X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=meta-starlingx%2Fmeta-stx-integ%2Frecipes-support%2Fopenldap%2Ffiles%2F0019-openldap-openssl-ITS7596-Add-EC-support.patch;fp=meta-starlingx%2Fmeta-stx-integ%2Frecipes-support%2Fopenldap%2Ffiles%2F0019-openldap-openssl-ITS7596-Add-EC-support.patch;h=0000000000000000000000000000000000000000;hb=6fc6934434f70595536a387ece31bc30141cafb5;hp=ef3da1efc18970b246fecdef18c56eb799929ed6;hpb=eb1e26510491ba49de693ab3b0498edcb06be6c5;p=pti%2Frtp.git diff --git a/meta-starlingx/meta-stx-integ/recipes-support/openldap/files/0019-openldap-openssl-ITS7596-Add-EC-support.patch b/meta-starlingx/meta-stx-integ/recipes-support/openldap/files/0019-openldap-openssl-ITS7596-Add-EC-support.patch deleted file mode 100644 index ef3da1e..0000000 --- a/meta-starlingx/meta-stx-integ/recipes-support/openldap/files/0019-openldap-openssl-ITS7596-Add-EC-support.patch +++ /dev/null @@ -1,241 +0,0 @@ -From dc82cdf9c6c25c69c7eee203d1c4f4c91f969ba9 Mon Sep 17 00:00:00 2001 -From: babak sarashki -Date: Tue, 5 Nov 2019 09:30:49 -0800 -Subject: [PATCH 19/20] openldap openssl ITS7596 Add EC support - -From e631ce808ed56119e61321463d06db7999ba5a08 -From stx 1901 openldap-openssl-ITS7595-Add-EC-support-1.patch ---- - doc/man/man5/slapd-config.5 | 7 +++++++ - doc/man/man5/slapd.conf.5 | 7 +++++++ - include/ldap.h | 1 + - libraries/libldap/ldap-int.h | 2 ++ - libraries/libldap/tls2.c | 17 +++++++++++++++++ - libraries/libldap/tls_o.c | 33 ++++++++++++++++++++++++++++++--- - servers/slapd/bconfig.c | 12 +++++++++++- - 7 files changed, 75 insertions(+), 4 deletions(-) - -diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 -index 42032d4..733ff1e 100644 ---- a/doc/man/man5/slapd-config.5 -+++ b/doc/man/man5/slapd-config.5 -@@ -922,6 +922,13 @@ are not used. - When using Mozilla NSS these parameters are always generated randomly - so this directive is ignored. - .TP -+.B olcTLSECName: -+Specify the name of a curve to use for Elliptic curve Diffie-Hellman -+ephemeral key exchange. This is required to enable ECDHE algorithms in -+OpenSSL. This option is not used with GnuTLS; the curves may be -+chosen in the GnuTLS ciphersuite specification. This option is also -+ignored for Mozilla NSS. -+.TP - .B olcTLSProtocolMin: [.] - Specifies minimum SSL/TLS protocol version that will be negotiated. - If the server doesn't support at least that version, -diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 -index 2d4431f..ffe74ff 100644 ---- a/doc/man/man5/slapd.conf.5 -+++ b/doc/man/man5/slapd.conf.5 -@@ -1153,6 +1153,13 @@ are not used. - When using Mozilla NSS these parameters are always generated randomly - so this directive is ignored. - .TP -+.B TLSECName -+Specify the name of a curve to use for Elliptic curve Diffie-Hellman -+ephemeral key exchange. This is required to enable ECDHE algorithms in -+OpenSSL. This option is not used with GnuTLS; the curves may be -+chosen in the GnuTLS ciphersuite specification. This option is also -+ignored for Mozilla NSS. -+.TP - .B TLSProtocolMin [.] - Specifies minimum SSL/TLS protocol version that will be negotiated. - If the server doesn't support at least that version, -diff --git a/include/ldap.h b/include/ldap.h -index 7bc0644..bb22cb8 100644 ---- a/include/ldap.h -+++ b/include/ldap.h -@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL - #define LDAP_OPT_X_TLS_NEWCTX 0x600f - #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ - #define LDAP_OPT_X_TLS_PACKAGE 0x6011 -+#define LDAP_OPT_X_TLS_ECNAME 0x6012 - #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY 0x6050 - - #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0 -diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h -index 15092c1..f504f44 100644 ---- a/libraries/libldap/ldap-int.h -+++ b/libraries/libldap/ldap-int.h -@@ -165,6 +165,7 @@ struct ldaptls { - char *lt_ciphersuite; - char *lt_crlfile; - char *lt_randfile; /* OpenSSL only */ -+ char *lt_ecname; /* OpenSSL only */ - int lt_protocol_min; - }; - #endif -@@ -250,6 +251,7 @@ struct ldapoptions { - #define ldo_tls_certfile ldo_tls_info.lt_certfile - #define ldo_tls_keyfile ldo_tls_info.lt_keyfile - #define ldo_tls_dhfile ldo_tls_info.lt_dhfile -+#define ldo_tls_ecname ldo_tls_info.lt_ecname - #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile - #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir - #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index 198d0b1..ba4b9c5 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo ) - LDAP_FREE( lo->ldo_tls_dhfile ); - lo->ldo_tls_dhfile = NULL; - } -+ if ( lo->ldo_tls_ecname ) { -+ LDAP_FREE( lo->ldo_tls_ecname ); -+ lo->ldo_tls_ecname = NULL; -+ } - if ( lo->ldo_tls_cacertfile ) { - LDAP_FREE( lo->ldo_tls_cacertfile ); - lo->ldo_tls_cacertfile = NULL; -@@ -257,6 +261,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) - lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile ); - __atoe( lts.lt_dhfile ); - } -+ if ( lts.lt_ecname ) { -+ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname ); -+ __atoe( lts.lt_ecname ); -+ } - #endif - lo->ldo_tls_ctx = ti->ti_ctx_new( lo ); - if ( lo->ldo_tls_ctx == NULL ) { -@@ -282,6 +290,7 @@ error_exit: - LDAP_FREE( lts.lt_crlfile ); - LDAP_FREE( lts.lt_cacertdir ); - LDAP_FREE( lts.lt_dhfile ); -+ LDAP_FREE( lts.lt_ecname ); - #endif - return rc; - } -@@ -686,6 +695,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) - *(char **)arg = lo->ldo_tls_dhfile ? - LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; - break; -+ case LDAP_OPT_X_TLS_ECNAME: -+ *(char **)arg = lo->ldo_tls_ecname ? -+ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL; -+ break; - case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ - *(char **)arg = lo->ldo_tls_crlfile ? - LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; -@@ -808,6 +821,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) - if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); - lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; - return 0; -+ case LDAP_OPT_X_TLS_ECNAME: -+ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname ); -+ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL; -+ return 0; - case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ - if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); - lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; -diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index 92c708b..45afc11 100644 ---- a/libraries/libldap/tls_o.c -+++ b/libraries/libldap/tls_o.c -@@ -371,10 +371,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) - return -1; - } - -- if ( lo->ldo_tls_dhfile ) { -- DH *dh = NULL; -+ if ( is_server && lo->ldo_tls_dhfile ) { -+ DH *dh; - BIO *bio; -- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); - - if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { - Debug( LDAP_DEBUG_ANY, -@@ -393,7 +392,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) - } - BIO_free( bio ); - SSL_CTX_set_tmp_dh( ctx, dh ); -+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); -+ DH_free( dh ); -+ } -+ -+#ifdef SSL_OP_SINGLE_ECDH_USE -+ if ( is_server && lo->ldo_tls_ecname ) { -+ EC_KEY *ecdh; -+ -+ int nid = OBJ_sn2nid( lt->lt_ecname ); -+ if ( nid == NID_undef ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not use EC name `%s'.\n", -+ lo->ldo_tls_ecname,0,0); -+ tlso_report_error(); -+ return -1; -+ } -+ ecdh = EC_KEY_new_by_curve_name( nid ); -+ if ( ecdh == NULL ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not generate key for EC name `%s'.\n", -+ lo->ldo_tls_ecname,0,0); -+ tlso_report_error(); -+ return -1; -+ } -+ SSL_CTX_set_tmp_ecdh( ctx, ecdh ); -+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); -+ EC_KEY_free( ecdh ); - } -+#endif - - if ( tlso_opt_trace ) { - SSL_CTX_set_info_callback( ctx, tlso_info_cb ); -diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c -index 250f141..8b1e4e5 100644 ---- a/servers/slapd/bconfig.c -+++ b/servers/slapd/bconfig.c -@@ -194,6 +194,7 @@ enum { - CFG_ACL_ADD, - CFG_SYNC_SUBENTRY, - CFG_LTHREADS, -+ CFG_TLS_ECNAME, - - CFG_LAST - }; -@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = { - #endif - "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' " - "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, -+ { "TLSECName", NULL, 2, 2, 0, -+#ifdef HAVE_TLS -+ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option, -+#else -+ ARG_IGNORED, NULL, -+#endif -+ "( OLcfgGlAt:96 NAME 'olcTLSECName' " -+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, - { "TLSProtocolMin", NULL, 2, 2, 0, - #ifdef HAVE_TLS - CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config, -@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = { - "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ " - "olcTLSCACertificatePath $ olcTLSCertificateFile $ " - "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ " -- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ " -+ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ " - "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ " - "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ " - "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global }, -@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) { - case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break; - case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break; - case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break; -+ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break; - #ifdef HAVE_GNUTLS - case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break; - #endif --- -2.17.1 -