*/
#include "portable.h"
+#include "ldap_config.h"
#include <stdio.h>
#include <ac/time.h>
#include <ac/unistd.h>
#include <ac/param.h>
+#include <ac/dirent.h>
#include "ldap-int.h"
tls_def_ctx = SSL_CTX_new( SSLv23_method() );
if ( tls_def_ctx == NULL ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
+ LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
"TLS could not allocate default ctx (%d).\n",
- ERR_peek_error() ));
+ ERR_peek_error(), 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: could not allocate default ctx (%lu).\n",
!SSL_CTX_set_cipher_list( tls_def_ctx, tls_opt_ciphersuite ) )
{
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
+ LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
"TLS could not set cipher list %s.\n",
- tls_opt_ciphersuite ));
+ tls_opt_ciphersuite, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list %s.\n",
!SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
{
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR,
+ LDAP_LOG ( TRANSPORT, ERR,
"ldap_pvt_tls_init_def_ctx: "
"TLS could not load verify locations "
"(file:`%s',dir:`%s').\n",
tls_opt_cacertfile ? tls_opt_cacertfile : "",
- tls_opt_cacertdir ? tls_opt_cacertdir : "" ));
+ tls_opt_cacertdir ? tls_opt_cacertdir : "", 0 );
#else
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",
calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
if ( !calist ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
+ LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
"TLS could not load client CA list (file: `%s',dir:`%s')\n",
tls_opt_cacertfile ? tls_opt_cacertfile : "",
- tls_opt_cacertdir ? tls_opt_cacertdir : "" ));
+ tls_opt_cacertdir ? tls_opt_cacertdir : "", 0 );
#else
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load client CA list (file:`%s',dir:`%s').\n",
tls_opt_keyfile, SSL_FILETYPE_PEM ) )
{
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
- "TLS could not use key file `%s'.\n", tls_opt_keyfile ));
+ LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
+ "TLS could not use key file `%s'.\n", tls_opt_keyfile, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: could not use key file `%s'.\n",
tls_opt_certfile, SSL_FILETYPE_PEM ) )
{
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
- "TLS could not use certificate `%s'.\n", tls_opt_certfile ));
+ LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
+ "TLS could not use certificate `%s'.\n",
+ tls_opt_certfile, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: could not use certificate `%s'.\n",
!SSL_CTX_check_private_key( tls_def_ctx ) )
{
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
- "TLS private key mismatch.\n" ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "ldap_pvt_tls_init_def_ctx: TLS private key mismatch.\n",
+ 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: private key mismatch.\n",
if ( bundle ) {
ca_list = SSL_load_client_CA_file( bundle );
}
- /*
- * FIXME: We have now to go over all files in dir, load them
- * and add every certificate there to ca_list.
- */
+#if defined(HAVE_DIRENT_H) || defined(dirent)
+ if ( dir ) {
+ DIR *dirp;
+ struct dirent *d;
+ char buf[MAXPATHLEN];
+ int l = strlen(dir), freeit = 0;
+
+ if (l > sizeof(buf))
+ goto done;
+
+ dirp = opendir( dir );
+
+ if ( !ca_list ) {
+ ca_list = sk_X509_NAME_new_null();
+ freeit = 1;
+ }
+
+ strcpy(buf, dir);
+
+ while ( dirp ) {
+ if ( ( d = readdir( dirp )) == NULL) {
+ closedir( dirp );
+ break;
+ }
+ if (l + sizeof(LDAP_DIRSEP) + NAMLEN(d) > sizeof(buf))
+ continue;
+
+ sprintf( buf+l, LDAP_DIRSEP "%s", d->d_name );
+ if ( SSL_add_file_cert_subjects_to_stack(ca_list, buf)) {
+ freeit = 0;
+ }
+ }
+ if ( freeit ) {
+ sk_X509_NAME_free( ca_list );
+ ca_list = NULL;
+ }
+ }
+#endif
+done:
return ca_list;
}
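Review bot: The length guard `if (l > sizeof(buf)) goto done;` is off by one: when `l == sizeof(buf)` the following `strcpy(buf, dir)` writes the terminating NUL one byte past `buf`, so it should read `if (l >= sizeof(buf)) goto done;`. The per-entry check does bound the `sprintf`, but `snprintf( buf+l, sizeof(buf)-l, LDAP_DIRSEP "%s", d->d_name )` would make the bound local to the write instead of depending on the arithmetic two lines above, and `l` is only ever compared with `sizeof` so it should be a `size_t` rather than an `int`. A failed `opendir` is silent here (the loop is simply skipped), which makes a mistyped CA directory indistinguishable from an empty one; a Debug/LDAP_LOG line when `dirp == NULL` would help operators. Every non-certificate entry, including `.` and `..`, presumably leaves an entry on OpenSSL's thread error queue when `SSL_add_file_cert_subjects_to_stack` fails, so an `ERR_clear_error()` after the loop may be wanted to keep a later `tls_report_error` from reporting them — worth confirming against the OpenSSL version in use.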
ssl = SSL_new( ctx );
if ( ssl == NULL ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "alloc_handle: "
- "TLS can't create ssl handle.\n" ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "alloc_handle: TLS can't create ssl handle.\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0);
#endif
}
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_int_tls_connect: "
- "TLS can't connect.\n" ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "ldap_int_tls_connect: TLS can't connect.\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,"TLS: can't connect.\n",0,0,0);
#endif
if ( update_flags( sb, ssl, err )) return 1;
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_accept: "
- "TLS can't accept.\n" ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "ldap_pvt_tls_accept: TLS can't accept.\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,"TLS: can't accept.\n",0,0,0 );
#endif
}
int
-ldap_pvt_tls_check_hostname( void *s, const char *name_in )
+ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
{
int i, ret = LDAP_LOCAL_ERROR;
X509 *x;
x = tls_get_cert((SSL *)s);
if (!x) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
- "TLS unable to get peer certificate.\n" ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "ldap_pvt_tls_check_hostname: "
+ "TLS unable to get peer certificate.\n" , 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get peer certificate.\n",
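Review bot: The new `LDAP *ld` parameter is undocumented, and later in this function it is dereferenced to set `ld->ld_error` without a NULL check, so callers must always pass a live handle; a comment above the definition such as `/* ld: handle whose ld_error receives a diagnostic when the check fails; must not be NULL */` would make that contract explicit. As a `ldap_pvt_` symbol the signature change is presumably internal, but any other in-tree caller not shown in this chunk needs the same update as the one at the tls_connect call site. The function body continues past the end of this hunk.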
int n, len1, len2 = 0;
char *domain;
GENERAL_NAME *gn;
- X509V3_EXT_METHOD *method;
len1 = strlen(name);
n = sk_GENERAL_NAME_num(alt);
}
}
- method = X509V3_EXT_get(ex);
- method->ext_free(alt);
+ GENERAL_NAMES_free(alt);
if (i < n) { /* Found a match */
ret = LDAP_SUCCESS;
}
buf, sizeof(buf)) == -1)
{
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
- "TLS unable to get common name from peer certificate.\n" ));
+ LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_check_hostname: "
+ "TLS unable to get common name from peer certificate.\n",
+ 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
#endif
+ ld->ld_error = LDAP_STRDUP("TLS: unable to get CN from peer certificate");
} else if (strcasecmp(name, buf)) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
+ LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_check_hostname: "
"TLS hostname (%s) does not match "
- "common name in certificate (%s).\n", name, buf ));
+ "common name in certificate (%s).\n", name, buf, 0 );
#else
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
name, buf, 0 );
#endif
ret = LDAP_CONNECT_ERROR;
+ ld->ld_error = LDAP_STRDUP("TLS: hostname does not match CN in peer certificate");
} else {
ret = LDAP_SUCCESS;
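Review bot: Both new `ld->ld_error = LDAP_STRDUP(...)` assignments overwrite whatever string `ld_error` already holds without releasing it, leaking the previous message on a handle that has already seen an error; the usual libldap form is `if ( ld->ld_error ) LDAP_FREE( ld->ld_error );` immediately before the assignment, and it belongs on both branches. In the no-CN branch `ret` is left at its initial `LDAP_LOCAL_ERROR`, set at the top of the function outside this hunk, so the caller still rejects the connection; a one-line comment here (`/* ret stays LDAP_LOCAL_ERROR: no CN to compare */`) would spare readers of this branch the hunt. The enclosing ldap_pvt_tls_check_hostname begins before and ends after this hunk.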
/*
* compare host with name(s) in certificate
*/
- ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host );
+ ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
if (ld->ld_errno != LDAP_SUCCESS) {
return ld->ld_errno;
}
if ( where & SSL_CB_LOOP ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1, "tls_info_cb: "
- "TLS trace: %s:%s\n", op, SSL_state_string_long( ssl ) ));
+ LDAP_LOG ( TRANSPORT, DETAIL1, "tls_info_cb: "
+ "TLS trace: %s:%s\n", op, SSL_state_string_long( ssl ), 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:%s\n",
} else if ( where & SSL_CB_ALERT ) {
op = ( where & SSL_CB_READ ) ? "read" : "write";
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1, "tls_info_cb: "
- "TLS trace: SSL3 alert %s:%s:%s\n", op,
- SSL_alert_type_string_long( ret ),
- SSL_alert_desc_string_long( ret) ));
+ LDAP_LOG ( TRANSPORT, DETAIL1,
+ "tls_info_cb: TLS trace: SSL3 alert %s:%s:%s\n",
+ op, SSL_alert_type_string_long( ret ),
+ SSL_alert_desc_string_long( ret) );
#else
Debug( LDAP_DEBUG_TRACE,
"TLS trace: SSL3 alert %s:%s:%s\n",
} else if ( where & SSL_CB_EXIT ) {
if ( ret == 0 ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "tls_info_cb: "
- "TLS trace: %s:failed in %s\n", op, SSL_state_string_long( ssl ) ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "tls_info_cb: TLS trace: %s:failed in %s\n",
+ op, SSL_state_string_long( ssl ), 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:failed in %s\n",
#endif
} else if ( ret < 0 ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "tls_info_cb: "
- "TLS trace: %s:error in %s\n", op, SSL_state_string_long( ssl ) ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "tls_info_cb: TLS trace: %s:error in %s\n",
+ op, SSL_state_string_long( ssl ), 0 );
#else
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:error in %s\n",
sname = X509_NAME_oneline( subject, NULL, 0 );
iname = X509_NAME_oneline( issuer, NULL, 0 );
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "tls_verify_cb"
- "TLS certificate verification: depth: %d, err: %d: "
- "subject: %s, issuer: %s\n", errdepth, errnum,
- sname ? sname : "-unknown-", iname ? iname : "-unknown-" ));
+ LDAP_LOG( TRANSPORT, ERR,
+ "TLS certificate verification: depth: %d, err: %d, subject: %s,",
+ errdepth, errnum,
+ sname ? sname : "-unknown-" );
+ LDAP_LOG( TRANSPORT, ERR, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 );
if ( !ok ) {
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "TLS certificate verification: Error, %s\n",
- X509_verify_cert_error_string(errnum)));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "TLS certificate verification: Error, %s\n",
+ X509_verify_cert_error_string(errnum), 0, 0 );
}
#else
Debug( LDAP_DEBUG_TRACE,
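Review bot: Under NEW_LOGGING the per-certificate summary is now emitted at ERR for every chain element whether or not verification succeeded, since `ok` is only consulted for the trailing error line, while the legacy path right below logs the same summary at LDAP_DEBUG_TRACE; logging the summary at DETAIL1 and reserving ERR for the `!ok` line would keep the two backends in step and stop every successful handshake from producing ERR-level output. Splitting the subject and issuer across two LDAP_LOG calls also lets another thread's line land between them; if the three-argument form of LDAP_LOG forces the split, a comment saying so (`/* two calls: LDAP_LOG takes at most three args */`) would stop someone from re-merging it. Where sname and iname are freed is outside this hunk.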
while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR,
+ LDAP_LOG ( TRANSPORT, ERR,
"tls_report_error: TLS %s %s:%d\n",
- ERR_error_string( l, buf ), file, line ));
+ ERR_error_string( l, buf ), file, line );
#else
Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
ERR_error_string( l, buf ), file, line );
if ( !tmp_rsa ) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_ERR,
- "tls_tmp_rsa_cb: TLS Failed to generate temporary %d-bit %s RSA key\n",
- key_length, is_export ? "export" : "domestic" ));
+ LDAP_LOG ( TRANSPORT, ERR,
+ "tls_tmp_rsa_cb: TLS Failed to generate temporary %d-bit %s "
+ "RSA key\n", key_length, is_export ? "export" : "domestic", 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: Failed to generate temporary %d-bit %s RSA key\n",
if (randfile == NULL) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1,
+ LDAP_LOG ( TRANSPORT, DETAIL1,
"tls_seed_PRNG: TLS Use configuration file or "
- "$RANDFILE to define seed PRNG\n" ));
+ "$RANDFILE to define seed PRNG\n", 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: Use configuration file or $RANDFILE to define seed PRNG\n",
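Review bot: This message is logged at DETAIL1 under NEW_LOGGING but at LDAP_DEBUG_ANY in the legacy path below, so an operator on the new logging backend will not learn that the PRNG has no configured seed source unless detail-level tracing is enabled; a missing seed is a security-relevant misconfiguration, so `LDAP_LOG ( TRANSPORT, ERR,` would match the legacy severity. The same DETAIL1 versus LDAP_DEBUG_ANY split appears to recur for the RAND_status() check that follows, which runs past the end of this chunk. tls_seed_PRNG itself starts and ends outside this hunk.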
if (RAND_status() == 0) {
#ifdef NEW_LOGGING
- LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1,
- "tls_seed_PRNG: TLS PRNG not been seeded with enough data\n" ));
+ LDAP_LOG ( TRANSPORT, DETAIL1,
+ "tls_seed_PRNG: TLS PRNG not been seeded with enough data\n",
+ 0, 0, 0 );
#else
Debug( LDAP_DEBUG_ANY,
"TLS: PRNG not been seeded with enough data\n",