* [rpms/openldap] rawhide: Fix build against OpenSSL 4
@ 2026-06-12 12:55 Simon Pichugin
From: Simon Pichugin @ 2026-06-12 12:55 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/openldap
            Branch : rawhide
            Commit : a60cf65fd1e8d4835eeeb682638e3269d1b37a2e
            Author : Simon Pichugin <spichugi@redhat.com>
            Date   : 2026-05-06T20:14:43-07:00
            Stats  : +165/-1 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/openldap/c/a60cf65fd1e8d4835eeeb682638e3269d1b37a2e?branch=rawhide

            Log:
            Fix build against OpenSSL 4

Bump version 2.6.13-2

---
diff --git a/openldap-ITS-10498-libldap-fix-for-OpenSSL-4-compatibility.patch b/openldap-ITS-10498-libldap-fix-for-OpenSSL-4-compatibility.patch
new file mode 100644
index 0000000..64ba5ee
--- /dev/null
+++ b/openldap-ITS-10498-libldap-fix-for-OpenSSL-4-compatibility.patch
@@ -0,0 +1,158 @@
+From 8db14ac862bd9730851a280007a899c113b7958d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 28 Apr 2026 16:49:32 +0100
+Subject: [PATCH] ITS#10498 libldap: fix for OpenSSL 4 compatibility
+
+---
+ libraries/libldap/tls_o.c       | 53 ++++++++++++++++++---------------
+ servers/slapd/overlays/autoca.c |  7 ++++-
+ 2 files changed, 35 insertions(+), 25 deletions(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index cad42f8333..8d247e12c1 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -194,8 +194,8 @@ tlso_ca_list( char * bundle, char * dir, X509 *cert )
+ 		ldap_charray_free( dirs );
+ 	}
+ 	if ( cert ) {
+-		X509_NAME *xn = X509_get_subject_name( cert );
+-		xn = X509_NAME_dup( xn );
++		const X509_NAME *cxn = X509_get_subject_name( cert );
++		X509_NAME *xn = X509_NAME_dup( cxn );
+ 		if ( !ca_list )
+ 			ca_list = sk_X509_NAME_new_null();
+ 		if ( xn && ca_list )
+@@ -751,7 +751,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
+ {
+ 	tlso_session *s = (tlso_session *)sess;
+ 	X509 *x;
+-	X509_NAME *xn;
++	const X509_NAME *xn;
+ 
+ 	x = SSL_get_certificate( s );
+ 
+@@ -788,7 +788,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
+ {
+ 	tlso_session *s = (tlso_session *)sess;
+ 	X509 *x = tlso_get_cert( s );
+-	X509_NAME *xn;
++	const X509_NAME *xn;
+ 
+ 	if ( !x )
+ 		return LDAP_INVALID_CREDENTIALS;
+@@ -864,7 +864,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ 		X509_EXTENSION *ex;
+ 		STACK_OF(GENERAL_NAME) *alt;
+ 
+-		ex = X509_get_ext(x, i);
++		ex = (X509_EXTENSION *)X509_get_ext(x, i);
+ 		alt = X509V3_EXT_d2i(ex);
+ 		if (alt) {
+ 			int n, len2 = 0;
+@@ -967,10 +967,12 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ 	}
+ 
+ 	if (ret != LDAP_SUCCESS) {
+-		X509_NAME *xn;
+-		X509_NAME_ENTRY *ne;
++		const X509_NAME *xn;
++		const X509_NAME_ENTRY *ne;
+ 		ASN1_OBJECT *obj;
+-		ASN1_STRING *cn = NULL;
++		const ASN1_STRING *cn = NULL;
++		char *cnstr;
++		int cnlen;
+ 		int navas;
+ 
+ 		/* find the last CN */
+@@ -998,22 +1000,25 @@ no_cn:
+ 			}
+ 			ld->ld_error = LDAP_STRDUP(
+ 				_("TLS: unable to get CN from peer certificate"));
++		} else {
++			cnlen = ASN1_STRING_length( cn );
++			cnstr = (char *)ASN1_STRING_get0_data( cn );
++			if ( cnlen == nlen &&
++				strncasecmp( name, (char *) cnstr, nlen ) == 0 ) {
++				ret = LDAP_SUCCESS;
+ 
+-		} else if ( cn->length == nlen &&
+-			strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+-			ret = LDAP_SUCCESS;
+-
+-		} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
+-			char *domain = strchr(name, '.');
+-			if( domain ) {
+-				int dlen;
++			} else if (( cnstr[0] == '*' ) && ( cnstr[1] == '.' )) {
++				char *domain = strchr(name, '.');
++				if( domain ) {
++					int dlen;
+ 
+-				dlen = nlen - (domain-name);
++					dlen = nlen - (domain-name);
+ 
+-				/* Is this a wildcard match? */
+-				if ((dlen == cn->length-1) &&
+-					!strncasecmp(domain, (char *) &cn->data[1], dlen)) {
+-					ret = LDAP_SUCCESS;
++					/* Is this a wildcard match? */
++					if ((dlen == cnlen-1) &&
++						!strncasecmp(domain, cnstr+1, dlen)) {
++						ret = LDAP_SUCCESS;
++					}
+ 				}
+ 			}
+ 		}
+@@ -1021,7 +1026,7 @@ no_cn:
+ 		if( ret == LDAP_LOCAL_ERROR ) {
+ 			Debug3( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ 				"common name in certificate (%.*s).\n", 
+-				name, cn->length, cn->data );
++				name, cnlen, cnstr );
+ 			ret = LDAP_CONNECT_ERROR;
+ 			if ( ld->ld_error ) {
+ 				LDAP_FREE( ld->ld_error );
+@@ -1561,8 +1566,8 @@ tlso_verify_cb( int ok, X509_STORE_CTX *ctx )
+ 	X509 *cert;
+ 	int errnum;
+ 	int errdepth;
+-	X509_NAME *subject;
+-	X509_NAME *issuer;
++	const X509_NAME *subject;
++	const X509_NAME *issuer;
+ 	char *sname;
+ 	char *iname;
+ 	char *certerr = NULL;
+diff --git a/servers/slapd/overlays/autoca.c b/servers/slapd/overlays/autoca.c
+index 43761655d2..da978c3233 100644
+--- a/servers/slapd/overlays/autoca.c
++++ b/servers/slapd/overlays/autoca.c
+@@ -44,9 +44,13 @@
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000
+ #include <openssl/rsa.h>
++#ifndef X509_get_notBefore
+ #define X509_get_notBefore(x)	X509_getm_notBefore(x)
++#endif
++#ifndef X509_get_notAfter
+ #define X509_get_notAfter(x)	X509_getm_notAfter(x)
+ #endif
++#endif
+ 
+ #if OPENSSL_VERSION_MAJOR >= 3
+ #define BN_pseudo_rand(bn, bits, top, bottom)	BN_rand(bn, bits, top, bottom)
+@@ -272,7 +276,8 @@ typedef struct genargs {
+ 
+ static int autoca_gencert( Operation *op, genargs *args )
+ {
+-	X509_NAME *subj_name, *issuer_name;
++	X509_NAME *subj_name;
++	const X509_NAME *issuer_name;
+ 	X509 *subj_cert;
+ 	struct berval derdn;
+ 	unsigned char *pp;
+-- 
+2.52.0
+
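Review bot: In the patched tlso_session_chkhost, the wildcard test `cnstr[0] == '*' && cnstr[1] == '.'` reads two bytes of the peer-supplied CN without consulting `cnlen`, so an empty or one-byte CN is only safe if ASN1_STRING_get0_data() returns a non-NULL, NUL-terminated buffer, which nothing in the visible lines establishes. Because this is the hostname-verification path, I would make the bound explicit with `} else if ( cnlen >= 2 && cnstr[0] == '*' && cnstr[1] == '.' ) {`. Separately, `cnlen` and `cnstr` are declared without initialisers yet are read by the later `Debug3` call under `ret == LDAP_LOCAL_ERROR`. That read looks unreachable when `cn` is NULL, but the function continues outside these hunks, so `const char *cnstr = NULL; int cnlen = 0;` would be the safer declaration and would also keep the const qualifier instead of casting it away.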

diff --git a/openldap.spec b/openldap.spec
index 671522e..4753b2f 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -20,7 +20,7 @@
 
 Name: openldap
 Version: 2.6.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: LDAP support libraries
 License: OLDAP-2.8
 URL: http://www.openldap.org/
@@ -54,6 +54,7 @@ Patch7: openldap-openssl-manpage-defaultCA.patch
 Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
 Patch9: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
 Patch10: openldap-ITS-10297-Defer-hostname-resolution-til-first-use.patch
+Patch11: openldap-ITS-10498-libldap-fix-for-OpenSSL-4-compatibility.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
@@ -178,6 +179,7 @@ pushd openldap-%{version}
 %patch -P8 -p1
 %patch -P9 -p1
 %patch -P10 -p1
+%patch -P11 -p1
 
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -565,6 +567,10 @@ exit 0
 %endif
 
 %changelog
+* Thu May 07 2026 Simon Pichugin <spichugi@redhat.com> - 2.6.13-2
+- Fix build against OpenSSL 4
+- Bump version 2.6.13-2
+
 * Thu Mar 12 2026 Simon Pichugin <spichugi@redhat.com> - 2.6.13-1
 - Rebase to version 2.6.13 (rhbz#2445848)
 
