authorTaichi Haradaguchi <20001722@ymail.ne.jp>2022-12-05 01:47:35 +0900
committerخالد حسني <khaled@libreoffice.org>2023-07-25 10:57:39 +0200
commitf5d1b16ca2b85901d04e6f9dcad16cd36bad2333 (patch)
treebe96fc8dd5f6605204270318a452ef6b099db307 /external
parentd8e9cf6c412874ce7185b98997afd7fb24820f71 (diff)
openldap: upgrade to release 2.6.4
Fixes CVE-2023-2953. Because NSS support has been removed in release 2.5, switch TLS/SSL module used by OpenLDAP to OpenSSL. Add -pthread flag to openldap_LDFLAGS when building on Linux. This avoids errors that occur in libcrypto.a (libcrypto-lib-threads_pthread.o). Change-Id: I4779ce40233d144d930f20e85db7b4ba08f91ea1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/143646 Tested-by: Taichi Haradaguchi <20001722@ymail.ne.jp> Reviewed-by: Taichi Haradaguchi <20001722@ymail.ne.jp> (cherry picked from commit 299ea597d154e1dc3d0f09adf67e05747cca54cf) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/154414 Tested-by: Jenkins Reviewed-by: خالد حسني <khaled@libreoffice.org>
Diffstat (limited to 'external')
-rw-r--r--external/openldap/ExternalProject_openldap.mk20
-rw-r--r--external/openldap/README2
-rw-r--r--external/openldap/openldap-2.4.44.patch.167
-rw-r--r--external/postgresql/ExternalProject_postgresql.mk6
4 files changed, 13 insertions, 82 deletions
diff --git a/external/openldap/ExternalProject_openldap.mk b/external/openldap/ExternalProject_openldap.mk
index 6914d167b56c..e02a35d9943f 100644
--- a/external/openldap/ExternalProject_openldap.mk
+++ b/external/openldap/ExternalProject_openldap.mk
@@ -9,7 +9,7 @@
$(eval $(call gb_ExternalProject_ExternalProject,openldap))
-$(eval $(call gb_ExternalProject_use_externals,openldap,nss3))
+$(eval $(call gb_ExternalProject_use_externals,openldap,openssl))
$(eval $(call gb_ExternalProject_register_targets,openldap,\
build \
@@ -25,12 +25,10 @@ openldap_CFLAGS = -D_XOPEN_SOURCE=500 -D_DEFAULT_SOURCE -D_BSD_SOURCE
endif
openldap_LDFLAGS = $(call gb_ExternalProject_get_link_flags,openldap)
-ifeq ($(SYSTEM_NSS),)
-openldap_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib
+ifeq ($(SYSTEM_OPENSSL),)
+openldap_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,openssl)
endif
-# Help openldap's configure determine that it needs -lpthread even if libasan.so
-# contains a pthread_create override:
-ifneq ($(filter -fsanitize=address,$(CC)),)
+ifeq ($(OS),LINUX)
openldap_LDFLAGS += -pthread
endif
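Review bot: The `ifeq ($(OS),LINUX)` block that adds `-pthread` has lost its explanatory comment, so the reason for the flag now lives only in the commit message. A comment above the `ifeq`, such as `# Static libcrypto.a (threads_pthread.o) references pthread symbols, so link with -pthread on Linux`, would keep it next to the code. The old condition keyed on `-fsanitize=address` in `$(CC)` regardless of OS; if ASan builds on other platforms relied on it, that case is no longer covered and is worth confirming. The flag is also applied when `SYSTEM_OPENSSL` is set, where a shared libcrypto presumably does not need it, so the comment should say whether that is intended.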
@@ -40,7 +38,7 @@ $(call gb_ExternalProject_get_state_target,openldap,build) :
$(gb_RUN_CONFIGURE) ./configure \
--disable-slapd \
--with-pic \
- --with-tls=moznss \
+ --with-tls=openssl \
--without-cyrus-sasl \
--disable-shared \
--enable-static \
@@ -49,11 +47,11 @@ $(call gb_ExternalProject_get_state_target,openldap,build) :
--with-yielding_select=yes \
ac_cv_func_memcmp_working=yes \
) \
- $(if $(SYSTEM_NSS), \
- CPPFLAGS="$(CPPFLAGS) $(NSS_CFLAGS)" CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(NSS_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap)" LDFLAGS="$(LDFLAGS) $(NSS_LIBS)" \
+ $(if $(SYSTEM_OPENSSL), \
+ CPPFLAGS="$(CPPFLAGS) $(OPENSSL_CFLAGS)" CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(OPENSSL_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap)" LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS) $(OPENSSL_LIBS)" \
, \
- CPPFLAGS="$(CPPFLAGS) -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" \
- CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap) -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" \
+ CPPFLAGS="$(CPPFLAGS) -I$(call gb_UnpackedTarball_get_dir,openssl)/include" \
+ CFLAGS="$(CFLAGS) $(openldap_CFLAGS) $(call gb_ExternalProject_get_build_flags,openldap) -I$(call gb_UnpackedTarball_get_dir,openssl)/include" \
) \
$(if $(openldap_LDFLAGS),LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS)") \
&& MAKEFLAGS= && $(MAKE) \
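Review bot: In the `SYSTEM_OPENSSL` branch, the new `LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS) $(OPENSSL_LIBS)"` is followed by the unchanged `$(if $(openldap_LDFLAGS),LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS)")`, so configure receives two `LDFLAGS=` assignments. As far as I can tell the later one wins. Since `openldap_LDFLAGS` now always contains `-pthread` on Linux, `$(OPENSSL_LIBS)` would be dropped whenever system OpenSSL is used there, which matters if it carries a non-default `-L` path. Consider moving the second assignment into the else branch as `LDFLAGS="$(LDFLAGS) $(openldap_LDFLAGS)"` after the bundled `CFLAGS=` line and deleting the trailing `$(if $(openldap_LDFLAGS),…)`. The recipe starts above this hunk and continues past it.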
diff --git a/external/openldap/README b/external/openldap/README
index 0c1828c12b93..48da788f5447 100644
--- a/external/openldap/README
+++ b/external/openldap/README
@@ -1,3 +1,3 @@
OpenLDAP provides an LDAP client library
-http://www.openldap.org/
+https://www.openldap.org/
diff --git a/external/openldap/openldap-2.4.44.patch.1 b/external/openldap/openldap-2.4.44.patch.1
index 317ef9a62e56..1521e86a2664 100644
--- a/external/openldap/openldap-2.4.44.patch.1
+++ b/external/openldap/openldap-2.4.44.patch.1
@@ -1,69 +1,4 @@
-*- Mode: diff -*-
---- openldap.org/configure
-+++ openldap/configure
-@@ -15735,7 +15735,7 @@
- $as_echo_n "(cached) " >&6
- else
- ac_check_lib_save_LIBS=$LIBS
--LIBS="-lnss3 $LIBS"
-+LIBS="-lnss3 -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 $LIBS"
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h. */
-
---- openldap.org/configure.in
-+++ openldap/configure.in
-@@ -1239,7 +1239,8 @@
- AC_CHECK_HEADERS([nssutil.h])
- if test "$ac_cv_header_nssutil_h" = yes ; then
- AC_CHECK_LIB([nss3], [NSS_Initialize],
-- [ have_moznss=yes ], [ have_moznss=no ])
-+ [ have_moznss=yes ], [ have_moznss=no ],
-+ [ -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 ])
- fi
-
- if test "$have_moznss" = yes ; then
---- openldap.org/libraries/libldap/tls_m.c
-+++ openldap/libraries/libldap/tls_m.c
-@@ -49,17 +49,17 @@
- #include <termios.h> /* for echo on/off */
- #endif
-
--#include <nspr/nspr.h>
--#include <nspr/private/pprio.h>
--#include <nss/nss.h>
--#include <nss/ssl.h>
--#include <nss/sslerr.h>
--#include <nss/sslproto.h>
--#include <nss/pk11pub.h>
--#include <nss/secerr.h>
--#include <nss/keyhi.h>
--#include <nss/secmod.h>
--#include <nss/cert.h>
-+#include <nspr.h>
-+#include <private/pprio.h>
-+#include <nss.h>
-+#include <ssl.h>
-+#include <sslerr.h>
-+#include <sslproto.h>
-+#include <pk11pub.h>
-+#include <secerr.h>
-+#include <keyhi.h>
-+#include <secmod.h>
-+#include <cert.h>
-
- #undef NSS_VERSION_INT
- #define NSS_VERSION_INT ((NSS_VMAJOR << 24) | (NSS_VMINOR << 16) | \
---- openldap.org/libraries/libldap/tls2.c
-+++ openldap.org/libraries/libldap/tls2.c
-@@ -80,6 +80,8 @@
- { BER_BVNULL, BER_BVNULL }
- };
-
-+int ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in );
-+
- #ifdef HAVE_TLS
-
- void
--- openldap.org/Makefile.in
+++ openldap/Makefile.in
@@ -13,7 +13,7 @@
@@ -82,4 +17,4 @@
-
-check: test
-test: FORCE
-- cd tests; $(MAKE) test
+- cd tests && $(MAKE) test
diff --git a/external/postgresql/ExternalProject_postgresql.mk b/external/postgresql/ExternalProject_postgresql.mk
index 24e54adf3e0c..1d0a13b6bb03 100644
--- a/external/postgresql/ExternalProject_postgresql.mk
+++ b/external/postgresql/ExternalProject_postgresql.mk
@@ -44,7 +44,7 @@ endif
ifeq ($(ENABLE_OPENSSL),TRUE)
ifeq ($(SYSTEM_OPENSSL),)
postgresql_CPPFLAGS += -I$(call gb_UnpackedTarball_get_dir,openssl)/include
-postgresql_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,openssl)/ $(if $(filter $(OS),LINUX),-pthread)
+postgresql_LDFLAGS += -L$(call gb_UnpackedTarball_get_dir,openssl) $(if $(filter $(OS),LINUX),-pthread)
endif
endif
@@ -54,8 +54,6 @@ postgresql_LDFLAGS += \
-L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/libldap_r/.libs \
-L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/libldap/.libs \
-L$(call gb_UnpackedTarball_get_dir,openldap)/libraries/liblber/.libs \
- $(if $(SYSTEM_NSS),,\
- -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib) \
endif
@@ -76,7 +74,7 @@ $(call gb_ExternalProject_get_state_target,postgresql,build) :
CFLAGS="-fPIC" \
CPPFLAGS="$(postgresql_CPPFLAGS)" \
LDFLAGS="$(postgresql_LDFLAGS)" \
- $(if $(ENABLE_LDAP),EXTRA_LDAP_LIBS="-llber -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4") \
+ $(if $(ENABLE_LDAP),EXTRA_LDAP_LIBS="-llber") \
&& cd src/interfaces/libpq \
&& MAKEFLAGS= && $(MAKE) MAKELEVEL=0 all-static-lib)
$(call gb_Trace_EndRange,postgresql,EXTERNAL)
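Review bot: `EXTRA_LDAP_LIBS="-llber"` no longer names any TLS library, although the static libldap built by this commit now depends on OpenSSL. The bundled OpenSSL `-L` path in the first hunk of this file is only added under `ifeq ($(ENABLE_OPENSSL),TRUE)`, so a build with `ENABLE_LDAP` set but OpenSSL support off would presumably have nothing to resolve libldap's libssl/libcrypto references in configure's LDAP link checks. If that configuration is supported, something like `EXTRA_LDAP_LIBS="-llber -lssl -lcrypto"` plus an `-L` for the bundled OpenSSL whenever LDAP is enabled may be needed; otherwise a comment stating that LDAP requires `ENABLE_OPENSSL` would help. The context lines of the second hunk still pass `-L…/libraries/libldap_r/.libs`, and it is worth checking whether that directory still exists in the 2.6.4 tree.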