Revert "Revert "oran-shell-release: release image for F""
1 From dc82cdf9c6c25c69c7eee203d1c4f4c91f969ba9 Mon Sep 17 00:00:00 2001
2 From: babak sarashki <babak.sarashki@windriver.com>
3 Date: Tue, 5 Nov 2019 09:30:49 -0800
4 Subject: [PATCH 19/20] openldap openssl ITS7596 Add EC support
5
6 From e631ce808ed56119e61321463d06db7999ba5a08
7 From stx 1901 openldap-openssl-ITS7595-Add-EC-support-1.patch
8 ---
9  doc/man/man5/slapd-config.5  |  7 +++++++
10  doc/man/man5/slapd.conf.5    |  7 +++++++
11  include/ldap.h               |  1 +
12  libraries/libldap/ldap-int.h |  2 ++
13  libraries/libldap/tls2.c     | 17 +++++++++++++++++
14  libraries/libldap/tls_o.c    | 33 ++++++++++++++++++++++++++++++---
15  servers/slapd/bconfig.c      | 12 +++++++++++-
16  7 files changed, 75 insertions(+), 4 deletions(-)
17
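diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 42032d4..733ff1e 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -922,6 +922,13 @@ are not used.
 When using Mozilla NSS these parameters are always generated randomly
 so this directive is ignored.
 .TP
+.B olcTLSECName: <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This is required to enable ECDHE algorithms in
+OpenSSL.  This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
 .B olcTLSProtocolMin: <major>[.<minor>]
 Specifies minimum SSL/TLS protocol version that will be negotiated.
 If the server doesn't support at least that version,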
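diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 2d4431f..ffe74ff 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1153,6 +1153,13 @@ are not used.
 When using Mozilla NSS these parameters are always generated randomly
 so this directive is ignored.
 .TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This is required to enable ECDHE algorithms in
+OpenSSL.  This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
 .B TLSProtocolMin <major>[.<minor>]
 Specifies minimum SSL/TLS protocol version that will be negotiated.
 If the server doesn't support at least that version,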
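diff --git a/include/ldap.h b/include/ldap.h
index 7bc0644..bb22cb8 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_NEWCTX          0x600f
 #define LDAP_OPT_X_TLS_CRLFILE         0x6010  /* GNUtls only */
 #define LDAP_OPT_X_TLS_PACKAGE         0x6011
+#define LDAP_OPT_X_TLS_ECNAME          0x6012
 #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY  0x6050
 
 #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED   0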
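diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 15092c1..f504f44 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -165,6 +165,7 @@ struct ldaptls {
        char            *lt_ciphersuite;
        char            *lt_crlfile;
        char            *lt_randfile;   /* OpenSSL only */
+       char            *lt_ecname;             /* OpenSSL only */
        int             lt_protocol_min;
 };
 #endif
@@ -250,6 +251,7 @@ struct ldapoptions {
 #define ldo_tls_certfile       ldo_tls_info.lt_certfile
 #define ldo_tls_keyfile        ldo_tls_info.lt_keyfile
 #define ldo_tls_dhfile ldo_tls_info.lt_dhfile
+#define ldo_tls_ecname ldo_tls_info.lt_ecname
 #define ldo_tls_cacertfile     ldo_tls_info.lt_cacertfile
 #define ldo_tls_cacertdir      ldo_tls_info.lt_cacertdir
 #define ldo_tls_ciphersuite    ldo_tls_info.lt_ciphersuite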
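diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 198d0b1..ba4b9c5 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
                LDAP_FREE( lo->ldo_tls_dhfile );
                lo->ldo_tls_dhfile = NULL;
        }
+       if ( lo->ldo_tls_ecname ) {
+               LDAP_FREE( lo->ldo_tls_ecname );
+               lo->ldo_tls_ecname = NULL;
+       }
        if ( lo->ldo_tls_cacertfile ) {
                LDAP_FREE( lo->ldo_tls_cacertfile );
                lo->ldo_tls_cacertfile = NULL;
@@ -257,6 +261,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
                lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
                __atoe( lts.lt_dhfile );
        }
+       if ( lts.lt_ecname ) {
+               lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
+               __atoe( lts.lt_ecname );
+       }
 #endif
        lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
        if ( lo->ldo_tls_ctx == NULL ) {
@@ -282,6 +290,7 @@ error_exit:
        LDAP_FREE( lts.lt_crlfile );
        LDAP_FREE( lts.lt_cacertdir );
        LDAP_FREE( lts.lt_dhfile );
+       LDAP_FREE( lts.lt_ecname );
 #endif
        return rc;
 }
@@ -686,6 +695,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
                *(char **)arg = lo->ldo_tls_dhfile ?
                        LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
                break;
+       case LDAP_OPT_X_TLS_ECNAME:
+               *(char **)arg = lo->ldo_tls_ecname ?
+                       LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
+               break;
        case LDAP_OPT_X_TLS_CRLFILE:    /* GnuTLS only */
                *(char **)arg = lo->ldo_tls_crlfile ?
                        LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
@@ -808,6 +821,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
                if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
                lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
                return 0;
+       case LDAP_OPT_X_TLS_ECNAME:
+               if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
+               lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+               return 0;
        case LDAP_OPT_X_TLS_CRLFILE:    /* GnuTLS only */
                if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
                lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;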
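Review bot: In the new `LDAP_OPT_X_TLS_ECNAME` case of ldap_pvt_tls_set_option, `lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;` stores an empty string, whereas the adjacent DHFILE and CRLFILE cases treat "" as "unset" via `(arg && *(char *)arg)`. An empty TLSECName would therefore survive into the OpenSSL context setup, where a curve lookup on "" presumably fails and the whole TLS context refuses to initialize instead of the option simply being cleared. Suggest the sibling form: `lo->ldo_tls_ecname = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;`. The destroy, init_ctx, error_exit and get_option hunks mirror the existing dhfile handling and look consistent with it.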
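diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 92c708b..45afc11 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -371,10 +371,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                return -1;
        }
 
-       if ( lo->ldo_tls_dhfile ) {
-               DH *dh = NULL;
+       if ( is_server && lo->ldo_tls_dhfile ) {
+               DH *dh;
                BIO *bio;
-               SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
 
                if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
                        Debug( LDAP_DEBUG_ANY,
@@ -393,7 +392,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                }
                BIO_free( bio );
                SSL_CTX_set_tmp_dh( ctx, dh );
+               SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+               DH_free( dh );
+       }
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+       if ( is_server && lo->ldo_tls_ecname ) {
+               EC_KEY *ecdh;
+
+               int nid = OBJ_sn2nid( lt->lt_ecname );
+               if ( nid == NID_undef ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "TLS: could not use EC name `%s'.\n",
+                               lo->ldo_tls_ecname,0,0);
+                       tlso_report_error();
+                       return -1;
+               }
+               ecdh = EC_KEY_new_by_curve_name( nid );
+               if ( ecdh == NULL ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "TLS: could not generate key for EC name `%s'.\n",
+                               lo->ldo_tls_ecname,0,0);
+                       tlso_report_error();
+                       return -1;
+               }
+               SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+               SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+               EC_KEY_free( ecdh );
        }
+#endif
 
        if ( tlso_opt_trace ) {
                SSL_CTX_set_info_callback( ctx, tlso_info_cb );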
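Review bot: The new ECDH block is guarded only by `#ifdef SSL_OP_SINGLE_ECDH_USE`, yet it calls `EC_KEY_new_by_curve_name` and `SSL_CTX_set_tmp_ecdh`, which are not available when libssl is built with `OPENSSL_NO_EC`; as far as I can tell that option flag is defined by ssl.h regardless of EC support, so the guard should probably read `#if defined(SSL_OP_SINGLE_ECDH_USE) && !defined(OPENSSL_NO_EC)`. Separately, `SSL_CTX_set_tmp_ecdh` pins the server to the single configured curve, and on OpenSSL releases that already negotiate curves automatically this narrows rather than enables the groups offered to clients, which deserves a comment above the block such as `/* Restricts server-side ECDHE to this one curve; SSL_CTX_set1_curves_list would allow a list */` and a matching caveat in the man page text. tlso_ctx_init starts before the first hunk and continues past this one, so the `DH *dh;` that the first hunk leaves without an initializer is assumed to be assigned in the unseen lines between the two hunks.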
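diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f141..8b1e4e5 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -194,6 +194,7 @@ enum {
        CFG_ACL_ADD,
        CFG_SYNC_SUBENTRY,
        CFG_LTHREADS,
+       CFG_TLS_ECNAME,
 
        CFG_LAST
 };
@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
 #endif
                "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
                        "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+       { "TLSECName", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+               CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
+#else
+               ARG_IGNORED, NULL,
+#endif
+               "( OLcfgGlAt:96 NAME 'olcTLSECName' "
+                       "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
        { "TLSProtocolMin",     NULL, 2, 2, 0,
 #ifdef HAVE_TLS
                CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
                 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
                 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
                 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
-                "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
+                "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
                 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
                 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
                 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
        case CFG_TLS_CA_PATH:   flag = LDAP_OPT_X_TLS_CACERTDIR;        break;
        case CFG_TLS_CA_FILE:   flag = LDAP_OPT_X_TLS_CACERTFILE;       break;
        case CFG_TLS_DH_FILE:   flag = LDAP_OPT_X_TLS_DHFILE;   break;
+       case CFG_TLS_ECNAME:    flag = LDAP_OPT_X_TLS_ECNAME;   break;
 #ifdef HAVE_GNUTLS
        case CFG_TLS_CRL_FILE:  flag = LDAP_OPT_X_TLS_CRLFILE;  break;
 #endif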
239 -- 
240 2.17.1
241