slapd reports wrong ssf using gnutls

The BSD licence is compatible with the GPL by any serious interpretation that I've ever heard (including the FSF's), provided that the advertising clause is not present. Most modern BSD code does not include the advertising clause and can legitimately be linked with GPL code.

If you know of instances where we are distributing GPL code linked with other code under an incompatible licence, please tell us. I don't believe that we are any less strict about this than Debian, and it would be rather foolish for us to be so since we're a bigger target for lawsuits.

This has been reported upstream: http://www.openldap.org/its/index.cgi/?findid=5585

And upstream commited a patch:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls.c.diff?r1=1.160&r2=1.161&hideattic=1&sortbydate=0

This bug was fixed in the package openldap2.3 - 2.4.10-1ubuntu1

---------------
openldap2.3 (2.4.10-1ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
    - debian/apparmor-profile: add AppArmor profile
    - debian/slapd.postinst: Reload AA profile on configuration
    - updated debian/slapd.README.Debian for note on AppArmor
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6
    - debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4
      to make sure that if earlier version of apparmour-profiles gets
      installed it won't overwrite our profile.
    - Modify Maintainer value to match the DebianMaintainerField
      speficication.
    - follow ApparmorProfileMigration and force apparmor compalin mode on
      some upgrades (LP: #203529)
    - debian/slapd.dirs: add etc/apparmor.d/force-complain
    - debian/slapd.preinst: create symlink for force-complain on pre-feisty
      upgrades, upgrades where apparmor-profiles profile is unchanged (ie
      non-enforcing) and upgrades where apparmor profile does not exist.
    - debian/slapd.postrm: remove symlink in force-complain/ on purge
    - debian/patches/fix-ucred-libc due to changes how newer glibc handle
      the ucred struct now.
    - debian/patches/fix-unique-overlay-assertion.patch:
      Fix another assertion error in unique overlay (LP: #243337).
      Backport from head.
  * debian/control:
    - add time as build dependency: needed by make test.
  * debian/rules:
    - support debuild nocheck option: don't run tests if nocheck is set.
  * debian/patches/fix-gnutls-key-strength.patch:
    - fix slapd handling of ssf using gnutls. (LP: #244925).
  * Dropped - accepted in Debian:
    - debian/rules, debian/slapd.links: use hard links to slapd instead of
      symlinks for slap* so these applications aren't confined by apparmor
      (LP: #203898)
  * Dropped - fixed in new upstream release:
    - debian/patches/fix-assertion-io.patch: Fixes ber_flush2 assertion.
      (LP: #215904)
    - debian/patches/fix-dnpretty-assertion.patch: Fix dnPrettyNormal assertion
      error. (LP: #234196)
    - dropped debian/patches/fix-notify-crasher.patch: Fix modify timestamp crashes.
      (LP: #220724)
    - debian/patches/fix-syncrepl-oops: Fixes segmentation fault when using
      syncrepl. (LP: #227178)
    - dropped debian/patches/SECURITY_CVE-2008-0658.patch. Already applied
      upstream.

openldap2.3 (2.4.10-1) unstable; urgency=low

  [ Steve Langasek ]
  * New upstream release.
    - Clean up ld_defconn if it was freed, fixing an assertion failure in
      various clients. Closes: #469232.
    - Fixes slapd syncrepl hang on back-config. Closes: #471253.
    - Drop patch hurd-path-max, integrated upstream.
  * Drop spurious build-dependency on heimdal-dev, introduced accidentally
    as part of an aborted attempt to build the smbk5pwd overlay.
  * Use hardlinks instead of symlinks for the various slap* commands; this
    is functionally equivalent for us, and reduces divergence from
    derivatives such as Ubuntu that use apparmor. Closes: #488409.
  * New patch, no_backend_inter-linking, to fix the meta backend to not
  ...

The SSF reported when using startTLS is incorrect. This is because GnuTLS reports the strength in bytes,
while the OpenLDAP code expects the strength in bits. Code needs to be updated
to adjust the SSF value when linked against GnuTLS to our expected result.

The attached patch fixes this issue.

1. Install openldap2.3
2. Enable TLS

If you have any questions please let me know.

Regards
chuck

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Any testers?

I can confirm it is fixed in Intrepid. My Hardy box has a custom build in production so that may be a ways before testing can be done.

Chuck (or Pat): can you put together a simple test case description? I've been trying to modify the security team's openldap test script (at http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/annotate/267?file_id=testopenldap.py-20071127215143-r2h2d557ttml1mia-1), but my knowledge of openldap configuration is limited.

Thanks.

For me installing slapd from hardy-proposed fixed the problem.

same problem on intepid

slapd_2.4.11-0ubuntu6.1_amd64.deb

This bug was fixed in the package openldap2.3 - 2.4.9-0ubuntu0.8.04.2

---------------
openldap2.3 (2.4.9-0ubuntu0.8.04.2) hardy-proposed; urgency=low

  [Chuck Short]
  * debian/patches/fix-gnutls-key-strength.patch: fixes ssf matching key
    strength with gnutls 2.3. (LP: #244925)

  [Jamie Strandboge]
  * adjust apparmor profile to allow gssapi (LP: #229252)
  * adjust apparmor profile to allow cnconfig (LP: #243525)

 -- Chuck Short <email address hidden> Tue, 05 Aug 2008 14:37:01 +0000