1 From dc82cdf9c6c25c69c7eee203d1c4f4c91f969ba9 Mon Sep 17 00:00:00 2001
2 From: babak sarashki <babak.sarashki@windriver.com>
3 Date: Tue, 5 Nov 2019 09:30:49 -0800
4 Subject: [PATCH 19/20] openldap openssl ITS7596 Add EC support
6 From e631ce808ed56119e61321463d06db7999ba5a08
7 From stx 1901 openldap-openssl-ITS7595-Add-EC-support-1.patch
9 doc/man/man5/slapd-config.5 | 7 +++++++
10 doc/man/man5/slapd.conf.5 | 7 +++++++
12 libraries/libldap/ldap-int.h | 2 ++
13 libraries/libldap/tls2.c | 17 +++++++++++++++++
14 libraries/libldap/tls_o.c | 33 ++++++++++++++++++++++++++++++---
15 servers/slapd/bconfig.c | 12 +++++++++++-
16 7 files changed, 75 insertions(+), 4 deletions(-)
18 diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
19 index 42032d4..733ff1e 100644
20 --- a/doc/man/man5/slapd-config.5
21 +++ b/doc/man/man5/slapd-config.5
22 @@ -922,6 +922,13 @@ are not used.
23 When using Mozilla NSS these parameters are always generated randomly
24 so this directive is ignored.
26 +.B olcTLSECName: <name>
27 +Specify the name of a curve to use for Elliptic curve Diffie-Hellman
28 +ephemeral key exchange. This is required to enable ECDHE algorithms in
29 +OpenSSL. This option is not used with GnuTLS; the curves may be
30 +chosen in the GnuTLS ciphersuite specification. This option is also
31 +ignored for Mozilla NSS.
33 .B olcTLSProtocolMin: <major>[.<minor>]
34 Specifies minimum SSL/TLS protocol version that will be negotiated.
35 If the server doesn't support at least that version,
36 diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
37 index 2d4431f..ffe74ff 100644
38 --- a/doc/man/man5/slapd.conf.5
39 +++ b/doc/man/man5/slapd.conf.5
40 @@ -1153,6 +1153,13 @@ are not used.
41 When using Mozilla NSS these parameters are always generated randomly
42 so this directive is ignored.
45 +Specify the name of a curve to use for Elliptic curve Diffie-Hellman
46 +ephemeral key exchange. This is required to enable ECDHE algorithms in
47 +OpenSSL. This option is not used with GnuTLS; the curves may be
48 +chosen in the GnuTLS ciphersuite specification. This option is also
49 +ignored for Mozilla NSS.
51 .B TLSProtocolMin <major>[.<minor>]
52 Specifies minimum SSL/TLS protocol version that will be negotiated.
53 If the server doesn't support at least that version,
54 diff --git a/include/ldap.h b/include/ldap.h
55 index 7bc0644..bb22cb8 100644
58 @@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
59 #define LDAP_OPT_X_TLS_NEWCTX 0x600f
60 #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
61 #define LDAP_OPT_X_TLS_PACKAGE 0x6011
62 +#define LDAP_OPT_X_TLS_ECNAME 0x6012
63 #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY 0x6050
65 #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0
66 diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
67 index 15092c1..f504f44 100644
68 --- a/libraries/libldap/ldap-int.h
69 +++ b/libraries/libldap/ldap-int.h
70 @@ -165,6 +165,7 @@ struct ldaptls {
73 char *lt_randfile; /* OpenSSL only */
74 + char *lt_ecname; /* OpenSSL only */
78 @@ -250,6 +251,7 @@ struct ldapoptions {
79 #define ldo_tls_certfile ldo_tls_info.lt_certfile
80 #define ldo_tls_keyfile ldo_tls_info.lt_keyfile
81 #define ldo_tls_dhfile ldo_tls_info.lt_dhfile
82 +#define ldo_tls_ecname ldo_tls_info.lt_ecname
83 #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
84 #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
85 #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
86 diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
87 index 198d0b1..ba4b9c5 100644
88 --- a/libraries/libldap/tls2.c
89 +++ b/libraries/libldap/tls2.c
90 @@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
91 LDAP_FREE( lo->ldo_tls_dhfile );
92 lo->ldo_tls_dhfile = NULL;
94 + if ( lo->ldo_tls_ecname ) {
95 + LDAP_FREE( lo->ldo_tls_ecname );
96 + lo->ldo_tls_ecname = NULL;
98 if ( lo->ldo_tls_cacertfile ) {
99 LDAP_FREE( lo->ldo_tls_cacertfile );
100 lo->ldo_tls_cacertfile = NULL;
101 @@ -257,6 +261,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
102 lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
103 __atoe( lts.lt_dhfile );
105 + if ( lts.lt_ecname ) {
106 + lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
107 + __atoe( lts.lt_ecname );
110 lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
111 if ( lo->ldo_tls_ctx == NULL ) {
112 @@ -282,6 +290,7 @@ error_exit:
113 LDAP_FREE( lts.lt_crlfile );
114 LDAP_FREE( lts.lt_cacertdir );
115 LDAP_FREE( lts.lt_dhfile );
116 + LDAP_FREE( lts.lt_ecname );
120 @@ -686,6 +695,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
121 *(char **)arg = lo->ldo_tls_dhfile ?
122 LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
124 + case LDAP_OPT_X_TLS_ECNAME:
125 + *(char **)arg = lo->ldo_tls_ecname ?
126 + LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
128 case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
129 *(char **)arg = lo->ldo_tls_crlfile ?
130 LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
131 @@ -808,6 +821,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
132 if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
133 lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
135 + case LDAP_OPT_X_TLS_ECNAME:
136 + if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
137 + lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
139 case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
140 if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
141 lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
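Review bot: The new LDAP_OPT_X_TLS_ECNAME case in ldap_pvt_tls_set_option stores an empty string when `arg` points at "", while the neighbouring DHFILE and CRLFILE cases treat an empty value as "clear the option" via `(arg && *(char *)arg)`. An empty TLSECName would then be handed to `OBJ_sn2nid()` in tlso_ctx_init and be reported as "could not use EC name" rather than simply leaving ECDHE unconfigured, which is how the other string options behave. Suggest `lo->ldo_tls_ecname = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;` so the setter matches its siblings. The `break;` that should follow the new assignment is not visible in this excerpt; confirm it is present so the case does not fall through into the CRLFILE case. ldap_pvt_tls_set_option continues outside the hunk.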
142 diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
143 index 92c708b..45afc11 100644
144 --- a/libraries/libldap/tls_o.c
145 +++ b/libraries/libldap/tls_o.c
146 @@ -371,10 +371,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
150 - if ( lo->ldo_tls_dhfile ) {
152 + if ( is_server && lo->ldo_tls_dhfile ) {
155 - SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
157 if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
158 Debug( LDAP_DEBUG_ANY,
159 @@ -393,7 +392,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
162 SSL_CTX_set_tmp_dh( ctx, dh );
163 + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
167 +#ifdef SSL_OP_SINGLE_ECDH_USE
168 + if ( is_server && lo->ldo_tls_ecname ) {
171 + int nid = OBJ_sn2nid( lt->lt_ecname );
172 + if ( nid == NID_undef ) {
173 + Debug( LDAP_DEBUG_ANY,
174 + "TLS: could not use EC name `%s'.\n",
175 + lo->ldo_tls_ecname,0,0);
176 + tlso_report_error();
179 + ecdh = EC_KEY_new_by_curve_name( nid );
180 + if ( ecdh == NULL ) {
181 + Debug( LDAP_DEBUG_ANY,
182 + "TLS: could not generate key for EC name `%s'.\n",
183 + lo->ldo_tls_ecname,0,0);
184 + tlso_report_error();
187 + SSL_CTX_set_tmp_ecdh( ctx, ecdh );
188 + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
189 + EC_KEY_free( ecdh );
193 if ( tlso_opt_trace ) {
194 SSL_CTX_set_info_callback( ctx, tlso_info_cb );
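Review bot: The `#ifdef SSL_OP_SINGLE_ECDH_USE` guard around the new ECDHE block does not document why the curve lookup reads `lt->lt_ecname` while the enabling condition and the log messages use `lo->ldo_tls_ecname`; this mirrors the existing dhfile handling (condition on `lo->ldo_tls_dhfile`, `BIO_new_file( lt->lt_dhfile, ... )`) because tls2.c makes `lts.lt_ecname` an `LDAP_STRDUP`/`__atoe` copy, and a one-line comment such as `/* lt->lt_ecname is the charset-converted copy made in ldap_int_tls_init_ctx */` would save the next reader the cross-file lookup. Worth a second comment is that `SSL_OP_SINGLE_ECDH_USE` stays defined on OpenSSL 1.1.0 and later (as a no-op) and `SSL_CTX_set_tmp_ecdh()` is deprecated there in favour of the library's automatic curve selection / `SSL_CTX_set1_curves_list()`, so the guard selects for "has the macro", not "needs this code path"; something like `/* on OpenSSL >= 1.1.0 the option flag is a no-op and the library negotiates curves itself; this only pins the single curve named in TLSECName */` would make the intent explicit. The second check (`ecdh == NULL`) is what actually rejects a short name that resolves to a non-curve NID, since `OBJ_sn2nid()` accepts any object short name; a brief comment there would make clear it is not redundant with the `NID_undef` check. The error returns after the two `tlso_report_error()` calls are not visible in this excerpt; confirm each path returns before `SSL_CTX_set_tmp_ecdh()` is reached. tlso_ctx_init continues outside the hunk.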
195 diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
196 index 250f141..8b1e4e5 100644
197 --- a/servers/slapd/bconfig.c
198 +++ b/servers/slapd/bconfig.c
199 @@ -194,6 +194,7 @@ enum {
207 @@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
209 "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
210 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
211 + { "TLSECName", NULL, 2, 2, 0,
213 + CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
217 + "( OLcfgGlAt:96 NAME 'olcTLSECName' "
218 + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
219 { "TLSProtocolMin", NULL, 2, 2, 0,
221 CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
222 @@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
223 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
224 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
225 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
226 - "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
227 + "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
228 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
229 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
230 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
231 @@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
232 case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
233 case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
234 case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
235 + case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
237 case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;