Diffstat (limited to 'meta-openembedded/meta-oe/recipes-support/openldap/openldap')
9 files changed, 243 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/initscript b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/initscript
new file mode 100644
index 000000000..08d1067a7
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/initscript
@@ -0,0 +1,35 @@
+#! /bin/sh
+#
+# This is an init script for openembedded
+# Copy it to /etc/init.d/openldap and type
+# > update-rc.d openldap defaults 60
+#
+
+# Source function library.
+. /etc/init.d/functions
+
+slapd=/usr/sbin/slapd
+test -x "$slapd" || exit 0
+
+
+case "$1" in
+ start)
+ echo -n "Starting OpenLDAP: "
+ start-stop-daemon --start --quiet --exec $slapd
+ echo "."
+ ;;
+ stop)
+ echo -n "Stopping OpenLDAP: "
+ start-stop-daemon --stop --quiet --pidfile /var/run/slapd.pid
+ echo "."
+ ;;
+ status)
+ status $slapd;
+ exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/openldap {start|stop|status}"
+ exit 1
+esac
+
+exit 0
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/install-strip.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/install-strip.patch
new file mode 100644
index 000000000..2992b7030
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/install-strip.patch
@@ -0,0 +1,14 @@
+# This patch ensures that the install operations which strip
+# programs and libraries (LTINSTALL) work in a cross build
+# environment.
+--- openldap-2.2.24/.pc/install-strip.patch/build/top.mk 2005-01-20 09:00:55.000000000 -0800
++++ openldap-2.2.24/build/top.mk 2005-04-16 13:48:20.536710376 -0700
+@@ -116,7 +116,7 @@
+ LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
+ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
+
+-LTINSTALL = $(LIBTOOL) --mode=install $(INSTALL)
++LTINSTALL = STRIPPROG="" $(LIBTOOL) --mode=install $(top_srcdir)/contrib/ldapc++/install-sh -c
+ LTFINISH = $(LIBTOOL) --mode=finish
+
+ # Misc UNIX commands used in build environment
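Review bot: In `initscript`, the `start)` branch runs `start-stop-daemon --start --quiet --exec $slapd` with no `-u`/`-g` arguments to slapd, so as far as this page shows the directory server keeps root privileges for its whole lifetime; the same applies to `ExecStart=@SBINDIR@/slapd` in `slapd.service`. If the recipe provides a dedicated account (not visible here), pass it through, e.g. `start-stop-daemon --start --quiet --exec "$slapd" -- -u <ldap-user> -g <ldap-group>`. Separately, `stop)` depends on `/var/run/slapd.pid` while `start)` never tells slapd where to write its pidfile, so stopping only works if the installed configuration happens to use that path.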
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/kill-icu.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/kill-icu.patch
new file mode 100644
index 000000000..dcf541137
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/kill-icu.patch
@@ -0,0 +1,30 @@
+From: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
+
+slapd depends on ICU if it was built first.
+
+Upstream-status: inappropiate [embedded specific]
+---
+ configure.in | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- openldap-2.4.23.orig/configure.in
++++ openldap-2.4.23/configure.in
+@@ -2045,18 +2045,10 @@ if test $ol_enable_ndb != no ; then
+ SLAPD_LIBS="$SLAPD_LIBS \$(SLAPD_NDB_LIBS)"
+ fi
+ fi
+
+ dnl ----------------------------------------------------------------
+-dnl International Components for Unicode
+-OL_ICU
+-if test "$ol_icu" = no ; then
+- AC_MSG_WARN([ICU not available])
+-else
+- ICU_LIBS="$ol_icu"
+-fi
+-dnl ----------------------------------------------------------------
+ dnl
+ dnl Check for Cyrus SASL
+ dnl
+ WITH_SASL=no
+ ol_link_sasl=no
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch
new file mode 100644
index 000000000..c7b1552c1
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-2.4.28-gnutls-gcrypt.patch
@@ -0,0 +1,17 @@
+From http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-nds/openldap/files/
+
+Upstream-status: Unknown
+
+--
+
+--- openldap-2.4.28/configure.in.orig 2012-02-11 22:40:36.004360795 +0000
++++ openldap-2.4.28/configure.in 2012-02-11 22:40:13.410986851 +0000
+@@ -1214,7 +1214,7 @@
+ ol_with_tls=gnutls
+ ol_link_tls=yes
+
+- TLS_LIBS="-lgnutls"
++ TLS_LIBS="-lgnutls -lgcrypt"
+
+ AC_DEFINE(HAVE_GNUTLS, 1,
+ [define if you have GNUtls])
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
new file mode 100644
index 000000000..de9ca528a
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-CVE-2015-3276.patch
@@ -0,0 +1,59 @@
+openldap CVE-2015-3276
+
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=1238322
+https://bugzilla.redhat.com/attachment.cgi?id=1055640
+
+The nss_parse_ciphers function in libraries/libldap/tls_m.c in
+OpenLDAP does not properly parse OpenSSL-style multi-keyword mode
+cipher strings, which might cause a weaker than intended cipher to
+be used and allow remote attackers to have unspecified impact via
+unknown vectors.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ libraries/libldap/tls_m.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 9b101f9..e6f3051 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -621,18 +621,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum])
+ */
+ if (mask || strength || protocol) {
+ for (i=0; i<ciphernum; i++) {
+- if (((ciphers_def[i].attr & mask) ||
+- (ciphers_def[i].strength & strength) ||
+- (ciphers_def[i].version & protocol)) &&
+- (cipher_list[i] != -1)) {
+- /* Enable the NULL ciphers only if explicity
+- * requested */
+- if (ciphers_def[i].attr & SSL_eNULL) {
+- if (mask & SSL_eNULL)
+- cipher_list[i] = action;
+- } else
++ /* if more than one mask is provided
++ * then AND logic applies (to match openssl)
++ */
++ if ( cipher_list[i] == -1) )
++ continue;
++ if ( mask && ! (ciphers_def[i].attr & mask) )
++ continue;
++ if ( strength && ! (ciphers_def[i].strength & strength) )
++ continue;
++ if ( protocol && ! (ciphers_def[i].version & protocol) )
++ continue;
++ /* Enable the NULL ciphers only if explicity requested */
++ if (ciphers_def[i].attr & SSL_eNULL) {
++ if (mask & SSL_eNULL)
+ cipher_list[i] = action;
+- }
++ } else
++ cipher_list[i] = action;
+ }
+ } else {
+ for (i=0; i<ciphernum; i++) {
+--
+1.7.9.5
+
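Review bot: The added guard `if ( cipher_list[i] == -1) )` has one closing parenthesis too many, so libraries/libldap/tls_m.c cannot compile with this patch applied; it should read `if ( cipher_list[i] == -1 )`. tls_m.c is presumably built only when the Mozilla NSS TLS backend is selected, which would explain the error going unnoticed, but it also means the CVE-2015-3276 fix has not been compile-tested in this recipe. The patch header also lacks an `Upstream-Status:` line, which the other patches in this commit carry. nss_parse_ciphers begins and ends outside the inner hunk.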
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch
new file mode 100644
index 000000000..b669b7254
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/openldap-m4-pthread.patch
@@ -0,0 +1,20 @@
+--- openldap-2.3.11/build/openldap.m4.orig 2005-11-11 00:11:18.604322590 -0800
++++ openldap-2.3.11/build/openldap.m4 2005-11-11 00:26:21.621145856 -0800
+@@ -788,7 +788,7 @@ AC_DEFUN([OL_PTHREAD_TEST_FUNCTION],[[
+ ]])
+
+ AC_DEFUN([OL_PTHREAD_TEST_PROGRAM],
+-AC_LANG_SOURCE([OL_PTHREAD_TEST_INCLUDES
++[AC_LANG_SOURCE([[OL_PTHREAD_TEST_INCLUDES
+
+ int main(argc, argv)
+ int argc;
+@@ -796,7 +796,7 @@ int main(argc, argv)
+ {
+ OL_PTHREAD_TEST_FUNCTION
+ }
+-]))
++]])])
+ dnl --------------------------------------------------------------------
+ AC_DEFUN([OL_PTHREAD_TRY], [# Pthread try link: $1 ($2)
+ if test "$ol_link_threads" = no ; then
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/slapd.service b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/slapd.service
new file mode 100644
index 000000000..f5f83fdc3
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/slapd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Standalone LDAP Daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=@SBINDIR@/slapd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/thread_stub.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/thread_stub.patch
new file mode 100644
index 000000000..540ba4a63
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/thread_stub.patch
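Review bot: `slapd.service` declares `Type=forking` without a `PIDFile=`, so systemd has to guess which process is the daemon after the fork, which makes stop handling and failure detection less reliable. Add `PIDFile=` pointing at the pidfile slapd is configured to write (the init script in this commit assumes `/var/run/slapd.pid`; the configured value is not visible here). `After=syslog.target` refers to a target that current systemd treats as obsolete and can likely be dropped.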
@@ -0,0 +1,20 @@
+openldap: set pointer
+
+When the function ldap_pvt_thread_pool_getkey() succeeds, it
+must set the value of *data since the caller may try to use it.
+
+Upstream-Status: pending
+
+Signed-off-by: Joe Slater <jslater@windriver.com>
+
+
+--- a/libraries/libldap_r/thr_stub.c
++++ b/libraries/libldap_r/thr_stub.c
+@@ -217,6 +217,7 @@ ldap_pvt_thread_pool_unidle ( ldap_pvt_t
+ int ldap_pvt_thread_pool_getkey (
+ void *ctx, void *key, void **data, ldap_pvt_thread_pool_keyfree_t **kfree )
+ {
++ if (data) *data = NULL; /* avoid problems with uninitialized *data */
+ return(0);
+ }
+
diff --git a/meta-openembedded/meta-oe/recipes-support/openldap/openldap/use-urandom.patch b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/use-urandom.patch
new file mode 100644
index 000000000..e7b988faf
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/openldap/openldap/use-urandom.patch
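Review bot: In thread_stub.patch, `*kfree` is left untouched on the same success path where the stub now clears `*data`, so a caller that reads both out-parameters after a zero return would still see an indeterminate function pointer; whether any caller does so is not visible on this page. Adding `if (kfree) *kfree = NULL;` next to the new line would make the stub's success contract complete.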
@@ -0,0 +1,38 @@
+openldap: assume /dev/urandom exists
+
+When we are cross-compiling, we want to assume
+that /dev/urandom exists. We could change the source
+code to look for it, but this is the easy way out.
+
+Upstream-Status: pending
+
+Signed-off-by: Joe Slater <jslater@windriver.com>
+
+
+--- a/configure.in
++++ b/configure.in
+@@ -2142,8 +2142,8 @@ fi
+
+ dnl ----------------------------------------------------------------
+ dnl Check for entropy sources
++dev=no
+ if test $cross_compiling != yes && test "$ac_cv_mingw32" != yes ; then
+- dev=no
+ if test -r /dev/urandom ; then
+ dev="/dev/urandom";
+ elif test -r /idev/urandom ; then
+@@ -2156,9 +2156,11 @@ if test $cross_compiling != yes && test
+ dev="/idev/random";
+ fi
+
+- if test $dev != no ; then
+- AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device])
+- fi
++elif test $cross_compiling == yes ; then
++ dev="/dev/urandom";
++fi
++if test $dev != no ; then
++ AC_DEFINE_UNQUOTED(URANDOM_DEVICE,"$dev",[set to urandom device])
+ fi
+
+ dnl ----------------------------------------------------------------
 |
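Review bot: The added `elif test $cross_compiling == yes` uses `==`, which POSIX `test` does not define. When configure runs under a strict /bin/sh such as dash, the comparison errors out, `dev` stays `no`, and URANDOM_DEVICE is silently left undefined, so the build falls back to whatever non-urandom entropy path the source has, the opposite of what the patch intends. Use `elif test "$cross_compiling" = yes ; then`, and quote `$dev` in the following `test` as well. The new branch is also taken for a mingw32 cross build, which the original condition deliberately excluded from device probing.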