Re: (ITS#8666) Fix build with LibreSSL
by pawel@FreeBSD.org
Hi Howard,
On 2017-06-05 17:03 +0100, Howard Chu <hyc(a)symas.com> wrote:
>pawel(a)FreeBSD.org wrote:
>> Full_Name: Paweł Pękala
>> Version: 2.4.45
>> OS: FreeBSD 12-CURRENT
>> URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219781
>> Submission from: (NULL) (62.141.192.76)
>> 
>
>No. LibreSSL should not be hijacking OPENSSL_VERSION_NUMBER macros,
>especially if it doesn't actually implement the features of those
>versions.
>
First off, let me clarify that I'm not representing the LibreSSL
project; this is my opinion as an outsider. From my point of view they
are keeping OPENSSL_VERSION_NUMBER for backwards compatibility, not
forwards; from their openssl/opensslv.h:
/* These will change with each release of LibreSSL-portable */
#define LIBRESSL_VERSION_NUMBER 0x2050400fL
#define LIBRESSL_VERSION_TEXT "LibreSSL 2.5.4"
/* These will never change */
/*
 * NOTE(review): because this value is pinned at 0x20000000L, any
 * `OPENSSL_VERSION_NUMBER >= 0x10100000` test evaluates true when building
 * against LibreSSL. Code that must tell the two libraries apart therefore
 * has to test LIBRESSL_VERSION_NUMBER as well.
 */
#define OPENSSL_VERSION_NUMBER 0x20000000L
>> Latest version fails to build with LibreSSL. Following patch fixes
>> issue for me:
>>
>> --- libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC
>> +++ libraries/libldap/tls_o.c
>> @@ -47,7 +47,7 @@
>> #include <ssl.h>
>> #endif
>>
>> -#if OPENSSL_VERSION_NUMBER >=3D 0x10100000
>> +#if OPENSSL_VERSION_NUMBER >=3D 0x10100000
>> && !defined(LIBRESSL_VERSION_NUMBER) #define
>> ASN1_STRING_data(x) ASN1_STRING_get0_data(x) #endif
>>
>> @@ -157,7 +157,7 @@ tlso_init( void )
>> (void) tlso_seed_PRNG( lo->ldo_tls_randfile );
>> #endif
>>
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000 ||
>> defined(LIBRESSL_VERSION_NUMBER) SSL_load_error_strings();
>> SSL_library_init();
>> OpenSSL_add_all_digests();
>> @@ -205,7 +205,7 @@ static void
>> tlso_ctx_ref( tls_ctx *ctx )
>> {
>> tlso_ctx *c =3D (tlso_ctx *)ctx;
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000 ||
>> defined(LIBRESSL_VERSION_NUMBER) #define
>> SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1,
>> CRYPTO_LOCK_SSL_CTX ) #endif
>> SSL_CTX_up_ref( c );
>> @@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct
>> berval * if (!x) return LDAP_INVALID_CREDENTIALS;
>> =09
>> xn =3D X509_get_subject_name(x);
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000 ||
>> defined(LIBRESSL_VERSION_NUMBER) der_dn->bv_len =3D i2d_X509_NAME( xn,
>> NULL ); der_dn->bv_val =3D xn->bytes->data;
>> #else
>> @@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct
>> berval return LDAP_INVALID_CREDENTIALS;
>>
>> xn =3D X509_get_subject_name(x);
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000 ||
>> defined(LIBRESSL_VERSION_NUMBER) der_dn->bv_len =3D i2d_X509_NAME( xn,
>> NULL ); der_dn->bv_val =3D xn->bytes->data;
>> #else
>> @@ -721,7 +721,7 @@ struct tls_data {
>> Sockbuf_IO_Desc *sbiod;
>> };
>>
>> -#if OPENSSL_VERSION_NUMBER < 0x10100000
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000 ||
>> defined(LIBRESSL_VERSION_NUMBER) #define BIO_set_init(b, x)
>> b->init =3D x #define BIO_set_data(b, x) b->ptr =3D x
>> #define BIO_clear_flags(b, x) b->flags &=3D ~(x)
>> @@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str )
>> return tlso_bio_write( b, str, strlen( str ) );
>> }
>>
>> -#if OPENSSL_VERSION_NUMBER >=3D 0x10100000
>> +#if OPENSSL_VERSION_NUMBER >=3D 0x10100000
>> && !defined(LIBRESSL_VERSION_NUMBER) struct bio_method_st {
>> int type;
>> const char *name;
>>
>>
>> =20
>
>
-- 
pozdrawiam / with regards
Paweł Pękala
6 years, 6 months
Re: (ITS#8666) Fix build with LibreSSL
by hyc@symas.com
pawel(a)FreeBSD.org wrote:
> Full_Name: Paweł Pękala
> Version: 2.4.45
> OS: FreeBSD 12-CURRENT
> URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219781
> Submission from: (NULL) (62.141.192.76)
>
No. LibreSSL should not be hijacking OPENSSL_VERSION_NUMBER macros, especially
if it doesn't actually implement the features of those versions.
> Latest version fails to build with LibreSSL. Following patch fixes issue for
> me:
>
> --- libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC
> +++ libraries/libldap/tls_o.c
> @@ -47,7 +47,7 @@
> #include <ssl.h>
> #endif
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000
> +#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
> #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
> #endif
>
> @@ -157,7 +157,7 @@ tlso_init( void )
> (void) tlso_seed_PRNG( lo->ldo_tls_randfile );
> #endif
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000
> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
> SSL_load_error_strings();
> SSL_library_init();
> OpenSSL_add_all_digests();
> @@ -205,7 +205,7 @@ static void
> tlso_ctx_ref( tls_ctx *ctx )
> {
> tlso_ctx *c = (tlso_ctx *)ctx;
> -#if OPENSSL_VERSION_NUMBER < 0x10100000
> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
> #define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1,
> CRYPTO_LOCK_SSL_CTX )
> #endif
> SSL_CTX_up_ref( c );
> @@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *
> if (!x) return LDAP_INVALID_CREDENTIALS;
>
> xn = X509_get_subject_name(x);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000
> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
> der_dn->bv_len = i2d_X509_NAME( xn, NULL );
> der_dn->bv_val = xn->bytes->data;
> #else
> @@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval
> return LDAP_INVALID_CREDENTIALS;
>
> xn = X509_get_subject_name(x);
> -#if OPENSSL_VERSION_NUMBER < 0x10100000
> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
> der_dn->bv_len = i2d_X509_NAME( xn, NULL );
> der_dn->bv_val = xn->bytes->data;
> #else
> @@ -721,7 +721,7 @@ struct tls_data {
> Sockbuf_IO_Desc *sbiod;
> };
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000
> +#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
> #define BIO_set_init(b, x) b->init = x
> #define BIO_set_data(b, x) b->ptr = x
> #define BIO_clear_flags(b, x) b->flags &= ~(x)
> @@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str )
> return tlso_bio_write( b, str, strlen( str ) );
> }
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000
> +#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
> struct bio_method_st {
> int type;
> const char *name;
>
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 6 months
Re: (ITS#8444) Out-of-sync issue with memberOf overlay, Delta-syncrepl MMR and >2 nodes
by okuznik@symas.com
Although Quanah hasn't been able to trigger this yet, the regression
test in master he wrote has been consistently able to trigger for me on
my machine, so I've started to investigate.
For posterity and in case anyone is interested, I have uploaded the
testrun/ directory from a failing run (I suspect the fact of this laptop
having a slow 2-core CPU helps) with a slightly patched slapd that
records the thread ID as well since, in part, this seems like a race of
some sort.
The tgz is available at
ftp://ftp.openldap.org/incoming/its8444-regression-testrun-sync,stat.tgz
So far it looks like replica #3's threads 7f50fb7fe700 and 7f51017bb700
are both trying to apply the modification with CSN
20170605125334.856475Z#000000#001#000000 which sends it into a full
refresh.
-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
6 years, 6 months
(ITS#8667) slapcat not honoring '-g' option
by gnoe@symas.com
Full_Name: Gregory Noe
Version: 2.4.44
OS: Debian 8.7
URL: ftp://ftp.openldap.org/incoming/gregory-noe-170605.tar
Submission from: (NULL) (63.142.209.94)
Slapcat is not honoring the '-g' option. The output includes entries from glued
subordinates when it shouldn't. The attached test script
(gregory-noe-170605.tar) sets up the following DIT with inetOrgPerson entries in
each OU:
dn: dc=example,dc=com
|- ou=NonSub00,dc=example,dc=com
|- ou=NonSub01,dc=example,dc=com
|- ou=NonSub02,dc=example,dc=com
glued sub: ou=Accounting,dc=example,dc=com
glued sub: ou=Administrative,dc=example,dc=com
glued sub: ou=Janitorial,dc=example,dc=com
Then the script runs 'slapcat -g -b dc=example,dc=com | grep ^dn'. The result
contains entries from all three glued subordinates.
Tested using Symas OpenLDAP 2.4.44.5
6 years, 6 months
(ITS#8666) Fix build with LibreSSL
by pawel@FreeBSD.org
Full_Name: Paweł Pękala
Version: 2.4.45
OS: FreeBSD 12-CURRENT
URL: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219781
Submission from: (NULL) (62.141.192.76)
Latest version fails to build with LibreSSL. Following patch fixes issue for
me:
--- libraries/libldap/tls_o.c.orig 2017-06-04 16:31:28 UTC
+++ libraries/libldap/tls_o.c
@@ -47,7 +47,7 @@
#include <ssl.h>
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
#define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
#endif
@@ -157,7 +157,7 @@ tlso_init( void )
(void) tlso_seed_PRNG( lo->ldo_tls_randfile );
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_digests();
@@ -205,7 +205,7 @@ static void
tlso_ctx_ref( tls_ctx *ctx )
{
tlso_ctx *c = (tlso_ctx *)ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
#define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1,
CRYPTO_LOCK_SSL_CTX )
#endif
SSL_CTX_up_ref( c );
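Review bot: The `|| defined(LIBRESSL_VERSION_NUMBER)` half of the new condition has no version bound, so the fallback `SSL_CTX_up_ref` macro, which bumps `ctx->references` directly through `CRYPTO_add`, is selected for every LibreSSL release rather than only the ones that lack the function. If a later LibreSSL release provides `SSL_CTX_up_ref` itself or stops exposing the struct members, the macro would either shadow the library's own reference counting or stop compiling; the same applies to the `BIO_set_init`/`BIO_set_data`/`BIO_clear_flags` macros in the `@@ -721` hunk. I would bound the test, e.g. `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <FIRST_RELEASE_WITH_1_1_ACCESSORS>)` (placeholder, to be filled in from LibreSSL's release notes), and add a comment such as `/* LibreSSL pins OPENSSL_VERSION_NUMBER at 0x20000000L, so it needs an explicit check */`. The body of tlso_ctx_ref continues outside the hunk.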
@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *
if (!x) return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
#else
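Review bot: With the widened condition, LibreSSL builds now take the branch that stores the result of `i2d_X509_NAME( xn, NULL )` straight into `der_dn->bv_len` and points `bv_val` at `xn->bytes->data`, and the return value is never checked. The i2d functions return a negative value on failure, and if `bv_len` is an unsigned length (as the berval type suggests; its declaration is not visible here), a failure would show up to callers as a very large DN length paired with a pointer into library-internal storage. The same two lines appear in the `@@ -500` hunk for tlso_session_peer_dn. Since the patch makes this branch reachable for a second library, I would guard it in both places, e.g. `int len = i2d_X509_NAME( xn, NULL );` followed by `if ( len < 0 ) return LDAP_INVALID_CREDENTIALS;` before assigning `der_dn->bv_len = len;`. The enclosing function starts and ends outside the hunk.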
@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval
return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
-#if OPENSSL_VERSION_NUMBER < 0x10100000
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
#else
@@ -721,7 +721,7 @@ struct tls_data {
Sockbuf_IO_Desc *sbiod;
};
-#if OPENSSL_VERSION_NUMBER < 0x10100000
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)
#define BIO_set_init(b, x) b->init = x
#define BIO_set_data(b, x) b->ptr = x
#define BIO_clear_flags(b, x) b->flags &= ~(x)
@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str )
return tlso_bio_write( b, str, strlen( str ) );
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
+#if OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(LIBRESSL_VERSION_NUMBER)
struct bio_method_st {
int type;
const char *name;
6 years, 6 months
(ITS#8665) limits documentation update for glued databases
by quanah@openldap.org
Full_Name: Quanah Gibson-Mount
Version: 2.4.43
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)
When using glued/subordinate databases, the "limits" directive needs to be set
on the parent as well as on the subordinate databases for it to be applied if
there are global limits in place. This is currently not documented. Otherwise,
the "limits" directive settings on the subordinate databases are not honored.
6 years, 6 months