Skip to content
Commits on Source (2)
Show whitespace changes
Inline Side-by-side
debian/changelog
View file @ 7488ce09
......@@ -3,6 +3,10 @@ openldap (2.4.48+dfsg-2) UNRELEASED; urgency=medium
* When validating the DNS domain chosen for slapd's default suffix, set
LC_COLLATE explicitly for grep to ensure character ranges behave as
expected. Thanks to Fredrik Roubert. (Closes: #940908)
* Replace patch no-gnutls_global_set_mutex with a git-format-patch of the
actual upstream commit.
* Backport proposed upstream patch to emit detailed messages about errors in
the TLS configuration. (ITS#9086)
-- Ryan Tandy <ryan@nardis.ca> Sat, 21 Sep 2019 15:47:54 -0700
......
debian/patches/no-gnutls_global_set_mutex debian/patches/ITS-9069-Do-not-call-gnutls_global_set_mutex.patch
View file @ 7488ce09
Description: Do not call gnutls_global_set_mutex()
From 63c82c0ed7b29dc839e076d5b3efb373f04a2627 Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Tue, 27 Aug 2019 17:58:44 -0700
Subject: [PATCH] ITS#9069 Do not call gnutls_global_set_mutex()
Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.
.
When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.
.
Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code
may be unmapped and the application could crash when GnuTLS calls the
mutex functions.
.
The default behaviour of GnuTLS, using pthreads, should be suitable on
all Debian systems, and is probably the same as what libldap uses
anyway.
Author: Ryan Tandy <ryan@nardis.ca>
Bug-Debian: https://bugs.debian.org/803197
Forwarded: no
is unloaded (for example via dlclose()) after calling this, its code may
be unmapped and the application could crash when GnuTLS calls the mutex
functions.
On typical systems, GnuTLS system mutexes are probably the same as what
libldap uses anyway.
---
libraries/libldap/tls_g.c | 43 +--------------------------------------
1 file changed, 1 insertion(+), 42 deletions(-)
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 1baf2b883..6f5bd12e6 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -67,51 +67,10 @@
@@ -69,51 +69,10 @@ static int tlsg_cert_verify( tlsg_session *s );
#ifdef LDAP_R_COMPILE
......@@ -75,3 +80,6 @@ Forwarded: no
}
#endif /* LDAP_R_COMPILE */
--
2.20.1
debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch 0 → 100644
View file @ 7488ce09
From 82ce81ee7ad4a252aed2d6a10ea808ff18a65ffd Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Sun, 22 Sep 2019 03:08:30 +0000
Subject: [PATCH] ITS#9086 Add debug logging for more GnuTLS errors
---
libraries/libldap/tls_g.c | 56 ++++++++++++++++++++++++++++++++++-----
1 file changed, 49 insertions(+), 7 deletions(-)
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index f3b4cd710..249f7e8d5 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -188,9 +188,16 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf )
{
int rc = -1, fd;
struct stat st;
+ char ebuf[128];
fd = open( path, O_RDONLY );
- if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
+ if ( fd < 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: opening `%s' failed: %s\n",
+ path, AC_STRERROR_R( errno, ebuf, sizeof ebuf ), NULL );
+ return -1;
+ }
+ if ( fstat( fd, &st ) == 0 ) {
buf->size = st.st_size;
buf->data = LDAP_MALLOC( st.st_size + 1 );
if ( buf->data ) {
@@ -236,7 +243,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
ctx->cred,
lt->lt_cacertfile,
GNUTLS_X509_FMT_PEM );
- if ( rc < 0 ) return -1;
+ if ( rc < 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use CA certificate file `%s': %s (%d)\n",
+ lo->ldo_tls_cacertfile, gnutls_strerror( rc ), rc );
+ return -1;
+ } else if ( rc == 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: warning: no certificate loaded from CA certificate file `%s'.\n",
+ lo->ldo_tls_cacertfile, NULL, NULL );
+ /* only warn, no return */
+ }
}
if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
@@ -254,18 +271,38 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
* do some special checks here...
*/
rc = tlsg_getfile( lt->lt_keyfile, &buf );
- if ( rc ) return -1;
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use private key file `%s`.\n",
+ lt->lt_keyfile, NULL, NULL );
+ return -1;
+ }
rc = gnutls_x509_privkey_import( key, &buf,
GNUTLS_X509_FMT_PEM );
LDAP_FREE( buf.data );
- if ( rc < 0 ) return rc;
+ if ( rc < 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use private key: %s (%d)\n",
+ gnutls_strerror( rc ), rc, NULL );
+ return rc;
+ }
rc = tlsg_getfile( lt->lt_certfile, &buf );
- if ( rc ) return -1;
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use certificate file `%s`.\n",
+ lt->lt_certfile, NULL, NULL );
+ return -1;
+ }
rc = gnutls_x509_crt_list_import( certs, &max, &buf,
GNUTLS_X509_FMT_PEM, 0 );
LDAP_FREE( buf.data );
- if ( rc < 0 ) return rc;
+ if ( rc < 0 ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use certificate: %s (%d)\n",
+ gnutls_strerror( rc ), rc, NULL );
+ return rc;
+ }
/* If there's only one cert and it's not self-signed,
* then we have to build the cert chain.
@@ -282,7 +319,12 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
}
rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
- if ( rc ) return -1;
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use certificate with key: %s (%d)\n",
+ gnutls_strerror( rc ), rc, NULL );
+ return -1;
+ }
} else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n",
--
2.20.1
debian/patches/series
View file @ 7488ce09
......@@ -19,4 +19,5 @@ switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
no-bdb-ABI-second-guessing
ITS6035-olcauthzregex-needs-restart.patch
set-maintainer-name
no-gnutls_global_set_mutex
ITS-9069-Do-not-call-gnutls_global_set_mutex.patch
ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch