/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 1998-2003 The OpenLDAP Foundation.
+ * Copyright 1998-2005 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
{
static int tls_initialized = 0;
- if ( tls_initialized ) return 0;
- tls_initialized = 1;
+ if ( tls_initialized++ ) return 0;
#ifdef HAVE_EBCDIC
{
if ((err = ERR_peek_error())) {
char buf[256];
+
+ if (ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
#ifdef HAVE_EBCDIC
if ( ld->ld_error ) __etoa(ld->ld_error);
}
int
-ldap_pvt_tls_get_peer_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func, unsigned flags )
+ldap_pvt_tls_get_peer_dn( void *s, struct berval *dn,
+ LDAPDN_rewrite_dummy *func, unsigned flags )
{
X509 *x;
X509_NAME *xn;
} else
#endif
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
- if (inet_aton(name, (struct in_addr *)&addr))
- ntype = IS_IP4;
+ if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
sn = (char *) ASN1_STRING_data(gn->d.ia5);
sl = ASN1_STRING_length(gn->d.ia5);
+ /* ignore empty */
+ if (sl == 0) continue;
+
/* Is this an exact match? */
if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
break;
}
/* Is this a wildcard match? */
- if ((*sn == '*') && domain && (len2 == sl-1) &&
- !strncasecmp(domain, sn+1, len2)) {
+ if (domain && (sn[0] == '*') && (sn[1] == '.') &&
+ (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
+ {
break;
}
-#if 0
- /* Is this a RFC 2459 style wildcard match? */
- if ((*sn == '.') && domain && (len2 == sl) &&
- !strncasecmp(domain, sn, len2)) {
- break;
- }
-#endif
} else if (gn->type == GEN_IPADD) {
if (ntype == IS_DNS) continue;
if (ret != LDAP_SUCCESS) {
X509_NAME *xn;
char buf[2048];
+ buf[0] = '\0';
xn = X509_get_subject_name(x);
-
if( X509_NAME_get_text_by_NID( xn, NID_commonName,
buf, sizeof(buf)) == -1)
{
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
#endif
+ ret = LDAP_CONNECT_ERROR;
+ if (ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
- } else if (strcasecmp(name, buf)) {
+ } else if (strcasecmp(name, buf) == 0 ) {
+ ret = LDAP_SUCCESS;
+
+ } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
+ char *domain = strchr(name, '.');
+ if( domain ) {
+ size_t dlen = 0;
+ size_t sl;
+
+ sl = strlen(name);
+ dlen = sl - (domain-name);
+ sl = strlen(buf);
+
+ /* Is this a wildcard match? */
+ if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
+ ret = LDAP_SUCCESS;
+ }
+ }
+ }
+
+ if( ret == LDAP_LOCAL_ERROR ) {
#ifdef NEW_LOGGING
LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_check_hostname: "
"TLS hostname (%s) does not match "
name, buf, 0 );
#endif
ret = LDAP_CONNECT_ERROR;
+ if (ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
-
- } else {
- ret = LDAP_SUCCESS;
}
}
X509_free(x);
case LDAP_OPT_X_TLS_CERTFILE:
case LDAP_OPT_X_TLS_KEYFILE:
case LDAP_OPT_X_TLS_RANDOM_FILE:
+ case LDAP_OPT_X_TLS_CIPHER_SUITE:
return ldap_pvt_tls_set_option( ld, option, (void *) arg );
case LDAP_OPT_X_TLS_REQUIRE_CERT:
projects / openldap / blobdiff