if ( tls_initialized )
return -1;
+ tls_initialized = 1;
#ifdef LDAP_R_COMPILE
tls_init_threads();
#endif
tls_report_error();
goto error_exit;
}
- if ( !SSL_CTX_load_verify_locations( tls_def_ctx,
- tls_opt_cacertfile,
- tls_opt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( tls_def_ctx ) ) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not load verify locations (file:`%s',dir:`%s').\n",
- tls_opt_cacertfile,tls_opt_cacertdir,0);
- tls_report_error();
- goto error_exit;
- }
- calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
- if ( !calist ) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: could not load client CA list (file:`%s',dir:`%s').\n",
- tls_opt_cacertfile,tls_opt_cacertdir,0);
- tls_report_error();
- goto error_exit;
+ if (tls_opt_cacertfile != NULL || tls_opt_cacertdir != NULL) {
+ if ( !SSL_CTX_load_verify_locations( tls_def_ctx,
+ tls_opt_cacertfile,
+ tls_opt_cacertdir )
+ || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
+ {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not load verify locations (file:`%s',dir:`%s').\n",
+ tls_opt_cacertfile,tls_opt_cacertdir,0);
+ tls_report_error();
+ goto error_exit;
+ }
+ calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
+ if ( !calist ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not load client CA list (file:`%s',dir:`%s').\n",
+ tls_opt_cacertfile,tls_opt_cacertdir,0);
+ tls_report_error();
+ goto error_exit;
+ }
+ SSL_CTX_set_client_CA_list( tls_def_ctx, calist );
}
- SSL_CTX_set_client_CA_list( tls_def_ctx, calist );
if ( tls_opt_keyfile &&
!SSL_CTX_use_PrivateKey_file( tls_def_ctx,
tls_opt_keyfile,
#endif
return 0;
error_exit:
+ if ( tls_def_ctx != NULL ) {
+ SSL_CTX_free( tls_def_ctx );
+ tls_def_ctx = NULL;
+ }
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
#endif
static void
update_flags( Sockbuf *sb, SSL * ssl )
{
- sb->sb_trans_needs_read = SSL_want_read(ssl) ? 1 : 0;
- sb->sb_trans_needs_write = SSL_want_write(ssl) ? 1 : 0;
+ sb->sb_trans_needs_read = (SSL_want_read(ssl) ? 1 : 0);
+ sb->sb_trans_needs_write = (SSL_want_write(ssl) ? 1 : 0);
}
/*
return 0;
}
+int
+ldap_pvt_tls_inplace ( Sockbuf *sb )
+{
+ if ( HAS_TLS( sb ) )
+ return(1);
+ return(0);
+}
+
const char *
ldap_pvt_tls_get_peer( LDAP *ld )
{
( strcasecmp( arg, "true" ) == 0 ) );
return ldap_pvt_tls_set_option( NULL, option, (void *) &i );
case LDAP_OPT_X_TLS:
+ i = -1;
if ( strcasecmp( arg, "never" ) == 0 )
- return ldap_pvt_tls_set_option( lo, option,
- LDAP_OPT_X_TLS_NEVER );
+ i = LDAP_OPT_X_TLS_NEVER ;
if ( strcasecmp( arg, "demand" ) == 0 )
- return ldap_pvt_tls_set_option( lo, option,
- LDAP_OPT_X_TLS_DEMAND );
+ i = LDAP_OPT_X_TLS_DEMAND ;
if ( strcasecmp( arg, "allow" ) == 0 )
- return ldap_pvt_tls_set_option( lo, option,
- LDAP_OPT_X_TLS_ALLOW );
+ i = LDAP_OPT_X_TLS_ALLOW ;
if ( strcasecmp( arg, "try" ) == 0 )
- return ldap_pvt_tls_set_option( lo, option,
- LDAP_OPT_X_TLS_TRY );
+ i = LDAP_OPT_X_TLS_TRY ;
if ( strcasecmp( arg, "hard" ) == 0 )
- return ldap_pvt_tls_set_option( lo, option,
- LDAP_OPT_X_TLS_HARD );
+ i = LDAP_OPT_X_TLS_HARD ;
+ if (i >= 0)
+ return ldap_pvt_tls_set_option( lo, option, &i );
return -1;
default:
return -1;
case LDAP_OPT_X_TLS_ALLOW:
case LDAP_OPT_X_TLS_TRY:
case LDAP_OPT_X_TLS_HARD:
- lo->ldo_tls_mode = *(int *)arg;
- break;
+ if (lo != NULL)
+ lo->ldo_tls_mode = *(int *)arg;
+ return 0;
default:
return -1;
}
return 0;
}
+int
+ldap_pvt_tls_start ( Sockbuf *sb, void *ctx_arg )
+{
+ /*
+ * Fortunately, the lib uses blocking io...
+ */
+ if ( ldap_pvt_tls_connect( sb, ctx_arg ) < 0 ) {
+ return LDAP_CONNECT_ERROR;
+ }
+
+ /* FIXME: hostname of server must be compared with name in
+ * certificate....
+ */
+
+ return LDAP_SUCCESS;
+}
+
+
static int
tls_setup( Sockbuf *sb, void *arg )
{
int ret = SSL_write( (SSL *)sb->sb_iodata, buf, sz );
update_flags(sb, (SSL *)sb->sb_iodata );
+#ifdef WIN32
+ if (sb->sb_trans_needs_write)
+ errno = EWOULDBLOCK;
+#endif
return ret;
}
int ret = SSL_read( (SSL *)sb->sb_iodata, buf, sz );
update_flags(sb, (SSL *)sb->sb_iodata );
+#ifdef WIN32
+ if (sb->sb_trans_needs_read)
+ errno = EWOULDBLOCK;
+#endif
return ret;
}