevel link name.
-base=${0##*/}
-link=${base#*[SK][0-9][0-9]}
-
 test -f /etc/sysconfig/openldap && . /etc/sysconfig/openldap
 
 SLAPD_BIN=/usr/sbin/slapd

