diff --git a/build-scripts/compile-options b/build-scripts/compile-options
index a7e416308..a30e4cac3 100644
--- a/build-scripts/compile-options
+++ b/build-scripts/compile-options
@@ -32,10 +32,6 @@ export PROJECT
 # It's a flag: if it's set to 1 - then we use system OpenSSL.
 # Otherwise, we build it.
 if [ -z "$SYSTEM_SSL" ]; then
- # We don't bundle OpenSSL on some redhat-derived systems due to incompatability with libpam and our openssl.
- if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then
- SYSTEM_SSL=1
- fi
 if [ "$OS" = "opensuse" ] || [ "$OS" = "sles" ]; then
 if [ "$OS_VERSION_MAJOR" -ge "15" ]; then
 SYSTEM_SSL=1
diff --git a/build-scripts/configure b/build-scripts/configure
index c54b7b64f..78abfa9f7 100755
--- a/build-scripts/configure
+++ b/build-scripts/configure
@@ -89,6 +89,11 @@ yes)
 ;;
 esac
 
+# RHEL 8 using vendored openssl can't use libpam since the distribution libpam is linked with openssl 1.x
+if [ "$OS" = "rhel" ] && [ "$_OS_VERSION_MAJOR" -eq "8" ]; then
+ var_append ARGS "--without-pam"
+fi
+
 # RHEL 8 requires an SELinux policy
 if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -ge "8" ]; then
 var_append ARGS "--with-selinux-policy"
diff --git a/ci/centos-7-setup-devtoolset-11.sh b/ci/centos-7-setup-devtoolset-11.sh
new file mode 100755
index 000000000..66250e3cf
--- /dev/null
+++ b/ci/centos-7-setup-devtoolset-11.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -ex
+sudo yum install -y centos-release-scl
+sudo rm -f /etc/yum.repos.d/CentOS-SCLo-scl.repo
+sudo sed -i 's,^#baseurl.*$,baseurl=https://vault.centos.org/7.9.2009/sclo/x86_64/rh/,' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
+sudo sed -i '/mirrorlist/d' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
+sudo yum update -y
+sudo yum install -y devtoolset-11
+if ! grep "source /opt/rh/devtoolset-11/enable" /usr/lib/rpm/find-debuginfo.sh; then
+ sudo sed -i '1a\source /opt/rh/devtoolset-11/enable' /usr/lib/rpm/find-debuginfo.sh
+fi
+source /opt/rh/devtoolset-11/enable
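Review bot: With the RHEL branch removed, RHEL 8 and newer now default to the bundled OpenSSL unless the caller exports SYSTEM_SSL=1, yet the openldap spec hunk later in this diff still carries `# we don't bundle OpenSSL on RHEL 8 (and newer in the future)` above `%if %{?rhel}%{!?rhel:0} > 7` as unchanged context. If that branch links openldap against the distribution libssl, it now disagrees with the rest of the build on RHEL 8+ and should be revisited together with its comment. The enclosing `if [ -z "$SYSTEM_SSL" ]` block continues past the end of the hunk.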
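Review bot: The new guard tests `$_OS_VERSION_MAJOR`, while the SELinux check directly below and build-scripts/compile-options use `$OS_VERSION_MAJOR`; if the underscored name is unset, `[ "" -eq "8" ]` fails with an integer-expression error and evaluates false, so `--without-pam` is never appended. Unless `_OS_VERSION_MAJOR` is deliberately defined elsewhere, the line should read `if [ "$OS" = "rhel" ] && [ "$OS_VERSION_MAJOR" -eq "8" ]; then`. The removed compile-options comment described the libpam/OpenSSL mismatch for RHEL 8 and newer, whereas this guard covers only 8; a comment stating why RHEL 9+ is considered safe with the vendored OpenSSL would help the next reader.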
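Review bot: The new script is both executable (mode 100755 with a shebang) and sourced from ci/fix-buildhost.sh, but the trailing `source /opt/rh/devtoolset-11/enable` only reaches the caller's environment in the sourced case, and `set -ex` then also changes the caller's shell options; a header comment such as `# meant to be sourced (see ci/fix-buildhost.sh): the final 'source .../enable' exports the toolchain to the caller` would make that explicit. The guard `grep "source /opt/rh/devtoolset-11/enable" /usr/lib/rpm/find-debuginfo.sh` also prints the matched line to stdout on re-runs; `grep -qF` is the quieter, literal form. `sudo yum update -y` upgrades the whole host before the toolset is installed, which is presumably intended only for a throwaway CI image.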
diff --git a/ci/fix-buildhost.sh b/ci/fix-buildhost.sh
index 7c1671ae3..688375966 100755
--- a/ci/fix-buildhost.sh
+++ b/ci/fix-buildhost.sh
@@ -1,3 +1,16 @@
+#!/usr/bin/env bash
+# it is expected that this file is sourced, not executed directly
+set -ex
+my_path="$(realpath "${BASH_SOURCE[0]}")"
+my_dir="$(dirname "$my_path")"
+
+if [ -f /etc/os-release ]; then
+ source /etc/os-release
+ if [ "$ID" = "centos" ] && [ "$VERSION_ID" = "7" ]; then
+ source "$my_dir"/centos-7-setup-devtoolset-11.sh
+ fi
+fi
+
 if [ "$(uname)" = "HP-UX" ]; then
 # /etc/profile contains tty code that won't work well when sourced and this VUE env var guards against running those bits
 # https://ftp.mirrorservice.org/sites/www.bitsavers.org/pdf/hp/9000_hpux/9.x/B1171-90044_HP_Visual_User_Environment_System_Administration_Manual_Nov91.pdf
@@ -10,3 +23,16 @@ if [ -f /etc/profile ]; then
 # e.g. ent-14014: custom build of ssh needed for build-artifacts-cache needed and /etc/profile has PATH=/opt/craig/bin:$PATH
 . /etc/profile
 fi
+
+mkdir -p ~/.ssh
+echo "build-artifacts-cache.cloud.cfengine.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGahpsY8Phk2+isBmuJQjjQVlh6BNL/Qetc14g26gowV" >> ~/.ssh/known_hosts
+
+# /etc/profile can contain tricky things, on suse for example it includes a call to tty which will fail in CI
+# so only source /etc/profile where we absolutely need it.
+if [ "$(uname)" = "HP-UX" ] || [ "$(uname)" = "SunOS" ]; then
+ if [ -f /etc/profile ]; then
+ # running on the proxied host or not we want to make sure local customizations are taken
+ # e.g. ent-14014: custom build of ssh needed for build-artifacts-cache needed and /etc/profile has PATH=/opt/craig/bin:$PATH
+ . /etc/profile
+ fi
+fi
diff --git a/ci/linux-install-jdk21.sh b/ci/linux-install-jdk21.sh
index d115853bd..cc2c836b1 100755
--- a/ci/linux-install-jdk21.sh
+++ b/ci/linux-install-jdk21.sh
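Review bot: `my_path="$(realpath "${BASH_SOURCE[0]}")"` now runs unconditionally under `set -e` before the HP-UX/SunOS handling further down, so on a host where `realpath` is not installed (this file exists precisely to cope with HP-UX and SunOS) sourcing it aborts the caller's shell before anything else runs. Either compute the directory only inside the `/etc/os-release` branch, where it is actually used, or use a builtin-only fallback such as `my_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)`. Because the file is sourced, `set -ex` also persists in the sourcing shell, which the comment on the second line could mention.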
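Review bot: The `echo ... >> ~/.ssh/known_hosts` appends the pinned host key every time this file is sourced, so known_hosts grows one duplicate entry per CI run; guard it with `ssh-keygen -F build-artifacts-cache.cloud.cfengine.com >/dev/null || echo "..." >> ~/.ssh/known_hosts` and follow the `mkdir -p ~/.ssh` with the conventional `chmod 700 ~/.ssh`. The new comment says /etc/profile should only be sourced where it is needed, yet the `. /etc/profile` that appears as unchanged context at the top of this hunk stays in place; unless that block sits inside the HP-UX guard (old lines 4–9 are outside the hunk), suse hosts still source it and HP-UX/SunOS hosts now source it twice, so the older block looks like it should have been removed rather than duplicated.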
@@ -9,15 +9,15 @@ install_jdk() {
 baseurl=https://download.oracle.com/java/21/archive/
 major_version=21
 baseurl="https://download.oracle.com/java/${major_version}/archive/"
- version=21.0.10
+ version=21.0.11
 if uname -m | grep aarch64; then
 tarball=jdk-${version}_linux-aarch64_bin.tar.gz
 # checksum from https://download.oracle.com/java/${major_version}/archive/jdk-${version}_linux-aarch64_bin.tar.gz.sha256
- sha=edaf800c6deb1e7daeb448ef9c6a047551fd681942cb9e37e2729ae1a3918d1d
+ sha=2ebe89cad767abba83fb0b8cedd2d2d9bcbf947315fde78f7263a57a24f43b96
 else
 tarball=jdk-${version}_linux-x64_bin.tar.gz
 # checksum from https://download.oracle.com/java/${major_version}/latest/jdk-${version}_linux-x64_bin.tar.gz.sha256
- sha=773eff7191d996d3b6ce3a99c21ce69cf2d836fd07277106313732a098d4309a
+ sha=e1c25a83f9e2e374c93e0c29cc3d98a947621ae0fefa4a8d932951eb160c47c3
 fi
 wget --quiet "$baseurl$tarball"
 echo "$sha $tarball" | sha256sum --check -
diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec
index d014b74e2..854b8cafd 100644
--- a/deps-packaging/apache/cfbuild-apache.spec
+++ b/deps-packaging/apache/cfbuild-apache.spec
@@ -1,4 +1,4 @@
-%define apache_version 2.4.66
+%define apache_version 2.4.67
 %global __os_install_post %{nil}
 Summary: CFEngine Build Automation -- apache
diff --git a/deps-packaging/apache/distfiles b/deps-packaging/apache/distfiles
index 115bd09b5..e2962e04d 100644
--- a/deps-packaging/apache/distfiles
+++ b/deps-packaging/apache/distfiles
@@ -1 +1 @@
-442184763b60936471b88a91275f79d2407733b7aac27e345f270e8bc31c3d49 httpd-2.4.66.tar.gz
+10a578d199c3930250534fac629995f34ef7571709a7c88c45239e1fdc88cf77 httpd-2.4.67.tar.gz
diff --git a/deps-packaging/git/cfbuild-git.spec b/deps-packaging/git/cfbuild-git.spec
index e2d50a60f..6bd8ab7c0 100644
--- a/deps-packaging/git/cfbuild-git.spec
+++ b/deps-packaging/git/cfbuild-git.spec
@@ -1,4 +1,4 @@
-%define git_version 2.53.0
+%define git_version 2.54.0
 Summary: CFEngine Build Automation -- git
 Name: cfbuild-git
diff --git a/deps-packaging/git/distfiles b/deps-packaging/git/distfiles
index f67a1446f..b02e4b46a 100644
--- a/deps-packaging/git/distfiles
+++ b/deps-packaging/git/distfiles
@@ -1 +1 @@
-429dc0f5fe5f14109930cdbbb588c5d6ef5b8528910f0d738040744bebdc6275 git-2.53.0.tar.gz
+45e8107643a44e3ce46f5665beb35af3932fb0d70017687905ab5d4e3aafa8eb git-2.54.0.tar.gz
diff --git a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
index bc9a1045d..61af2fd7e 100644
--- a/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
+++ b/deps-packaging/libcurl-hub/cfbuild-libcurl-hub.spec
@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl-hub
diff --git a/deps-packaging/libcurl-hub/distfiles b/deps-packaging/libcurl-hub/distfiles
index 06c2470ca..024e5bcdd 100644
--- a/deps-packaging/libcurl-hub/distfiles
+++ b/deps-packaging/libcurl-hub/distfiles
@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz
diff --git a/deps-packaging/libcurl/cfbuild-libcurl.spec b/deps-packaging/libcurl/cfbuild-libcurl.spec
index 592d6c389..82023bbb7 100644
--- a/deps-packaging/libcurl/cfbuild-libcurl.spec
+++ b/deps-packaging/libcurl/cfbuild-libcurl.spec
@@ -1,4 +1,4 @@
-%define curl_version 8.17.0
+%define curl_version 8.20.0
 Summary: CFEngine Build Automation -- libcurl
 Name: cfbuild-libcurl
diff --git a/deps-packaging/libcurl/distfiles b/deps-packaging/libcurl/distfiles
index 06c2470ca..024e5bcdd 100644
--- a/deps-packaging/libcurl/distfiles
+++ b/deps-packaging/libcurl/distfiles
@@ -1 +1 @@
-e8e74cdeefe5fb78b3ae6e90cd542babf788fa9480029cfcee6fd9ced42b7910 curl-8.17.0.tar.gz
+fc5819cad3f9f5482669adcdc49a782c15f36d2a0715b395b06d9173593d2dc0 curl-8.20.0.tar.gz
diff --git a/deps-packaging/libexpat/cfbuild-libexpat.spec b/deps-packaging/libexpat/cfbuild-libexpat.spec
index 1a8777af2..a0e177fd9 100644
--- a/deps-packaging/libexpat/cfbuild-libexpat.spec
+++ b/deps-packaging/libexpat/cfbuild-libexpat.spec
@@ -1,4 +1,4 @@
-%define expat_version 2.7.5
+%define expat_version 2.8.1
 Summary: CFEngine Build Automation -- libexpat
 Name: cfbuild-libexpat
diff --git a/deps-packaging/libexpat/distfiles b/deps-packaging/libexpat/distfiles
index 2e8dfed90..c2bb242b7 100644
--- a/deps-packaging/libexpat/distfiles
+++ b/deps-packaging/libexpat/distfiles
@@ -1 +1 @@
-1032dfef4ff17f70464827daa28369b20f6584d108bc36f17ab1676e1edd2f91 expat-2.7.5.tar.xz
+10b195ee78160a908388180a8fe3603d4e9a12f4755fbf5f3816b23a9d750da0 expat-2.8.1.tar.xz
diff --git a/deps-packaging/libexpat/source b/deps-packaging/libexpat/source
index a6177fb5e..9d573df43 100644
--- a/deps-packaging/libexpat/source
+++ b/deps-packaging/libexpat/source
@@ -1 +1 @@
-https://github.com/libexpat/libexpat/releases/download/R_2_7_5/
+https://github.com/libexpat/libexpat/releases/download/R_2_8_1/
diff --git a/deps-packaging/libxml2/cfbuild-libxml2.spec b/deps-packaging/libxml2/cfbuild-libxml2.spec
index dee239d1d..90559aee5 100644
--- a/deps-packaging/libxml2/cfbuild-libxml2.spec
+++ b/deps-packaging/libxml2/cfbuild-libxml2.spec
@@ -1,4 +1,4 @@
-%define libxml_version 2.15.2
+%define libxml_version 2.15.3
 Summary: CFEngine Build Automation -- libxml2
 Name: cfbuild-libxml2
diff --git a/deps-packaging/libxml2/distfiles b/deps-packaging/libxml2/distfiles
index 5b301b300..035bb2aaa 100644
--- a/deps-packaging/libxml2/distfiles
+++ b/deps-packaging/libxml2/distfiles
@@ -1 +1 @@
-c8b9bc81f8b590c33af8cc6c336dbff2f53409973588a351c95f1c621b13d09d libxml2-2.15.2.tar.xz
+78262a6e7ac170d6528ebfe2efccdf220191a5af6a6cd61ea4a9a9a5042c7a07 libxml2-2.15.3.tar.xz
diff --git a/deps-packaging/nghttp2/cfbuild-nghttp2.spec b/deps-packaging/nghttp2/cfbuild-nghttp2.spec
index 06c9ffbb3..9181c500e 100644
--- a/deps-packaging/nghttp2/cfbuild-nghttp2.spec
+++ b/deps-packaging/nghttp2/cfbuild-nghttp2.spec
@@ -1,4 +1,4 @@
-%define nghttp2_version 1.68.1
+%define nghttp2_version 1.69.0
 Summary: CFEngine Build Automation -- nghttp2
 Name: cfbuild-nghttp2
diff --git a/deps-packaging/nghttp2/distfiles b/deps-packaging/nghttp2/distfiles
index 82cbf8784..713246209 100644
--- a/deps-packaging/nghttp2/distfiles
+++ b/deps-packaging/nghttp2/distfiles
@@ -1 +1 @@
-6abd7ab0a7f1580d5914457cb3c85eb80455657ee5119206edbd7f848c14f0b2 nghttp2-1.68.1.tar.xz
+1fb324b6ec2c56f6bde0658f4139ffd8209fa9e77ce98fd7a5f63af8d0e508ad nghttp2-1.69.0.tar.xz
diff --git a/deps-packaging/nghttp2/source b/deps-packaging/nghttp2/source
index 3bce8feda..5202c92a7 100644
--- a/deps-packaging/nghttp2/source
+++ b/deps-packaging/nghttp2/source
@@ -1 +1 @@
-https://github.com/nghttp2/nghttp2/releases/download/v1.68.1/
+https://github.com/nghttp2/nghttp2/releases/download/v1.69.0/
diff --git a/deps-packaging/openldap/75b624f47574dffb1f5041625cf9d6218dbcb07d.patch b/deps-packaging/openldap/75b624f47574dffb1f5041625cf9d6218dbcb07d.patch
new file mode 100644
index 000000000..533716822
--- /dev/null
+++ b/deps-packaging/openldap/75b624f47574dffb1f5041625cf9d6218dbcb07d.patch
@@ -0,0 +1,108 @@ +From 75b624f47574dffb1f5041625cf9d6218dbcb07d Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Thu, 30 Apr 2026 16:57:27 -0700 +Subject: [PATCH] ITS#10498 libldap: more const-correctness for OpenSSL 4 + +--- + libraries/libldap/tls_o.c | 20 ++++++++++---------- + servers/slapd/overlays/autoca.c | 7 ++++++- + 2 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 428bc32c85..93a7070f81 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -198,8 +198,8 @@ tlso_ca_list( char * bundle, char * dir, X509 *cert, STACK_OF(X509_NAME) *ca_lis + ldap_charray_free( dirs ); + } + if ( cert ) { +- X509_NAME *xn = X509_get_subject_name( cert ); +- xn = X509_NAME_dup( xn ); ++ const X509_NAME *cxn = X509_get_subject_name( cert ); ++ X509_NAME *xn = X509_NAME_dup( cxn ); + if ( xn && ca_list ) { + sk_X509_NAME_push( ca_list, xn ); + } +@@ -924,7 +924,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn ) + { + tlso_session *s = (tlso_session *)sess; + X509 *x; +- X509_NAME *xn; ++ const X509_NAME *xn; + + x = SSL_get_certificate( s ); + +@@ -961,7 +961,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn ) + { + tlso_session *s = (tlso_session *)sess; + X509 *x = tlso_get_cert( s ); +- X509_NAME *xn; ++ const X509_NAME *xn; + + if ( !x ) + return LDAP_INVALID_CREDENTIALS; +@@ -1037,7 +1037,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + if (chkSAN) { + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) { +- X509_EXTENSION *ex; ++ const X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + + ex = X509_get_ext(x, i); +@@ -1143,10 +1143,10 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + } + + if (ret != LDAP_SUCCESS) { +- X509_NAME *xn; +- X509_NAME_ENTRY *ne; ++ const X509_NAME *xn; ++ const X509_NAME_ENTRY *ne; + ASN1_OBJECT *obj; +- ASN1_STRING *cn = NULL; ++ 
const ASN1_STRING *cn = NULL; + char *cnstr; + int cnlen; + int navas; +@@ -1742,8 +1742,8 @@ tlso_verify_cb( int ok, X509_STORE_CTX *ctx ) + X509 *cert; + int errnum; + int errdepth; +- X509_NAME *subject; +- X509_NAME *issuer; ++ const X509_NAME *subject; ++ const X509_NAME *issuer; + char *sname; + char *iname; + char *certerr = NULL; +diff --git a/servers/slapd/overlays/autoca.c b/servers/slapd/overlays/autoca.c +index 43761655d2..da978c3233 100644 +--- a/servers/slapd/overlays/autoca.c ++++ b/servers/slapd/overlays/autoca.c +@@ -44,9 +44,13 @@ + + #if OPENSSL_VERSION_NUMBER >= 0x10100000 + #include ++#ifndef X509_get_notBefore + #define X509_get_notBefore(x) X509_getm_notBefore(x) ++#endif ++#ifndef X509_get_notAfter + #define X509_get_notAfter(x) X509_getm_notAfter(x) + #endif ++#endif + + #if OPENSSL_VERSION_MAJOR >= 3 + #define BN_pseudo_rand(bn, bits, top, bottom) BN_rand(bn, bits, top, bottom) +@@ -272,7 +276,8 @@ typedef struct genargs { + + static int autoca_gencert( Operation *op, genargs *args ) + { +- X509_NAME *subj_name, *issuer_name; ++ X509_NAME *subj_name; ++ const X509_NAME *issuer_name; + X509 *subj_cert; + struct berval derdn; + unsigned char *pp; +-- +GitLab + diff --git a/deps-packaging/openldap/a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch b/deps-packaging/openldap/a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch new file mode 100644 index 000000000..47d4b6927 --- /dev/null +++ b/deps-packaging/openldap/a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch 
@@ -0,0 +1,73 @@ +From a599597cb3cb6d36f888bffcbd0b010a644b92c5 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Tue, 28 Apr 2026 16:49:32 +0100 +Subject: [PATCH] ITS#10498 libldap: fix for OpenSSL 4 compatibility + +--- + libraries/libldap/tls_o.c | 33 +++++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 14 deletions(-) + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 02dc4cd92f..428bc32c85 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -1147,6 +1147,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + X509_NAME_ENTRY *ne; + ASN1_OBJECT *obj; + ASN1_STRING *cn = NULL; ++ char *cnstr; ++ int cnlen; + int navas; + + /* find the last CN */ +@@ -1174,22 +1176,25 @@ no_cn: + } + ld->ld_error = LDAP_STRDUP( + _("TLS: unable to get CN from peer certificate")); ++ } else { ++ cnlen = ASN1_STRING_length( cn ); ++ cnstr = (char *)ASN1_STRING_get0_data( cn ); ++ if ( cnlen == nlen && ++ strncasecmp( name, (char *) cnstr, nlen ) == 0 ) { ++ ret = LDAP_SUCCESS; + +- } else if ( cn->length == nlen && +- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) { +- ret = LDAP_SUCCESS; +- +- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) { +- char *domain = strchr(name, '.'); +- if( domain ) { +- int dlen; ++ } else if (( cnstr[0] == '*' ) && ( cnstr[1] == '.' )) { ++ char *domain = strchr(name, '.'); ++ if( domain ) { ++ int dlen; + +- dlen = nlen - (domain-name); ++ dlen = nlen - (domain-name); + +- /* Is this a wildcard match? */ +- if ((dlen == cn->length-1) && +- !strncasecmp(domain, (char *) &cn->data[1], dlen)) { +- ret = LDAP_SUCCESS; ++ /* Is this a wildcard match? 
*/ ++ if ((dlen == cnlen-1) && ++ !strncasecmp(domain, cnstr+1, dlen)) { ++ ret = LDAP_SUCCESS; ++ } + } + } + } +@@ -1197,7 +1202,7 @@ no_cn: + if( ret == LDAP_LOCAL_ERROR ) { + Debug3( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " + "common name in certificate (%.*s).\n", +- name, cn->length, cn->data ); ++ name, cnlen, cnstr ); + ret = LDAP_CONNECT_ERROR; + if ( ld->ld_error ) { + LDAP_FREE( ld->ld_error ); +-- +GitLab + diff --git a/deps-packaging/openldap/a704373426e37fd7f4e4beb3be451b5555799517.patch b/deps-packaging/openldap/a704373426e37fd7f4e4beb3be451b5555799517.patch new file mode 100644 index 000000000..4c7c4f6fb --- /dev/null +++ b/deps-packaging/openldap/a704373426e37fd7f4e4beb3be451b5555799517.patch 
@@ -0,0 +1,40 @@ +From a704373426e37fd7f4e4beb3be451b5555799517 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Mon, 4 May 2026 15:35:20 +0100 +Subject: [PATCH] ITS#10498 libldap: silence a couple more warnings + +OpenSSL 3 and 4 differ on constness here, and 4 is self-inconsistent +between getter and d2i. Discard the useless const qualifiers. +--- + libraries/libldap/tls_o.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 93a7070f81..4dd4ff5205 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -557,7 +557,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + if ( is_server ) { + STACK_OF(X509_NAME) *ca_list = SSL_CTX_get_client_CA_list( ctx ); + if ( ca_list ) { +- X509_NAME *xn = X509_get_subject_name( cert ); ++ X509_NAME *xn = (X509_NAME *)X509_get_subject_name( cert ); + if ( xn ) + xn = X509_NAME_dup( xn ); + if ( xn ) +@@ -1037,10 +1037,10 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + if (chkSAN) { + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) { +- const X509_EXTENSION *ex; ++ X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + +- ex = X509_get_ext(x, i); ++ ex = (X509_EXTENSION *)X509_get_ext(x, i); + alt = X509V3_EXT_d2i(ex); + if (alt) { + int n, len2 = 0; +-- +GitLab + diff --git a/deps-packaging/openldap/cfbuild-openldap-aix.spec b/deps-packaging/openldap/cfbuild-openldap-aix.spec index cbc24973b..19ce4bc5a 100644 --- a/deps-packaging/openldap/cfbuild-openldap-aix.spec +++ b/deps-packaging/openldap/cfbuild-openldap-aix.spec 
@@ -6,6 +6,11 @@ Version: %{version}
 Release: 1
 Source0: openldap-%{openldap_version}.tgz
 Patch0: no_Sockaddr_redefine.patch
+# patches for openssl 4.0.0 unavailable in a release as of 2.6.13
+Patch1: f3b49ffa10d93e841d00f05d9f56b88078acf235.patch
+Patch2: a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch
+Patch3: 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch
+Patch4: a704373426e37fd7f4e4beb3be451b5555799517.patch
 License: MIT
 Group: Other
 Url: https://cfengine.com
@@ -20,6 +25,10 @@ mkdir -p %{_builddir}
 %setup -q -n openldap-%{openldap_version}
 %patch0 -p0
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 # Either "$LDFLAGS -L%{prefix}lib"
 # Or "-bsvr4 $LDFLAGS -Wl,-R,%{prefix}/lib"
diff --git a/deps-packaging/openldap/cfbuild-openldap.spec b/deps-packaging/openldap/cfbuild-openldap.spec
index 91ba0ddef..cc3acc666 100644
--- a/deps-packaging/openldap/cfbuild-openldap.spec
+++ b/deps-packaging/openldap/cfbuild-openldap.spec
@@ -6,6 +6,11 @@ Version: %{version}
 Release: 1
 Source0: openldap-%{openldap_version}.tgz
 Patch0: no_Sockaddr_redefine.patch
+# patches for openssl 4.0.0 unavailable in a release as of 2.6.13
+Patch1: f3b49ffa10d93e841d00f05d9f56b88078acf235.patch
+Patch2: a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch
+Patch3: 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch
+Patch4: a704373426e37fd7f4e4beb3be451b5555799517.patch
 License: MIT
 Group: Other
 Url: https://cfengine.com
@@ -20,6 +25,10 @@ mkdir -p %{_builddir}
 %setup -q -n openldap-%{openldap_version}
 %patch0 -p0
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
 %if %{?rhel}%{!?rhel:0} > 7
diff --git a/deps-packaging/openldap/debian/rules b/deps-packaging/openldap/debian/rules
index 7117f9794..dc7ec5f90 100755
--- a/deps-packaging/openldap/debian/rules
+++ b/deps-packaging/openldap/debian/rules
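Review bot: Patch1–Patch4 are upstream commits that build on one another (the embedded `index` lines chain tls_o.c through 428bc32c85 → 93a7070f81 → 4dd4ff5205, and the third patch edits the `cnstr`/`cnlen` lines the second introduces), so the numbering here and the `%patch1`..`%patch4` sequence in the `%setup` hunk must not be reordered; the comment above Patch1 could say so, e.g. `# upstream commits for ITS#10149/ITS#10498, order-dependent; drop once a release after 2.6.13 ships them`. The first patch's post-image (729b6e9308) is not the second patch's pre-image (02dc4cd92f), which suggests intermediate upstream commits were skipped — if `%patch2 -p1` applies with fuzz, that is worth recording next to the comment. The same ordering note applies to cfbuild-openldap.spec and the two debian/rules files in this diff.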
@@ -26,6 +26,11 @@ build: build-stamp
 build-stamp:
 dh_testdir
 
+ patch -p1 < f3b49ffa10d93e841d00f05d9f56b88078acf235.patch
+ patch -p1 < a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch
+ patch -p1 < 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch
+ patch -p1 < a704373426e37fd7f4e4beb3be451b5555799517.patch
+
 ./configure --prefix=$(PREFIX) \
 --enable-shared \
 --disable-slapd \
diff --git a/deps-packaging/openldap/f3b49ffa10d93e841d00f05d9f56b88078acf235.patch b/deps-packaging/openldap/f3b49ffa10d93e841d00f05d9f56b88078acf235.patch
new file mode 100644
index 000000000..4328a2d3f
--- /dev/null
+++ b/deps-packaging/openldap/f3b49ffa10d93e841d00f05d9f56b88078acf235.patch
@@ -0,0 +1,493 @@ +From f3b49ffa10d93e841d00f05d9f56b88078acf235 Mon Sep 17 00:00:00 2001 +From: Graham Leggett +Date: Mon, 15 Dec 2025 22:52:13 +0000 +Subject: [PATCH] ITS#10149 - Allow certificates and keys to be read from URIs + +--- + doc/man/man3/ldap_get_option.3 | 33 +++++ + include/ldap.h | 2 + + libraries/libldap/ldap-int.h | 6 +- + libraries/libldap/tls2.c | 39 +++++- + libraries/libldap/tls_g.c | 28 ++++ + libraries/libldap/tls_o.c | 227 +++++++++++++++++++++++++++++---- + 6 files changed, 305 insertions(+), 30 deletions(-) + +diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 +index 45e91a28e5..63601f28a7 100644 +--- a/doc/man/man3/ldap_get_option.3 ++++ b/doc/man/man3/ldap_get_option.3 +@@ -678,6 +678,22 @@ must be + and its contents need to be freed by the caller using + .BR ldap_memfree (3). + .TP ++.B LDAP_OPT_X_TLS_CACERTURIS ++Sets/gets an array containing the URIs of CA certificates. The ++URIs accepted are based on the underlying crypto library. In the ++case of OpenSSL, the URIs are handled by the provider interface, and a ++URI without a scheme is treated as a file path. ++.BR outvalue ++must be a ++.BR "char ***" , ++and the caller is responsible of freeing the returned string by calling ++.BR ldap_memvfree (3), ++while ++.BR invalue ++must be a NULL-terminated ++.BR "char *const *" ; ++the library duplicates the corresponding string. ++.TP + .B LDAP_OPT_X_TLS_CERTFILE + Sets/gets the full-path of the certificate file. + .BR invalue +@@ -883,6 +899,23 @@ When using the OpenSSL library this is an SSL*. When using other + crypto libraries this is a pointer to an OpenLDAP private structure. + Applications generally should not use this option. + .TP ++.B LDAP_OPT_X_TLS_URIS ++Sets/gets an array containing the URIs of certificates, intermediate ++certificates and keys. The URIs accepted are based on the underlying ++crypto library. 
In the case of OpenSSL, the URIs are handled by the ++provider interface, and a URI without a scheme is treated as a file ++path. ++.BR outvalue ++must be a ++.BR "char ***" , ++and the caller is responsible of freeing the returned string by calling ++.BR ldap_memvfree (3), ++while ++.BR invalue ++must be a NULL-terminated ++.BR "char *const *" ; ++the library duplicates the corresponding string. ++.TP + .B LDAP_OPT_X_TLS_VERSION + Gets the TLS version being used on an established TLS session. + .BR outvalue +diff --git a/include/ldap.h b/include/ldap.h +index 521bc0caba..f916226f46 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -164,6 +164,8 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_PEERKEY_HASH 0x6019 + #define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a + #define LDAP_OPT_X_TLS_PROTOCOL_MAX 0x601b ++#define LDAP_OPT_X_TLS_URIS 0x601c ++#define LDAP_OPT_X_TLS_CACERTURIS 0x601d + + #define LDAP_OPT_X_TLS_NEVER 0 + #define LDAP_OPT_X_TLS_HARD 1 +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 78e1f806a2..33b94a59bd 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -187,6 +187,8 @@ struct ldaptls { + struct berval lt_cacert; + struct berval lt_cert; + struct berval lt_key; ++ char **lt_cacerturis; ++ char **lt_uris; + }; + #endif + +@@ -310,7 +312,9 @@ struct ldapoptions { + #define ldo_tls_cacert ldo_tls_info.lt_cacert + #define ldo_tls_cert ldo_tls_info.lt_cert + #define ldo_tls_key ldo_tls_info.lt_key +- int ldo_tls_mode; ++#define ldo_tls_uris ldo_tls_info.lt_uris ++#define ldo_tls_cacerturis ldo_tls_info.lt_cacerturis ++ int ldo_tls_mode; + int ldo_tls_require_cert; + int ldo_tls_impl; + int ldo_tls_crlcheck; +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 1fb878aab8..158b552b1a 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -849,7 +849,20 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + } + break; + } +- ++ case 
LDAP_OPT_X_TLS_URIS: ++ if( lo->ldo_tls_uris == NULL ) { ++ * (char ***) arg = NULL; ++ } else { ++ * (char ***) arg = ldap_value_dup(lo->ldo_tls_uris); ++ } ++ break; ++ case LDAP_OPT_X_TLS_CACERTURIS: ++ if( lo->ldo_tls_cacerturis == NULL ) { ++ * (char ***) arg = NULL; ++ } else { ++ * (char ***) arg = ldap_value_dup(lo->ldo_tls_cacerturis); ++ } ++ break; + default: + return -1; + } +@@ -1107,7 +1120,29 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + } + + return rc; +- } ++ } ++ case LDAP_OPT_X_TLS_URIS: { ++ char *const *uris = (char *const *) arg; ++ ++ if( lo->ldo_tls_uris ) { ++ LDAP_VFREE(lo->ldo_tls_uris); ++ } ++ if ( uris ) { ++ lo->ldo_tls_uris = ldap_value_dup(uris); ++ } ++ return 0; ++ } ++ case LDAP_OPT_X_TLS_CACERTURIS: { ++ char *const *uris = (char *const *) arg; ++ ++ if( lo->ldo_tls_cacerturis ) { ++ LDAP_VFREE(lo->ldo_tls_cacerturis); ++ } ++ if ( uris ) { ++ lo->ldo_tls_cacerturis = ldap_value_dup(uris); ++ } ++ return 0; ++ } + default: + return -1; + } +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index d4e7ee0bf7..2652cf6713 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -395,6 +395,34 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + + ctx->reqcert = lo->ldo_tls_require_cert; + ++ if ( lo->ldo_tls_uris ) ++ { ++ /* ++ * TODO: figure out URL enumeration. 
++ * ++ * Hopeful functions: ++ * gnutls_privkey_import_url ++ * gnutls_url_is_supported ++ * gnutls_tpm_get_registered ++ * gnutls_tpm_key_list_get_url ++ * gnutls_pkcs11_obj_list_import_url4 ++ * gnutls_pkcs11_obj_get_type ++ */ ++ ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: uris are not supported.\n" ); ++ strncpy( errmsg, "TLS uris are not supported", ERRBUFSIZE ); ++ return -1; ++ } ++ ++ if ( lo->ldo_tls_cacerturis ) ++ { ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: cacerturis are not supported.\n" ); ++ strncpy( errmsg, "TLS cacerturis are not supported", ERRBUFSIZE ); ++ return -1; ++ } ++ + return 0; + } + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 155f685c99..729b6e9308 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -46,6 +46,9 @@ + #include + #include + #include ++#if OPENSSL_VERSION_MAJOR >= 3 ++#include ++#endif + #endif + + #if OPENSSL_VERSION_NUMBER >= 0x10100000 +@@ -169,37 +172,42 @@ BIO_meth_free( BIO_METHOD *meth ) + #endif /* OpenSSL 1.1 */ + + static STACK_OF(X509_NAME) * +-tlso_ca_list( char * bundle, char * dir, X509 *cert ) ++tlso_ca_list( char * bundle, char * dir, X509 *cert, STACK_OF(X509_NAME) *ca_list ) + { +- STACK_OF(X509_NAME) *ca_list = NULL; +- + if ( bundle ) { +- ca_list = SSL_load_client_CA_file( bundle ); ++ if ( !SSL_add_file_cert_subjects_to_stack( ca_list, bundle ) ) { ++ Debug1( LDAP_DEBUG_ANY, "TLS: " ++ "could not load client CA list (file:`%s').\n", ++ bundle ); ++ return NULL; ++ } + } + if ( dir ) { + char **dirs = ldap_str2charray( dir, CERTPATHSEP ); +- int freeit = 0, i, success = 0; ++ int i; + +- if ( !ca_list ) { +- ca_list = sk_X509_NAME_new_null(); +- freeit = 1; +- } + for ( i=0; dirs[i]; i++ ) { +- success += SSL_add_dir_cert_subjects_to_stack( ca_list, dir ); +- } +- if ( !success && freeit ) { +- sk_X509_NAME_free( ca_list ); +- ca_list = NULL; ++ if ( !SSL_add_dir_cert_subjects_to_stack( ca_list, dirs[i] )) { ++ Debug1( LDAP_DEBUG_ANY, "TLS: " ++ "could not load 
client CA list (dir:`%s').\n", ++ dirs[i] ); ++ ldap_charray_free( dirs ); ++ return NULL; ++ } + } + ldap_charray_free( dirs ); + } + if ( cert ) { + X509_NAME *xn = X509_get_subject_name( cert ); + xn = X509_NAME_dup( xn ); +- if ( !ca_list ) +- ca_list = sk_X509_NAME_new_null(); +- if ( xn && ca_list ) ++ if ( xn && ca_list ) { + sk_X509_NAME_push( ca_list, xn ); ++ } ++ else { ++ Debug0( LDAP_DEBUG_ANY, "TLS: " ++ "could not load client CA list: subject missing\n" ); ++ return NULL; ++ } + } + return ca_list; + } +@@ -456,7 +464,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + } + + if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL && +- lo->ldo_tls_cacert.bv_val == NULL ) { ++ lo->ldo_tls_cacert.bv_val == NULL && lo->ldo_tls_cacerturis == NULL ) { + if ( !SSL_CTX_set_default_verify_paths( ctx ) ) { + Debug0( LDAP_DEBUG_ANY, "TLS: " + "could not use default certificate paths" ); +@@ -465,6 +473,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + } + } else { + X509 *cert = NULL; ++ ++ if ( is_server ) { ++ STACK_OF(X509_NAME) *ca_list = sk_X509_NAME_new_null(); ++ SSL_CTX_set_client_CA_list( ctx, ca_list ); ++ } ++ + if ( lo->ldo_tls_cacert.bv_val ) { + const unsigned char *pp = (const unsigned char *) (lo->ldo_tls_cacert.bv_val); + cert = d2i_X509( NULL, &pp, lo->ldo_tls_cacert.bv_len ); +@@ -509,20 +523,81 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + } + } + ++ if ( lo->ldo_tls_cacerturis ) ++ { ++#if OPENSSL_VERSION_MAJOR >= 3 ++ int i; ++ ++ for(i=0; lo->ldo_tls_cacerturis[i] != NULL; i++) { ++ OSSL_STORE_CTX *sctx; ++ OSSL_STORE_INFO *info; ++ ++ sctx = OSSL_STORE_open( lo->ldo_tls_cacerturis[i], NULL, NULL, NULL, NULL ); ++ if (!sctx) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not open uri `%s'.\n", ++ lo->ldo_tls_cacerturis[i] ); ++ tlso_report_error( errmsg ); ++ return -1; ++ } ++ ++ while ((info = OSSL_STORE_load( 
sctx ))) { ++ switch (OSSL_STORE_INFO_get_type( info )) { ++ case OSSL_STORE_INFO_CERT: ++ X509 *cert = OSSL_STORE_INFO_get0_CERT( info ); ++ X509_STORE *store = SSL_CTX_get_cert_store( ctx ); ++ if ( !X509_STORE_add_cert( store, cert ) ) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate from uri `%s'.\n", ++ lo->ldo_tls_cacerturis[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close( sctx ); ++ return -1; ++ } ++ if ( is_server ) { ++ STACK_OF(X509_NAME) *ca_list = SSL_CTX_get_client_CA_list( ctx ); ++ if ( ca_list ) { ++ X509_NAME *xn = X509_get_subject_name( cert ); ++ if ( xn ) ++ xn = X509_NAME_dup( xn ); ++ if ( xn ) ++ sk_X509_NAME_push( ca_list, xn ); ++ } ++ } ++ break; ++ default: ++ /* ignore other types */ ++ break; ++ } ++ OSSL_STORE_INFO_free( info ); ++ } ++ if (!OSSL_STORE_eof(sctx) && OSSL_STORE_error(sctx)) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not load from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close( sctx ); ++ return -1; ++ } ++ OSSL_STORE_close( sctx ); ++ } ++#else ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: cacerturis are not supported.\n" ); ++ strncpy( errmsg, "TLS: cacerturis are not supported", ERRBUFSIZE ); ++ return -1; ++#endif ++ } ++ + if ( is_server ) { +- STACK_OF(X509_NAME) *calist; ++ STACK_OF(X509_NAME) *ca_list = SSL_CTX_get_client_CA_list( ctx ); ++ + /* List of CA names to send to a client */ +- calist = tlso_ca_list( lt->lt_cacertfile, lt->lt_cacertdir, cert ); +- if ( !calist ) { +- Debug2( LDAP_DEBUG_ANY, "TLS: " +- "could not load client CA list (file:`%s',dir:`%s').\n", +- lo->ldo_tls_cacertfile ? lo->ldo_tls_cacertfile : "", +- lo->ldo_tls_cacertdir ? 
lo->ldo_tls_cacertdir : "" ); ++ ca_list = tlso_ca_list( lt->lt_cacertfile, lt->lt_cacertdir, cert, ca_list ); ++ if ( !ca_list ) { + tlso_report_error( errmsg ); + return -1; + } +- +- SSL_CTX_set_client_CA_list( ctx, calist ); + } + if ( cert ) + X509_free( cert ); +@@ -636,6 +711,104 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char * + #endif /* OPENSSL_NO_EC */ + } + ++ if ( lo->ldo_tls_uris ) ++ { ++#if OPENSSL_VERSION_MAJOR >= 3 ++ int i; ++ ++ for(i=0; lo->ldo_tls_uris[i] != NULL; i++) { ++ OSSL_STORE_CTX *sctx; ++ OSSL_STORE_INFO *info; ++ ++ sctx = OSSL_STORE_open(lo->ldo_tls_uris[i], NULL, NULL, NULL, NULL); ++ if (!sctx) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not open uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ return -1; ++ } ++ ++ while ((info = OSSL_STORE_load(sctx))) { ++ switch (OSSL_STORE_INFO_get_type(info)) { ++ case OSSL_STORE_INFO_PARAMS: ++ if ( !SSL_CTX_set0_tmp_dh_pkey( ctx, ++ OSSL_STORE_INFO_get0_PARAMS(info) )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use params from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ case OSSL_STORE_INFO_PKEY: ++ if ( !SSL_CTX_use_PrivateKey( ctx, ++ OSSL_STORE_INFO_get0_PKEY(info) )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use private key from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ case OSSL_STORE_INFO_CERT: ++ X509 *cert = OSSL_STORE_INFO_get0_CERT(info); ++ int is_ca = X509_check_ca( cert ); ++ if ( !is_ca && !SSL_CTX_use_certificate( ctx, cert )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use leaf certificate from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ if ( is_ca && !SSL_CTX_add_extra_chain_cert( ctx, cert )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use 
intermediate certificate from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ case OSSL_STORE_INFO_CRL: ++ X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); ++ if ( !X509_STORE_add_crl( x509_s, ++ OSSL_STORE_INFO_get0_CRL(info) )) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not use crl from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ break; ++ default: ++ /* ignore other types */ ++ break; ++ } ++ OSSL_STORE_INFO_free(info); ++ } ++ if (!OSSL_STORE_eof(sctx) && OSSL_STORE_error(sctx)) { ++ Debug1( LDAP_DEBUG_ANY, ++ "TLS: could not load from uri `%s'.\n", ++ lo->ldo_tls_uris[i] ); ++ tlso_report_error( errmsg ); ++ OSSL_STORE_close(sctx); ++ return -1; ++ } ++ OSSL_STORE_close(sctx); ++ } ++#else ++ Debug0( LDAP_DEBUG_ANY, ++ "TLS: uris are not supported.\n" ); ++ strncpy( errmsg, "TLS: uris are not supported", ERRBUFSIZE ); ++ return -1; ++#endif ++ } ++ + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); + } +-- +GitLab + diff --git a/deps-packaging/openldap/mingw/debian/rules b/deps-packaging/openldap/mingw/debian/rules index 61ce10e5a..cb7fa5029 100755 --- a/deps-packaging/openldap/mingw/debian/rules +++ b/deps-packaging/openldap/mingw/debian/rules @@ -15,6 +15,11 @@ build-stamp: patch -p0 < mingw_build_fixes.patch ln -s $(PREFIX)/bin/libgnurx-0.dll . + patch -p1 < f3b49ffa10d93e841d00f05d9f56b88078acf235.patch + patch -p1 < a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch + patch -p1 < 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch + patch -p1 < a704373426e37fd7f4e4beb3be451b5555799517.patch + # Configure is unable to test memcmp for cross-compilation # getaddrinfo/getnameinfo are broken in MinGW as well as socklen in2.4.36 work around it ac_cv_type_socklen_t=yes \ 
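Review bot: The vendored OpenLDAP TLS-URI patch that the new `patch -p1` lines apply (the one carried earlier in this commit; its hunk starts before this chunk) frees objects the SSL_CTX keeps a pointer to: in the `OSSL_STORE_INFO_PARAMS` case `SSL_CTX_set0_tmp_dh_pkey()` takes ownership of the key returned by `OSSL_STORE_INFO_get0_PARAMS()`, and in the CA branch `SSL_CTX_add_extra_chain_cert()` does not take its own reference on the `OSSL_STORE_INFO_get0_CERT()` result, yet `OSSL_STORE_INFO_free(info)` then releases both. If those OpenSSL ownership rules hold for the 4.0.0 build this commit moves to, a `ldo_tls_uris` entry carrying DH parameters or an intermediate certificate leaves dangling pointers in the context (double free on context teardown or use-after-free on the next handshake); the `get1_` accessors, or an `EVP_PKEY_up_ref()`/`X509_up_ref()` before handing the object over, would close that. In the same patch, the `ldo_tls_cacerturis` loop reports a store load error with `lo->ldo_tls_uris[i]` where `lo->ldo_tls_cacerturis[i]` is meant, which dereferences a NULL array when only CA URIs are configured. Because the four files are named after upstream commit ids, these corrections are better carried as a separate local patch than edited into them; the same list is applied in deps-packaging/openldap/solaris/build.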
diff --git a/deps-packaging/openldap/solaris/build b/deps-packaging/openldap/solaris/build index 8803da231..0f82ce79f 100755 --- a/deps-packaging/openldap/solaris/build +++ b/deps-packaging/openldap/solaris/build @@ -8,6 +8,10 @@ OL=${BUILD_ROOT}/cfbuild-openldap${PREFIX} OLD=${BUILD_ROOT}/cfbuild-openldap-devel${PREFIX} # Patch +$PATCH -p1 < f3b49ffa10d93e841d00f05d9f56b88078acf235.patch +$PATCH -p1 < a599597cb3cb6d36f888bffcbd0b010a644b92c5.patch +$PATCH -p1 < 75b624f47574dffb1f5041625cf9d6218dbcb07d.patch +$PATCH -p1 < a704373426e37fd7f4e4beb3be451b5555799517.patch # Configure diff --git a/deps-packaging/openssl/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch b/deps-packaging/openssl/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch deleted file mode 100644 index 18a8f94a7..000000000 --- a/deps-packaging/openssl/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch +++ /dev/null 
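Review bot: The four new `$PATCH -p1 <` lines carry no exit-status check, and this chunk does not show whether the build script runs under `set -e`; if it does not, a patch that stops applying cleanly (for instance after the next OpenLDAP version bump) is only logged, and the resulting libraries silently lack the TLS CA-list changes these patches carry. Guarding each line, e.g. `$PATCH -p1 < f3b49ffa10d93e841d00f05d9f56b88078acf235.patch || exit 1`, makes a rejected hunk fail the build instead. `${PATCH:?}` on the first use would likewise turn an unset `$PATCH` into an explicit error rather than a "-p1: command not found".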
@@ -1,42 +0,0 @@ -From 40d8060c0e8af7c7d3f0d70a7e2d3bf96a15fc10 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Alexander=20Hansen=20F=C3=A6r=C3=B8y?= -Date: Wed, 28 Jan 2026 17:55:02 +0100 -Subject: [PATCH 001/670] Explicitly define `SIO_UDP_NETRESET` for MinGW - builds. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch explicitly defines the value `SIO_UDP_NETRESET` according to -both what Windows and ReactOS does. - -Fixes: #29818. - -Reviewed-by: Eugene Syromiatnikov -Reviewed-by: Saša Nedvědický -MergeDate: Thu Feb 5 08:54:17 2026 -(Merged from https://github.com/openssl/openssl/pull/29826) ---- - ssl/quic/quic_reactor.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ssl/quic/quic_reactor.c b/ssl/quic/quic_reactor.c -index a754f28..deec428 100644 ---- a/ssl/quic/quic_reactor.c -+++ b/ssl/quic/quic_reactor.c -@@ -76,6 +76,12 @@ void ossl_quic_reactor_cleanup(QUIC_REACTOR *rtor) - } - - #if defined(OPENSSL_SYS_WINDOWS) -+ -+/* Work around for MinGW builds. */ -+#if defined(__MINGW32__) && !defined(SIO_UDP_NETRESET) -+#define SIO_UDP_NETRESET _WSAIOW(IOC_VENDOR, 15) -+#endif -+ - /* - * On Windows recvfrom() may return WSAECONNRESET when destination port - * used in preceding call to sendto() is no longer reachable. The reset --- -2.52.0 - diff --git a/deps-packaging/openssl/cfbuild-openssl.spec b/deps-packaging/openssl/cfbuild-openssl.spec index 6efacc0c9..1be73b2f9 100644 --- a/deps-packaging/openssl/cfbuild-openssl.spec +++ b/deps-packaging/openssl/cfbuild-openssl.spec @@ -1,4 +1,4 @@ -%define openssl_version 3.6.1 +%define openssl_version 4.0.0 Summary: CFEngine Build Automation -- openssl Name: cfbuild-openssl 
@@ -59,6 +59,11 @@ then then HACK_FLAGS=-D_GNU_SOURCE # CentOS 4 issue fi + if [ "$OS_VERSION_MAJOR" = "7" ] + then + # apparently our build doesn't quite work with devtoolset on centos so give it a hint where to find libraries with -L/opt/rh/devtoolset-11/root/usr/lib64 + HACK_FLAGS="-L/opt/rh/devtoolset-11/root/usr/lib64" + fi fi if [ x$SYS = "xAIX" ]; then @@ -163,8 +168,8 @@ CFEngine Build Automation -- openssl -- development files %{prefix}/bin/openssl %dir %{prefix}/lib -%{prefix}/lib/libssl.so.3 -%{prefix}/lib/libcrypto.so.3 +%{prefix}/lib/libssl.so.4 +%{prefix}/lib/libcrypto.so.4 %{prefix}/ssl/openssl.cnf %{prefix}/ssl/ct_log_list.cnf %{prefix}/ssl/ct_log_list.cnf.dist diff --git a/deps-packaging/openssl/distfiles b/deps-packaging/openssl/distfiles index 51bfdf889..460505ce9 100644 --- a/deps-packaging/openssl/distfiles +++ b/deps-packaging/openssl/distfiles @@ -1 +1 @@ -b1bfedcd5b289ff22aee87c9d600f515767ebf45f77168cb6d64f231f518a82e openssl-3.6.1.tar.gz +c32cf49a959c4f345f9606982dd36e7d28f7c58b19c2e25d75624d2b3d2f79ac openssl-4.0.0.tar.gz diff --git a/deps-packaging/openssl/mingw/debian/rules b/deps-packaging/openssl/mingw/debian/rules index 66e49dc93..6c3b901fe 100755 --- a/deps-packaging/openssl/mingw/debian/rules +++ b/deps-packaging/openssl/mingw/debian/rules @@ -22,7 +22,6 @@ endif build: build-stamp build-stamp: dh_testdir - patch -p1 < $(CURDIR)/0001-Explicitly-define-SIO_UDP_NETRESET-for-MinGW-builds.patch # Removed "no-psk" from the options, mingw builds breaks with it CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- ./Configure \ diff --git a/deps-packaging/openssl/source b/deps-packaging/openssl/source index eab874077..0c863cbb7 100644 --- a/deps-packaging/openssl/source +++ b/deps-packaging/openssl/source @@ -1 +1 @@ -https://github.com/openssl/openssl/releases/download/openssl-3.6.1/ +https://github.com/openssl/openssl/releases/download/openssl-4.0.0/ 
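Review bot: `HACK_FLAGS="-L/opt/rh/devtoolset-11/root/usr/lib64"` replaces the variable rather than extending it, and the comment ("apparently our build doesn't quite work") does not record which link failure the flag works around, so nobody can later tell when it may be dropped. Appending, `HACK_FLAGS="${HACK_FLAGS:+$HACK_FLAGS }-L/opt/rh/devtoolset-11/root/usr/lib64"`, keeps any earlier flags, and the comment should name the failing step or the missing library. Putting an SCL library directory on OpenSSL's link path also means libcrypto/libssl may resolve a shared library from the devtoolset tree that is absent on target hosts; the enclosing `if` starts before this hunk, and checking the built libraries with `ldd` that only system and bundled paths appear would confirm the hint is harmless.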
diff --git a/deps-packaging/php/cfbuild-php.spec b/deps-packaging/php/cfbuild-php.spec index f9e4806ad..3dba916b2 100644 --- a/deps-packaging/php/cfbuild-php.spec +++ b/deps-packaging/php/cfbuild-php.spec @@ -1,4 +1,4 @@ -%define php_version 8.5.4 +%define php_version 8.5.6 Summary: CFEngine Build Automation -- php Name: cfbuild-php diff --git a/deps-packaging/php/distfiles b/deps-packaging/php/distfiles index 162142d29..718f64fcb 100644 --- a/deps-packaging/php/distfiles +++ b/deps-packaging/php/distfiles @@ -1 +1 @@ -4fef7f44eff3c18e329504cb0d3eb30b41cf54e2db05cb4ebe8b78fc37d38ce1 php-8.5.4.tar.gz +169aaa21c2834b38df8e39169f43bc5bea8d4059a816cfbc59be08fc2bae60cd php-8.5.6.tar.gz diff --git a/deps-packaging/rsync/cfbuild-rsync.spec b/deps-packaging/rsync/cfbuild-rsync.spec index 2f8b8fa24..9bd68eaaa 100644 --- a/deps-packaging/rsync/cfbuild-rsync.spec +++ b/deps-packaging/rsync/cfbuild-rsync.spec @@ -1,4 +1,4 @@ -%define rsync_version 3.4.1 +%define rsync_version 3.4.2 Summary: CFEngine Build Automation -- rsync Name: cfbuild-rsync diff --git a/deps-packaging/rsync/distfiles b/deps-packaging/rsync/distfiles index 1c230fdb8..ffbf276fc 100644 --- a/deps-packaging/rsync/distfiles +++ b/deps-packaging/rsync/distfiles @@ -1 +1 @@ -2924bcb3a1ed8b551fc101f740b9f0fe0a202b115027647cf69850d65fd88c52 rsync-3.4.1.tar.gz +ff10aa2c151cd4b2dbbe6135126dbc854046113d2dfb49572a348233267eb315 rsync-3.4.2.tar.gz diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in index 26d966570..5ea72b9aa 100644 --- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in +++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in 
@@ -31,23 +31,6 @@ Requires(post): /usr/sbin/usermod, /bin/sed Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# we don't bundle OpenSSL on RHEL 8 (and newer in the future) -%if %{?rhel}%{!?rhel:0} == 8 -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -Requires: openssl -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: openssl -%endif - # cfbs/Build requires Python 3.5+ (not available on RHEL 6) %if %{?rhel}%{!?rhel:0} == 7 Requires: python3 >= 3.5 @@ -106,10 +89,6 @@ rm -f %{prefix}/ssl/misc/tsget rm -f %{prefix}/ssl/openssl.cnf.dist rm -f %{prefix}/ssl/misc/tsget.pl -# Add an openssl symlink if openssl binary doesn't exist -if ! [ -f $RPM_BUILD_ROOT%{prefix}/bin/openssl ]; then - ln -s `which openssl` $RPM_BUILD_ROOT%{prefix}/bin/openssl -fi # Hub does not need cf-upgrade, it is only present in host packages rm -f $RPM_BUILD_ROOT%{prefix}/bin/cf-upgrade 
@@ -253,16 +232,10 @@ exit 0 # init.d script enterprise part %{prefix}/bin/cfengine3-nova-hub-init-d.sh -# OpenSSL tools (we don't bundle OpenSSL on RHEL 8) -# Note that prefix/bin/openssl is outside of `if`, since -# on RHEL8 it's a symlink to a system-wide openssl binary -%{prefix}/bin/openssl -%if %{?rhel}%{!?rhel:0} <= 7 %dir %{prefix}/ssl %{prefix}/ssl/openssl.cnf %{prefix}/ssl/ct_log_list.cnf %{prefix}/ssl/ct_log_list.cnf.dist -%endif %prefix/bin/git %prefix/bin/gitk diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in index afe2d65f4..81b018910 100644 --- a/packaging/cfengine-nova/cfengine-nova.spec.in +++ b/packaging/cfengine-nova/cfengine-nova.spec.in @@ -23,21 +23,6 @@ Recommends: gzip Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ %endif -# We don't bundle OpenSSL on RHEL >= 8 and SuSE >= 15 -%if 0%{?SYSTEM_SSL} -Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit) -Requires: libcrypto.so.1.1()(64bit) libcrypto.so.1.1(OPENSSL_1_1_0)(64bit) -%endif - -# We build against systems with the latest available dependencies such as OpenSSL. -# We use rpm -q --provides to determine the highest API present in OpenSSL and then use that as a Requires. -# OPENSSL_VERSION is determined in build-scripts/package script. -# This should ensure that when packages are installed with yum/dnf any required OpenSSL package upgrades will be performed or the installation will fail. -%if %{?rhel}%{!?rhel:0} > 8 -Requires: libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -Requires: libssl.so.3()(64bit) libssl.so.3(OPENSSL_@@OPENSSL_VERSION@@)(64bit) -%endif - AutoReqProv: no %if %{?with_debugsym}%{!?with_debugsym:0}