From caacad91d662dec7b749d13489d8792d0629e3ea Mon Sep 17 00:00:00 2001
From: roy
Date: Tue, 2 Sep 2025 13:48:13 +0800
Subject: [PATCH] Sync some patches from upstream

---
 ...-Fix-TLS-connection-timeout-handling.patch | 103 ++++++++++++++++++
 openldap.spec | 10 +-
 2 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 backport-8047-Fix-TLS-connection-timeout-handling.patch

diff --git a/backport-8047-Fix-TLS-connection-timeout-handling.patch b/backport-8047-Fix-TLS-connection-timeout-handling.patch
new file mode 100644
index 0000000..4045062
--- /dev/null
+++ b/backport-8047-Fix-TLS-connection-timeout-handling.patch
@@ -0,0 +1,103 @@ +From d143f7a2dc82fb66e7741b93a1ae9e874ce2ac46 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= +Date: Mon, 21 Oct 2024 11:50:11 +0100 +Subject: [PATCH] ITS#8047 Fix TLS connection timeout handling + +The test for async in ldap_int_tls_start was inverted, we already +support calling ldap_int_tls_connect repeatedly. And so long as +LBER_SB_OPT_NEEDS_* are managed correctly, the application should be +able to do the right thing. + +Might require a new result code rather than reporposing +LDAP_X_CONNECTING for this. +--- + libraries/libldap/ldap-int.h | 1 + + libraries/libldap/tls2.c | 18 +++++++++++++++++- + 2 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 3ef17643b1..7e754775e8 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -368,6 +368,7 @@ typedef struct ldap_conn { + #define LDAP_CONNST_NEEDSOCKET 1 + #define LDAP_CONNST_CONNECTING 2 + #define LDAP_CONNST_CONNECTED 3 ++#define LDAP_CONNST_TLS_INPROGRESS 4 + LDAPURLDesc *lconn_server; + BerElement *lconn_ber; /* ber receiving on this conn. 
*/ + +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 18950c7050..0841005a59 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -383,6 +383,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host ) + if ( lo && lo->ldo_tls_connect_cb && lo->ldo_tls_connect_cb != + ld->ld_options.ldo_tls_connect_cb ) + lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg ); ++ conn->lconn_status = LDAP_CONNST_TLS_INPROGRESS; + } + + /* pass hostname for SNI, but only if it's an actual name +@@ -441,12 +442,14 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host ) + ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug, + LBER_SBIOD_LEVEL_TRANSPORT ); + #endif ++ conn->lconn_status = LDAP_CONNST_CONNECTED; + return -1; + } + + Debug2( LDAP_DEBUG_CONNS, "TLS: session established tls_proto=%s tls_cipher=%s\n", + ldap_pvt_tls_get_version( ssl ), ldap_pvt_tls_get_cipher( ssl ) ); + ++ conn->lconn_status = LDAP_CONNST_CONNECTED; + return 0; + } + +@@ -519,8 +522,9 @@ int + ldap_tls_inplace( LDAP *ld ) + { + Sockbuf *sb = NULL; ++ LDAPConn *lc = ld->ld_defconn; + +- if ( ld->ld_defconn && ld->ld_defconn->lconn_sb ) { ++ if ( lc && lc->lconn_sb ) { + sb = ld->ld_defconn->lconn_sb; + + } else if ( ld->ld_sb ) { +@@ -530,6 +534,10 @@ ldap_tls_inplace( LDAP *ld ) + return 0; + } + ++ if ( lc && lc->lconn_status == LDAP_CONNST_TLS_INPROGRESS ) { ++ return 0; ++ } ++ + return ldap_pvt_tls_inplace( sb ); + } + +@@ -1162,6 +1170,9 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) + */ + while ( ret > 0 ) { + if ( async ) { ++ ld->ld_errno = LDAP_X_CONNECTING; ++ return (ld->ld_errno); ++ } else { + struct timeval curr_time_tv, delta_tv; + int wr=0; + +@@ -1220,6 +1231,11 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) + ret = ldap_int_tls_connect( ld, conn, host ); + } + ++ if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { ++ /* Restore original sb status */ ++ 
ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)0 ); ++ } ++ + if ( ret < 0 ) { + if ( ld->ld_errno == LDAP_SUCCESS ) + ld->ld_errno = LDAP_CONNECT_ERROR; +-- +2.20.1 + diff --git a/openldap.spec b/openldap.spec index 568b73a..3075cfa 100644 --- a/openldap.spec +++ b/openldap.spec @@ -2,7 +2,7 @@ Name: openldap Version: 2.6.5 -Release: 6 +Release: 7 Summary: LDAP support libraries License: OLDAP-2.8 URL: https://www.openldap.org/ @@ -32,6 +32,7 @@ Patch12: backport-ITS-10211-slapd-Fix-peercred-uid-and-gid-format.patch Patch13: backport-ITS-9037-mdb_page_search-fix-error-code-when-DBI-rec.patch Patch14: backport-ITS-10264-free-NoD-data-we-stored-locally.patch Patch15: backport-ITS-8047-fix-tls-connection-timeout-handling.patch +Patch16: backport-8047-Fix-TLS-connection-timeout-handling.patch BuildRequires: cyrus-sasl-devel openssl-devel krb5-devel unixODBC-devel BuildRequires: glibc-devel libtool libtool-ltdl-devel groff perl-interpreter perl-devel perl-generators perl-ExtUtils-Embed @@ -112,6 +113,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd @@ -405,6 +407,12 @@ popd %doc ltb-project-openldap-ppolicy-check-password-1.1/README.check_pwd %changelog +* Tue Sep 02 2025 Yu Peng - 2.6.5-7 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:sync some patches from upstream + * Thu Feb 13 2025 yanglu - 2.6.5-6 - Type:bugfix - ID:NA -- Gitee
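Review bot: The new side of ldap_int_tls_start now hands async callers `ld->ld_errno = LDAP_X_CONNECTING; return (ld->ld_errno);` (a handshake-in-progress code, which the nested commit message itself calls a repurposing), but the callers that must tell that apart from a real TLS failure (ldap_int_open_connection and the request path) are not touched by this backport, so confirm they are already covered — possibly by the existing Patch15, which also cites ITS#8047 under a near-identical filename — rather than treating the return as a connect error and tearing the connection down; a changelog line naming upstream commit d143f7a2 and its relation to Patch15 would make that auditable. In ldap_tls_inplace the hunk introduces `lc` but the next line still reads `sb = ld->ld_defconn->lconn_sb;`; use `sb = lc->lconn_sb;` so the alias is consistent, and note that the new LDAP_CONNST_TLS_INPROGRESS guard only applies on the ld_defconn path — the ld_sb fallback still answers from ldap_pvt_tls_inplace alone, which deserves a comment if that path can never be mid-handshake. The restore `ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)0 )` is gated on `!async && ldo_tm_net.tv_sec >= 0` while the call that put the sockbuf into non-blocking mode is outside the hunk, so verify the two conditions are identical; if they differ the sockbuf may be left non-blocking after the handshake. ldap_int_tls_connect, ldap_tls_inplace and ldap_int_tls_start all start and end outside these hunks.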