#endif
static tls_impl *tls_imp = &ldap_int_tls_impl;
+#define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \
+ (void *)tls_imp->ti_sbio )
#endif /* HAVE_TLS */
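Review bot: The new HAS_TLS macro forwards its `sb` argument into the expansion unparenthesized, so an argument containing a comma or a low-precedence operator would not group as the caller intends; `#define HAS_TLS( sb ) ber_sockbuf_ctrl( (sb), LBER_SB_OPT_HAS_IO, (void *)tls_imp->ti_sbio )` is the conventional form. Every caller visible in this diff passes a plain identifier, so this is a robustness point about how the macro is written rather than a bug. Since the macro becomes the file's single definition of "TLS is active on this sockbuf", a one-line comment above it would help: `/* Non-zero if the TLS I/O layer (tls_imp->ti_sbio) is installed on sb */`.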
{ BER_BVNULL, BER_BVNULL }
};
+#ifdef HAVE_TLS
+
void
ldap_pvt_tls_ctx_free ( void *c )
{
ldap_pvt_tls_destroy( void )
{
struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
- int i;
ldap_int_tls_destroy( lo );
int
ldap_pvt_tls_init( void )
{
- struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
-
return tls_init( tls_imp );
}
static int
ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
{
- int i, rc = 0;
+ int rc = 0;
tls_impl *ti = tls_imp;
struct ldaptls lts = lo->ldo_tls_info;
int err;
tls_session *ssl = NULL;
- ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
- if ( !ssl ) {
+ if ( HAS_TLS( sb )) {
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
+ } else {
struct ldapoptions *lo;
tls_ctx *ctx;
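Review bot: In the `HAS_TLS( sb )` branch the session pointer fetched with `LBER_SB_OPT_GET_SSL` is no longer checked before the function continues, whereas the replaced code used `if ( !ssl )` as its gate; an installed I/O layer whose private session is unset would now proceed with `ssl == NULL` instead of allocating a fresh handle. Unless the layer is guaranteed to carry a session whenever it is installed, adding `if ( ssl == NULL ) return -1;` after the ctrl call keeps the old defensive check at no cost. The enclosing function starts and ends outside this hunk.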
int err;
tls_session *ssl = NULL;
- ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
- if ( !ssl ) {
+ if ( HAS_TLS( sb )) {
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
+ } else {
ssl = alloc_handle( ctx_arg, 1 );
if ( ssl == NULL ) return -1;
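Review bot: The two branches are guarded asymmetrically: the `else` path checks `alloc_handle` for NULL on the last line shown, but the `HAS_TLS( sb )` path trusts that `LBER_SB_OPT_GET_SSL` populated `ssl`, and the `if ( !ssl )` test the old code relied on is gone. On the server side this is the path that handles an incoming peer, so a NULL session reaching the accept call would be the worst place to discover the assumption is wrong; `if ( ssl == NULL ) return -1;` after the ctrl call mirrors the check already done in the `else` branch. The enclosing function starts and ends outside this hunk.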
if ( err < 0 )
{
- char buf[256];
if ( update_flags( sb, ssl, err )) return 1;
- Debug( LDAP_DEBUG_ANY,"TLS: can't accept: %s.\n",
- tls_imp->ti_session_errmsg( err, buf, sizeof(buf) ),0,0 );
+ if ( DebugTest( LDAP_DEBUG_ANY ) ) {
+ char buf[256], *msg;
+ msg = tls_imp->ti_session_errmsg( err, buf, sizeof(buf) );
+ Debug( LDAP_DEBUG_ANY,"TLS: can't accept: %s.\n",
+ msg ? msg : "(unknown)", 0, 0 );
+ }
ber_sockbuf_remove_io( sb, tls_imp->ti_sbio,
LBER_SBIOD_LEVEL_TRANSPORT );
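Review bot: When `ti_session_errmsg` returns NULL the new log line prints only "(unknown)", which discards the one diagnostic still available, the raw `err` value, at exactly the moment an operator investigating a failed handshake needs it. Including the code costs nothing since Debug already takes three arguments: `Debug( LDAP_DEBUG_ANY,"TLS: can't accept: %s (err=%d).\n", msg ? msg : "(unknown)", err, 0 );`. Wrapping the message build in `DebugTest` so the 256-byte buffer and the errmsg call are skipped when logging is off is a sensible change. The enclosing function starts and ends outside this hunk.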
int
ldap_pvt_tls_inplace ( Sockbuf *sb )
{
- tls_session *ssl = NULL;
-
- ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
- return ssl != NULL;
+ return HAS_TLS( sb ) ? 1 : 0;
}
int
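Review bot: `ldap_pvt_tls_inplace` now answers a different question than before, "is the TLS I/O layer installed on sb" instead of "does a session object exist on sb", and nothing in the hunk records that contract for callers. A header comment would pin it down: `/* Return 1 if the TLS I/O layer is installed on sb, 0 otherwise. */`. The two conditions presumably coincide in practice, but if any caller treats a non-zero result as "a session handle is available", that is now an assumption rather than something this function verifies.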
}
return ldap_pvt_tls_set_option( ld, option, &i );
}
+#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
i = -1;
if ( strcasecmp( arg, "none" ) == 0 ) {
return ldap_pvt_tls_set_option( ld, option, &i );
}
return -1;
+#endif
}
return -1;
}
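Review bot: With HAVE_OPENSSL_CRL undefined the `LDAP_OPT_X_TLS_CRLCHECK` case disappears and the option falls through to the `return -1` after the switch, so a configured CRL check the backend cannot perform is rejected rather than silently accepted; that is the right, fail-closed outcome for a revocation control, but nothing says it was intended. A comment at the `#ifdef` would stop a later cleanup from "fixing" it into a no-op: `/* CRL checking is only honoured with OpenSSL CRL support; without it TLS_CRLCHECK is rejected, not ignored. */`. The same reasoning applies to the getter and the integer setter wrapped further down in this change.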
case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = lo->ldo_tls_require_cert;
break;
+#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck;
break;
+#endif
case LDAP_OPT_X_TLS_CIPHER_SUITE:
*(char **)arg = lo->ldo_tls_ciphersuite ?
LDAP_STRDUP( lo->ldo_tls_ciphersuite ) : NULL;
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
*(int *)arg = lo->ldo_tls_protocol_min;
break;
- case LDAP_OPT_X_TLS_RANDOM_FILE: /* OpenSSL only */
+ case LDAP_OPT_X_TLS_RANDOM_FILE:
*(char **)arg = lo->ldo_tls_randfile ?
LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL;
break;
return 0;
}
return -1;
+#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1;
switch( *(int *) arg ) {
return 0;
}
return -1;
+#endif
case LDAP_OPT_X_TLS_CIPHER_SUITE:
if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite );
lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
if ( !arg ) return -1;
lo->ldo_tls_protocol_min = *(int *)arg;
return 0;
-
- case LDAP_OPT_X_TLS_RANDOM_FILE: /* OpenSSL only */
+ case LDAP_OPT_X_TLS_RANDOM_FILE:
if ( ld != NULL )
return -1;
if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile );
lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
break;
-
case LDAP_OPT_X_TLS_NEWCTX:
if ( !arg ) return -1;
if ( lo->ldo_tls_ctx )
void *
ldap_pvt_tls_sb_ctx( Sockbuf *sb )
{
-#ifdef HAVE_TLS
void *p = NULL;
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&p );
return p;
-#endif
- return NULL;
}
int
return tls_imp->ti_session_strength( session );
}
-
int
ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func, unsigned flags )
{
-#ifdef HAVE_TLS
tls_session *session = s;
struct berval der_dn;
int rc;
- tls_imp->ti_session_my_dn( session, &der_dn );
- rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
+ rc = tls_imp->ti_session_my_dn( session, &der_dn );
+ if ( rc == LDAP_SUCCESS )
+ rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
return rc;
-#else /* !HAVE_TLS */
- return LDAP_NOT_SUPPORTED;
-#endif
}
+#endif /* HAVE_TLS */
int
ldap_start_tls( LDAP *ld,
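Review bot: `ldap_pvt_tls_get_my_dn` now returns the status of `ti_session_my_dn` and leaves `*dn` untouched when that call fails, so callers must gate on `rc == LDAP_SUCCESS` before reading `dn`; the function carries no comment stating this, and the old body ignored that status entirely. A header comment along the lines of `/* Fetch the local certificate subject as an LDAP DN. Returns LDAP_SUCCESS with *dn filled, or the error from the backend or ldap_X509dn2bv; *dn is not modified on failure. */` would make the contract explicit. The comparison against `LDAP_SUCCESS` also assumes every backend's `ti_session_my_dn` reports success with that value rather than some other non-negative convention, which is worth confirming in each implementation. The `#else` stub returning LDAP_NOT_SUPPORTED is gone because the function now sits inside the `#ifdef HAVE_TLS` region closed by the added `#endif`, so a non-TLS build needs an equivalent definition elsewhere that this diff does not show.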