More cleanup in ldap_pvt_tls_destroy()

[openldap] / libraries / libldap / tls.c

diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 4cfd6a93dd77d0516f3ae162a924599e9ed3de4e..3c409404db004c0f0317faee1b5032c967bf7bca 100644 (file)
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -1,6 +1,6 @@
 /* $OpenLDAP$ */
 /*
- * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
+ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
  * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
  *
  * tls.c - Handle tls/ssl using SSLeay or OpenSSL.
@@ -31,6 +31,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/safestack.h>
 #elif defined( HAVE_SSL_H )
 #include <ssl.h>
 #endif
@@ -45,7 +46,7 @@ static char *tls_opt_ciphersuite = NULL;
 static char *tls_opt_randfile = NULL;
 
 #define HAS_TLS( sb )  ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \
-                               (void *)&ldap_pvt_sockbuf_io_tls )
+                               (void *)&sb_tls_sbio )
 
 static void tls_report_error( void );
 
@@ -97,6 +98,44 @@ static void tls_init_threads( void )
 }
 #endif /* LDAP_R_COMPILE */
 
+/*
+ * Tear down the TLS subsystem. Should only be called once.
+ */
+void
+ldap_pvt_tls_destroy( void )
+{
+       SSL_CTX_free(tls_def_ctx);
+       tls_def_ctx = NULL;
+
+       EVP_cleanup();
+       ERR_free_strings();
+
+       if ( tls_opt_certfile ) {
+               LDAP_FREE( tls_opt_certfile );
+               tls_opt_certfile = NULL;
+       }
+       if ( tls_opt_keyfile ) {
+               LDAP_FREE( tls_opt_keyfile );
+               tls_opt_keyfile = NULL;
+       }
+       if ( tls_opt_cacertfile ) {
+               LDAP_FREE( tls_opt_cacertfile );
+               tls_opt_cacertfile = NULL;
+       }
+       if ( tls_opt_cacertdir ) {
+               LDAP_FREE( tls_opt_cacertdir );
+               tls_opt_cacertdir = NULL;
+       }
+       if ( tls_opt_ciphersuite ) {
+               LDAP_FREE( tls_opt_ciphersuite );
+               tls_opt_ciphersuite = NULL;
+       }
+       if ( tls_opt_randfile ) {
+               LDAP_FREE( tls_opt_randfile );
+               tls_opt_randfile = NULL;
+       }
+}
+
 /*
  * Initialize TLS subsystem. Should be called only once.
  */
@@ -301,7 +340,7 @@ struct tls_data {
        Sockbuf_IO_Desc         *sbiod;
 };
 
-extern BIO_METHOD ldap_pvt_sb_bio_method;
+static BIO_METHOD sb_tls_bio_method;
 
 static int
 sb_tls_setup( Sockbuf_IO_Desc *sbiod, void *arg )
@@ -317,7 +356,7 @@ sb_tls_setup( Sockbuf_IO_Desc *sbiod, void *arg )
        
        p->ssl = (SSL *)arg;
        p->sbiod = sbiod;
-       bio = BIO_new( &ldap_pvt_sb_bio_method );
+       bio = BIO_new( &sb_tls_bio_method );
        bio->ptr = (void *)p;
        SSL_set_bio( p->ssl, bio, bio );
        sbiod->sbiod_pvt = p;
@@ -431,7 +470,7 @@ sb_tls_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
        return ret;
 }
 
-Sockbuf_IO ldap_pvt_sockbuf_io_tls =
+static Sockbuf_IO sb_tls_sbio =
 {
        sb_tls_setup,           /* sbi_setup */
        sb_tls_remove,          /* sbi_remove */
@@ -530,7 +569,7 @@ sb_tls_bio_puts( BIO *b, const char *str )
        return sb_tls_bio_write( b, str, strlen( str ) );
 }
        
-BIO_METHOD ldap_pvt_sb_bio_method =
+static BIO_METHOD sb_tls_bio_method =
 {
        ( 100 | 0x400 ),                /* it's a source/sink BIO */
        "sockbuf glue",
@@ -578,7 +617,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
                ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
                        LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
 #endif
-               ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls,
+               ber_sockbuf_add_io( sb, &sb_tls_sbio,
                        LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
 
                if( ctx == NULL ) {
@@ -600,7 +639,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
                        ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
                }
                Debug( LDAP_DEBUG_ANY,"TLS: can't connect.\n",0,0,0);
-               ber_sockbuf_remove_io( sb, &ldap_pvt_sockbuf_io_tls,
+               ber_sockbuf_remove_io( sb, &sb_tls_sbio,
                        LBER_SBIOD_LEVEL_TRANSPORT );
 #ifdef LDAP_DEBUG
                ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
@@ -632,7 +671,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
                ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
                        LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
 #endif
-               ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls,
+               ber_sockbuf_add_io( sb, &sb_tls_sbio,
                        LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
        }
 
@@ -646,7 +685,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
                        return 1;
                Debug( LDAP_DEBUG_ANY,"TLS: can't accept.\n",0,0,0 );
                tls_report_error();
-               ber_sockbuf_remove_io( sb, &ldap_pvt_sockbuf_io_tls,
+               ber_sockbuf_remove_io( sb, &sb_tls_sbio,
                        LBER_SBIOD_LEVEL_TRANSPORT );
 #ifdef LDAP_DEBUG
                ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
@@ -754,10 +793,19 @@ ldap_pvt_tls_get_peer_hostname( void *s )
 }
 
 int
-ldap_pvt_tls_check_hostname( void *s, char *name )
+ldap_pvt_tls_check_hostname( void *s, const char *name_in )
 {
     int i, ret = LDAP_LOCAL_ERROR;
     X509 *x;
+       const char *name;
+
+       if( ldap_int_hostname &&
+               ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
+       {
+               name = ldap_int_hostname;
+       } else {
+               name = name_in;
+       }
 
     x = SSL_get_peer_certificate((SSL *)s);
     if (!x)
@@ -956,7 +1004,8 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
                *(int *)arg = tls_opt_require_cert;
                break;
        case LDAP_OPT_X_TLS_RANDOM_FILE:
-               *(char **)arg = tls_opt_randfile;
+               *(char **)arg = tls_opt_randfile ?
+                       LDAP_STRDUP( tls_opt_randfile ) : NULL;
                break;
        default:
                return -1;
@@ -1064,7 +1113,9 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
        }
 
        /* avoid NULL host */
-       if( host == NULL ) host = "localhost";
+       if( host == NULL ) {
+               host = "localhost";
+       }
 
        (void) ldap_pvt_tls_init();
 
@@ -1283,7 +1334,7 @@ ldap_start_tls_s ( LDAP *ld,
 
        /* XXYYZ: this initiates operation only on default connection! */
 
-       if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
+       if ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
                return LDAP_LOCAL_ERROR;
        }