Halaman utama Jelajahi Bantuan
Masuk
erkanisik
/
main
cermin dari https://github.com/pisilinux/main.git
Liatin 1
Bintangi 0
Fork 0
Berkas Masalah 0 Wiki
Pohon: 53ae218f7b
Ranting Tag
main
/
server
/
openldap
/
files
/
fedora
/
openldap-openssl-ITS7595-Add-EC-support-1.patch

openldap-openssl-ITS7595-Add-EC-support-1.patch 8.2 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228 
  1. ITS#7595 Add Elliptic Curve support for OpenSSL
    2. 

  2. 

  3. Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
    4. 

  4. Author:    Howard Chu <hyc@openldap.org>
    5. 

  5. Date:      Sat Sep 7 09:47:19 2013 -0700
    6. 

  6. 

  7. diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
    8. 

  8. index 9c72e8296..2311c3096 100644
    9. 

  9. --- a/doc/man/man5/slapd-config.5
    10. 

  10. +++ b/doc/man/man5/slapd-config.5
    11. 

  11. @@ -922,6 +922,13 @@ are not used.
    12. 

  12.  When using Mozilla NSS these parameters are always generated randomly
    13. 

  13.  so this directive is ignored.
    14. 

  14.  .TP
    15. 

  15. +.B olcTLSECName: <name>
    16. 

  16. +Specify the name of a curve to use for Elliptic curve Diffie-Hellman
    17. 

  17. +ephemeral key exchange.  This is required to enable ECDHE algorithms in
    18. 

  18. +OpenSSL.  This option is not used with GnuTLS; the curves may be
    19. 

  19. +chosen in the GnuTLS ciphersuite specification. This option is also
    20. 

  20. +ignored for Mozilla NSS.
    21. 

  21. +.TP
    22. 

  22.  .B olcTLSProtocolMin: <major>[.<minor>]
    23. 

  23.  Specifies minimum SSL/TLS protocol version that will be negotiated.
    24. 

  24.  If the server doesn't support at least that version,
    25. 

  25. diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
    26. 

  26. index f504adcf9..ef03e0ad8 100644
    27. 

  27. --- a/doc/man/man5/slapd.conf.5
    28. 

  28. +++ b/doc/man/man5/slapd.conf.5
    29. 

  29. @@ -1153,6 +1153,13 @@ are not used.
    30. 

  30.  When using Mozilla NSS these parameters are always generated randomly
    31. 

  31.  so this directive is ignored.
    32. 

  32.  .TP
    33. 

  33. +.B TLSECName <name>
    34. 

  34. +Specify the name of a curve to use for Elliptic curve Diffie-Hellman
    35. 

  35. +ephemeral key exchange.  This is required to enable ECDHE algorithms in
    36. 

  36. +OpenSSL.  This option is not used with GnuTLS; the curves may be
    37. 

  37. +chosen in the GnuTLS ciphersuite specification. This option is also
    38. 

  38. +ignored for Mozilla NSS.
    39. 

  39. +.TP
    40. 

  40.  .B TLSProtocolMin <major>[.<minor>]
    41. 

  41.  Specifies minimum SSL/TLS protocol version that will be negotiated.
    42. 

  42.  If the server doesn't support at least that version,
    43. 

  43. diff --git a/include/ldap.h b/include/ldap.h
    44. 

  44. index c245651c2..0964a193e 100644
    45. 

  45. --- a/include/ldap.h
    46. 

  46. +++ b/include/ldap.h
    47. 

  47. @@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
    48. 

  48.  #define LDAP_OPT_X_TLS_NEWCTX		0x600f
    49. 

  49.  #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */
    50. 

  50.  #define LDAP_OPT_X_TLS_PACKAGE		0x6011
    51. 

  51. +#define LDAP_OPT_X_TLS_ECNAME		0x6012
    52. 

  52.  
    53. 

  53.  #define LDAP_OPT_X_TLS_NEVER	0
    54. 

  54.  #define LDAP_OPT_X_TLS_HARD		1
    55. 

  55. diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
    56. 

  56. index 66e04ae80..db7193f4f 100644
    57. 

  57. --- a/libraries/libldap/ldap-int.h
    58. 

  58. +++ b/libraries/libldap/ldap-int.h
    59. 

  59. @@ -165,6 +165,7 @@ struct ldaptls {
    60. 

  60.  	char		*lt_ciphersuite;
    61. 

  61.  	char		*lt_crlfile;
    62. 

  62.  	char		*lt_randfile;	/* OpenSSL only */
    63. 

  63. +	char		*lt_ecname;		/* OpenSSL only */
    64. 

  64.  	int		lt_protocol_min;
    65. 

  65.  };
    66. 

  66.  #endif
    67. 

  67. @@ -250,6 +251,7 @@ struct ldapoptions {
    68. 

  68.  #define ldo_tls_certfile	ldo_tls_info.lt_certfile
    69. 

  69.  #define ldo_tls_keyfile	ldo_tls_info.lt_keyfile
    70. 

  70.  #define ldo_tls_dhfile	ldo_tls_info.lt_dhfile
    71. 

  71. +#define ldo_tls_ecname	ldo_tls_info.lt_ecname
    72. 

  72.  #define ldo_tls_cacertfile	ldo_tls_info.lt_cacertfile
    73. 

  73.  #define ldo_tls_cacertdir	ldo_tls_info.lt_cacertdir
    74. 

  74.  #define ldo_tls_ciphersuite	ldo_tls_info.lt_ciphersuite
    75. 

  75. diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
    76. 

  76. index d25c190ea..0451b01af 100644
    77. 

  77. --- a/libraries/libldap/tls2.c
    78. 

  78. +++ b/libraries/libldap/tls2.c
    79. 

  79. @@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
    80. 

  80.  		LDAP_FREE( lo->ldo_tls_dhfile );
    81. 

  81.  		lo->ldo_tls_dhfile = NULL;
    82. 

  82.  	}
    83. 

  83. +	if ( lo->ldo_tls_ecname ) {
    84. 

  84. +		LDAP_FREE( lo->ldo_tls_ecname );
    85. 

  85. +		lo->ldo_tls_ecname = NULL;
    86. 

  86. +	}
    87. 

  87.  	if ( lo->ldo_tls_cacertfile ) {
    88. 

  88.  		LDAP_FREE( lo->ldo_tls_cacertfile );
    89. 

  89.  		lo->ldo_tls_cacertfile = NULL;
    90. 

  90. @@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
    91. 

  91.  		lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
    92. 

  92.  		__atoe( lts.lt_dhfile );
    93. 

  93.  	}
    94. 

  94. +	if ( lts.lt_ecname ) {
    95. 

  95. +		lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
    96. 

  96. +		__atoe( lts.lt_ecname );
    97. 

  97. +	}
    98. 

  98.  #endif
    99. 

  99.  	lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
    100. 

  100.  	if ( lo->ldo_tls_ctx == NULL ) {
    101. 

  101. @@ -257,6 +265,7 @@ error_exit:
    102. 

  102.  	LDAP_FREE( lts.lt_crlfile );
    103. 

  103.  	LDAP_FREE( lts.lt_cacertdir );
    104. 

  104.  	LDAP_FREE( lts.lt_dhfile );
    105. 

  105. +	LDAP_FREE( lts.lt_ecname );
    106. 

  106.  #endif
    107. 

  107.  	return rc;
    108. 

  108.  }
    109. 

  109. @@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
    110. 

  110.  		*(char **)arg = lo->ldo_tls_dhfile ?
    111. 

  111.  			LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
    112. 

  112.  		break;
    113. 

  113. +	case LDAP_OPT_X_TLS_ECNAME:
    114. 

  114. +		*(char **)arg = lo->ldo_tls_ecname ?
    115. 

  115. +			LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
    116. 

  116. +		break;
    117. 

  117.  	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
    118. 

  118.  		*(char **)arg = lo->ldo_tls_crlfile ?
    119. 

  119.  			LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
    120. 

  120. @@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
    121. 

  121.  		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
    122. 

  122.  		lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
    123. 

  123.  		return 0;
    124. 

  124. +	case LDAP_OPT_X_TLS_ECNAME:
    125. 

  125. +		if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
    126. 

  126. +		lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
    127. 

  127. +		return 0;
    128. 

  128.  	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
    129. 

  129.  		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
    130. 

  130.  		lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
    131. 

  131. diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
    132. 

  132. index f24060b7e..1370923af 100644
    133. 

  133. --- a/libraries/libldap/tls_o.c
    134. 

  134. +++ b/libraries/libldap/tls_o.c
    135. 

  135. @@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
    136. 

  136.  		return -1;
    137. 

  137.  	}
    138. 

  138.  
    139. 

  139. -	if ( lo->ldo_tls_dhfile ) {
    140. 

  140. -		DH *dh = NULL;
    141. 

  141. +	if ( is_server && lo->ldo_tls_dhfile ) {
    142. 

  142. +		DH *dh;
    143. 

  143.  		BIO *bio;
    144. 

  144. -		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
    145. 

  145.  
    146. 

  146.  		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
    147. 

  147.  			Debug( LDAP_DEBUG_ANY,
    148. 

  148. @@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
    149. 

  149.  		}
    150. 

  150.  		BIO_free( bio );
    151. 

  151.  		SSL_CTX_set_tmp_dh( ctx, dh );
    152. 

  152. +		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
    153. 

  153. +		DH_free( dh );
    154. 

  154. +	}
    155. 

  155. +
    156. 

  156. +#ifdef SSL_OP_SINGLE_ECDH_USE
    157. 

  157. +	if ( is_server && lo->ldo_tls_ecname ) {
    158. 

  158. +		EC_KEY *ecdh;
    159. 

  159. +
    160. 

  160. +		int nid = OBJ_sn2nid( lt->lt_ecname );
    161. 

  161. +		if ( nid == NID_undef ) {
    162. 

  162. +			Debug( LDAP_DEBUG_ANY,
    163. 

  163. +				"TLS: could not use EC name `%s'.\n",
    164. 

  164. +				lo->ldo_tls_ecname,0,0);
    165. 

  165. +			tlso_report_error();
    166. 

  166. +			return -1;
    167. 

  167. +		}
    168. 

  168. +		ecdh = EC_KEY_new_by_curve_name( nid );
    169. 

  169. +		if ( ecdh == NULL ) {
    170. 

  170. +			Debug( LDAP_DEBUG_ANY,
    171. 

  171. +				"TLS: could not generate key for EC name `%s'.\n",
    172. 

  172. +				lo->ldo_tls_ecname,0,0);
    173. 

  173. +			tlso_report_error();
    174. 

  174. +			return -1;
    175. 

  175. +		}
    176. 

  176. +		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
    177. 

  177. +		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
    178. 

  178. +		EC_KEY_free( ecdh );
    179. 

  179.  	}
    180. 

  180. +#endif
    181. 

  181.  
    182. 

  182.  	if ( tlso_opt_trace ) {
    183. 

  183.  		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
    184. 

  184. diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
    185. 

  185. index 250f14100..8b1e4e582 100644
    186. 

  186. --- a/servers/slapd/bconfig.c
    187. 

  187. +++ b/servers/slapd/bconfig.c
    188. 

  188. @@ -194,6 +194,7 @@ enum {
    189. 

  189.  	CFG_ACL_ADD,
    190. 

  190.  	CFG_SYNC_SUBENTRY,
    191. 

  191.  	CFG_LTHREADS,
    192. 

  192. +	CFG_TLS_ECNAME,
    193. 

  193.  
    194. 

  194.  	CFG_LAST
    195. 

  195.  };
    196. 

  196. @@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
    197. 

  197.  #endif
    198. 

  198.  		"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
    199. 

  199.  			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
    200. 

  200. +	{ "TLSECName", NULL, 2, 2, 0,
    201. 

  201. +#ifdef HAVE_TLS
    202. 

  202. +		CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
    203. 

  203. +#else
    204. 

  204. +		ARG_IGNORED, NULL,
    205. 

  205. +#endif
    206. 

  206. +		"( OLcfgGlAt:96 NAME 'olcTLSECName' "
    207. 

  207. +			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
    208. 

  208.  	{ "TLSProtocolMin",	NULL, 2, 2, 0,
    209. 

  209.  #ifdef HAVE_TLS
    210. 

  210.  		CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
    211. 

  211. @@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
    212. 

  212.  		 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
    213. 

  213.  		 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
    214. 

  214.  		 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
    215. 

  215. -		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
    216. 

  216. +		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
    217. 

  217.  		 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
    218. 

  218.  		 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
    219. 

  219.  		 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
    220. 

  220. @@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
    221. 

  221.  	case CFG_TLS_CA_PATH:	flag = LDAP_OPT_X_TLS_CACERTDIR;	break;
    222. 

  222.  	case CFG_TLS_CA_FILE:	flag = LDAP_OPT_X_TLS_CACERTFILE;	break;
    223. 

  223.  	case CFG_TLS_DH_FILE:	flag = LDAP_OPT_X_TLS_DHFILE;	break;
    224. 

  224. +	case CFG_TLS_ECNAME:	flag = LDAP_OPT_X_TLS_ECNAME;	break;
    225. 

  225.  #ifdef HAVE_GNUTLS
    226. 

  226.  	case CFG_TLS_CRL_FILE:	flag = LDAP_OPT_X_TLS_CRLFILE;	break;
    227. 

  227.  #endif
    228. 

  228.