June 2017 - openldap-bugs

by pawel＠FreeBSD.org

Hi Howard, On 2017-06-05 17:03 +0100, Howard Chu <hyc(a)symas.com> wrote: >pawel(a)FreeBSD.org wrote: >> Full_Name: Pawe&#322; P&#281;kala >> Version: 2.4.45 >> OS: FreeBSD 12-CURRENT >> URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D219781 >> Submission from: (NULL) (62.141.192.76) >> =20 > >No. LibreSSL should not be hijacking OPENSSL_VERSION_NUMBER macros, >especially if it doesn't actually implement the features of those >versions. > First off let me clarify first that I'm not representing LibreSSL project, this is my opinion as a outsider. From my point of view they are keeping OPENSSL_VERSION_NUMBER for backwards compatibility not forwards, from their openssl/opensslv.h: * These will change with each release of LibreSSL-portable */ #define LIBRESSL_VERSION_NUMBER 0x2050400fL #define LIBRESSL_VERSION_TEXT "LibreSSL 2.5.4" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L >> Latest version fails to build with LibreSSL. Following patch fixes >> issue for me: >> >> --- libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC >> +++ libraries/libldap/tls_o.c >> @@ -47,7 +47,7 @@ >> #include <ssl.h> >> #endif >> >> -#if OPENSSL_VERSION_NUMBER >=3D 0x10100000 >> +#if OPENSSL_VERSION_NUMBER >=3D 0x10100000 >> && !defined(LIBRESSL_VERSION_NUMBER) #define >> ASN1_STRING_data(x) ASN1_STRING_get0_data(x) #endif >> >> @@ -157,7 +157,7 @@ tlso_init( void ) >> (void) tlso_seed_PRNG( lo->ldo_tls_randfile ); >> #endif >> >> -#if OPENSSL_VERSION_NUMBER < 0x10100000 >> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || >> defined(LIBRESSL_VERSION_NUMBER) SSL_load_error_strings(); >> SSL_library_init(); >> OpenSSL_add_all_digests(); >> @@ -205,7 +205,7 @@ static void >> tlso_ctx_ref( tls_ctx *ctx ) >> { >> tlso_ctx *c =3D (tlso_ctx *)ctx; >> -#if OPENSSL_VERSION_NUMBER < 0x10100000 >> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || >> defined(LIBRESSL_VERSION_NUMBER) #define >> SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, >> CRYPTO_LOCK_SSL_CTX ) #endif >> SSL_CTX_up_ref( c ); >> @@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct >> berval * if (!x) return LDAP_INVALID_CREDENTIALS; >> =09 >> xn =3D X509_get_subject_name(x); >> -#if OPENSSL_VERSION_NUMBER < 0x10100000 >> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || >> defined(LIBRESSL_VERSION_NUMBER) der_dn->bv_len =3D i2d_X509_NAME( xn, >> NULL ); der_dn->bv_val =3D xn->bytes->data; >> #else >> @@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct >> berval return LDAP_INVALID_CREDENTIALS; >> >> xn =3D X509_get_subject_name(x); >> -#if OPENSSL_VERSION_NUMBER < 0x10100000 >> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || >> defined(LIBRESSL_VERSION_NUMBER) der_dn->bv_len =3D i2d_X509_NAME( xn, >> NULL ); der_dn->bv_val =3D xn->bytes->data; >> #else >> @@ -721,7 +721,7 @@ struct tls_data { >> Sockbuf_IO_Desc *sbiod; >> }; >> >> -#if OPENSSL_VERSION_NUMBER < 0x10100000 >> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || >> defined(LIBRESSL_VERSION_NUMBER) #define BIO_set_init(b, x) >> b->init =3D x #define BIO_set_data(b, x) b->ptr =3D x >> #define BIO_clear_flags(b, x) b->flags &=3D ~(x) >> @@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str ) >> return tlso_bio_write( b, str, strlen( str ) ); >> } >> >> -#if OPENSSL_VERSION_NUMBER >=3D 0x10100000 >> +#if OPENSSL_VERSION_NUMBER >=3D 0x10100000 >> && !defined(LIBRESSL_VERSION_NUMBER) struct bio_method_st { >> int type; >> const char *name; >> >> >> =20 > > --=20 pozdrawiam / with regards Pawe=C5=82 P=C4=99kala

6 years, 6 months

1
0
0 / 0

Re: (ITS#8666) Fix build with LibreSSL

by hyc＠symas.com

pawel(a)FreeBSD.org wrote: > Full_Name: Pawe&#322; P&#281;kala > Version: 2.4.45 > OS: FreeBSD 12-CURRENT > URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219781 > Submission from: (NULL) (62.141.192.76) > No. LibreSSL should not be hijacking OPENSSL_VERSION_NUMBER macros, especially if it doesn't actually implement the features of those versions. > Latest version fails to build with LibreSSL. Following patch fixes issue for > me: > > --- libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC > +++ libraries/libldap/tls_o.c > @@ -47,7 +47,7 @@ > #include <ssl.h> > #endif > > -#if OPENSSL_VERSION_NUMBER >= 0x10100000 > +#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) > #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x) > #endif > > @@ -157,7 +157,7 @@ tlso_init( void ) > (void) tlso_seed_PRNG( lo->ldo_tls_randfile ); > #endif > > -#if OPENSSL_VERSION_NUMBER < 0x10100000 > +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) > SSL_load_error_strings(); > SSL_library_init(); > OpenSSL_add_all_digests(); > @@ -205,7 +205,7 @@ static void > tlso_ctx_ref( tls_ctx *ctx ) > { > tlso_ctx *c = (tlso_ctx *)ctx; > -#if OPENSSL_VERSION_NUMBER < 0x10100000 > +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) > #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, > CRYPTO_LOCK_SSL_CTX ) > #endif > SSL_CTX_up_ref( c ); > @@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval * > if (!x) return LDAP_INVALID_CREDENTIALS; > > xn = X509_get_subject_name(x); > -#if OPENSSL_VERSION_NUMBER < 0x10100000 > +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) > der_dn->bv_len = i2d_X509_NAME( xn, NULL ); > der_dn->bv_val = xn->bytes->data; > #else > @@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval > return LDAP_INVALID_CREDENTIALS; > > xn = X509_get_subject_name(x); > -#if OPENSSL_VERSION_NUMBER < 0x10100000 > +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) > der_dn->bv_len = i2d_X509_NAME( xn, NULL ); > der_dn->bv_val = xn->bytes->data; > #else > @@ -721,7 +721,7 @@ struct tls_data { > Sockbuf_IO_Desc *sbiod; > }; > > -#if OPENSSL_VERSION_NUMBER < 0x10100000 > +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) > #define BIO_set_init(b, x) b->init = x > #define BIO_set_data(b, x) b->ptr = x > #define BIO_clear_flags(b, x) b->flags &= ~(x) > @@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str ) > return tlso_bio_write( b, str, strlen( str ) ); > } > > -#if OPENSSL_VERSION_NUMBER >= 0x10100000 > +#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) > struct bio_method_st { > int type; > const char *name; > > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

6 years, 6 months

1
0
0 / 0

Re: (ITS#8444) Out-of-sync issue with memberOf overlay, Delta-syncrepl MMR and >2 nodes

by okuznik＠symas.com

Although Quanah hasn't been able to trigger this yet, the regression test in master he wrote has been consistently able to trigger for me on my machine, so I've started to investigate. For posterity and in case anyone is interested, I have uploaded the testrun/ directory from a failing run (I suspect the fact of this laptop having a slow 2-core CPU helps) with a slightly patched slapd that records the thread ID as well since, in part, this seems like a race of some sort. The tgz is available at ftp://ftp.openldap.org/incoming/its8444-regression-testrun-sync,stat.tgz So far it looks like replica #3's threads 7f50fb7fe700 and 7f51017bb700 are both trying to apply the modification with CSN 20170605125334.856475Z#000000#001#000000 which sends it into a full refresh.=20 --=20 Ond=C5=99ej Kuzn=C3=ADk Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP

6 years, 6 months

1
0
0 / 0

(ITS#8667) slapcat not honoring '-g' option

by gnoe＠symas.com

Full_Name: Gregory Noe Version: 2.4.44 OS: Debian 8.7 URL: ftp://ftp.openldap.org/incoming/gregory-noe-170605.tar Submission from: (NULL) (63.142.209.94) Slapcat is not honoring the '-g' option. The output includes entries from glued subordinates when it shouldn't. The attached test script (gregory-noe-170605.tar) sets up the following DIT with inetOrgPerson entries in each OU: dn: dc=example,dc=com |- ou=NonSub00,dc=example,dc=com |- ou=NonSub01,dc=example,dc=com |- ou=NonSub02,dc=example,dc=com glued sub: ou=Accounting,dc=example,dc=com glued sub: ou=Administrative,dc=example,dc=com glued sub: ou=Janitorial,dc=example,dc=com Then the script runs 'slapcat -g -b dc=example,dc=com | grep ^dn'. The result contains entries from all three glued subordinates. Tested using Symas OpenLDAP 2.4.44.5

6 years, 6 months

1
0
0 / 0

(ITS#8666) Fix build with LibreSSL

by pawel＠FreeBSD.org

Full_Name: Pawe&#322; P&#281;kala Version: 2.4.45 OS: FreeBSD 12-CURRENT URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219781 Submission from: (NULL) (62.141.192.76) Latest version fails to build with LibreSSL. Following patch fixes issue for me: --- libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC +++ libraries/libldap/tls_o.c @@ -47,7 +47,7 @@ #include <ssl.h> #endif -#if OPENSSL_VERSION_NUMBER >= 0x10100000 +#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x) #endif @@ -157,7 +157,7 @@ tlso_init( void ) (void) tlso_seed_PRNG( lo->ldo_tls_randfile ); #endif -#if OPENSSL_VERSION_NUMBER < 0x10100000 +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_digests(); @@ -205,7 +205,7 @@ static void tlso_ctx_ref( tls_ctx *ctx ) { tlso_ctx *c = (tlso_ctx *)ctx; -#if OPENSSL_VERSION_NUMBER < 0x10100000 +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX ) #endif SSL_CTX_up_ref( c ); @@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval * if (!x) return LDAP_INVALID_CREDENTIALS; xn = X509_get_subject_name(x); -#if OPENSSL_VERSION_NUMBER < 0x10100000 +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) der_dn->bv_len = i2d_X509_NAME( xn, NULL ); der_dn->bv_val = xn->bytes->data; #else @@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval return LDAP_INVALID_CREDENTIALS; xn = X509_get_subject_name(x); -#if OPENSSL_VERSION_NUMBER < 0x10100000 +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) der_dn->bv_len = i2d_X509_NAME( xn, NULL ); der_dn->bv_val = xn->bytes->data; #else @@ -721,7 +721,7 @@ struct tls_data { Sockbuf_IO_Desc *sbiod; }; -#if OPENSSL_VERSION_NUMBER < 0x10100000 +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER) #define BIO_set_init(b, x) b->init = x #define BIO_set_data(b, x) b->ptr = x #define BIO_clear_flags(b, x) b->flags &= ~(x) @@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str ) return tlso_bio_write( b, str, strlen( str ) ); } -#if OPENSSL_VERSION_NUMBER >= 0x10100000 +#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER) struct bio_method_st { int type; const char *name;

6 years, 6 months

1
0
0 / 0

(ITS#8665) limits documentation update for glued databases

by quanah＠openldap.org

Full_Name: Quanah Gibson-Mount Version: 2.4.43 OS: Linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (47.208.148.239) When using glued/subordinate databases, the "limits" directive needs to be set on the parent as well as subordinate dbs to be applied if there are global limits in place. This is currently not documented. Otherwise, the "limits" directive settings on the subordinate databases is not honored.

6 years, 6 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs June 2017