ITS#7428 Use non-blocking IO during SSL Handshake

[openldap] / libraries / libldap / tls_o.c
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c

index 90cade8f4ef6b1639d0baf90f3b44a775efbd8de..338e5279696f2504500f939c6be102c44a8e02e8 100644 (file)
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -2,7 +2,7 @@
  /* $OpenLDAP$ */
  /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
   *
- * Copyright 2008-2009 The OpenLDAP Foundation.
+ * Copyright 2008-2012 The OpenLDAP Foundation.
   * All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
@@ -37,10 +37,6 @@
  #include "ldap-int.h"
  #include "ldap-tls.h"
  
-#ifdef LDAP_R_COMPILE
-#include <ldap_pvt_thread.h>
-#endif
-
  #ifdef HAVE_OPENSSL_SSL_H
  #include <openssl/ssl.h>
  #include <openssl/x509v3.h>
@@ -398,11 +394,22 @@ tlso_session_upflags( Sockbuf *sb, tls_session *sess, int rc )
  }
  
  static char *
-tlso_session_errmsg( int rc, char *buf, size_t len )
+tlso_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
  {
+       char err[256] = "";
+       const char *certerr=NULL;
+       tlso_session *s = (tlso_session *)sess;
+
         rc = ERR_peek_error();
         if ( rc ) {
-               ERR_error_string_n( rc, buf, len );
+               ERR_error_string_n( rc, err, sizeof(err) );
+               if ( ( ERR_GET_LIB(rc) == ERR_LIB_SSL ) && 
+                               ( ERR_GET_REASON(rc) == SSL_R_CERTIFICATE_VERIFY_FAILED ) ) {
+                       int certrc = SSL_get_verify_result(s);
+                       certerr = (char *)X509_verify_cert_error_string(certrc);
+               }
+               snprintf(buf, len, "%s%s%s%s", err, certerr ? " (" :"", 
+                               certerr ? certerr : "", certerr ?  ")" : "" );
                 return buf;
         }
         return NULL;
@@ -494,12 +501,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
         }
  
  #ifdef LDAP_PF_INET6
-       if (name[0] == '[' && strchr(name, ']')) {
-               char *n2 = ldap_strdup(name+1);
-               *strchr(n2, ']') = 0;
-               if (inet_pton(AF_INET6, n2, &addr))
-                       ntype = IS_IP6;
-               LDAP_FREE(n2);
+       if (inet_pton(AF_INET6, name, &addr)) {
+               ntype = IS_IP6;
         } else 
  #endif
         if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
@@ -618,7 +621,7 @@ no_cn:
                 } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
                         char *domain = strchr(name, '.');
                         if( domain ) {
-                               size_t dlen;
+                               int dlen;
  
                                 dlen = nlen - (domain-name);
  
@@ -650,10 +653,8 @@ static int
  tlso_session_strength( tls_session *sess )
  {
         tlso_session *s = (tlso_session *)sess;
-       SSL_CIPHER *c;
  
-       c = SSL_get_current_cipher(s);
-       return SSL_CIPHER_get_bits(c, NULL);
+       return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
  }
  
  /*
@@ -1066,16 +1067,29 @@ static RSA *
  tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
  {
         RSA *tmp_rsa;
-
         /* FIXME:  Pregenerate the key on startup */
         /* FIXME:  Who frees the key? */
+#if OPENSSL_VERSION_NUMBER >= 0x00908000
+       BIGNUM *bn = BN_new();
+       tmp_rsa = NULL;
+       if ( bn ) {
+               if ( BN_set_word( bn, RSA_F4 )) {
+                       tmp_rsa = RSA_new();
+                       if ( tmp_rsa && !RSA_generate_key_ex( tmp_rsa, key_length, bn, NULL )) {
+                               RSA_free( tmp_rsa );
+                               tmp_rsa = NULL;
+                       }
+               }
+               BN_free( bn );
+       }
+#else
         tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
+#endif
  
         if ( !tmp_rsa ) {
                 Debug( LDAP_DEBUG_ANY,
                         "TLS: Failed to generate temporary %d-bit %s RSA key\n",
                         key_length, is_export ? "export" : "domestic", 0 );
-               return NULL;
         }
         return tmp_rsa;
  }
@@ -1190,14 +1204,10 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
         int i;
  
         /* Do we have params of this length already? */
-#ifdef LDAP_R_COMPILE
-       ldap_pvt_thread_mutex_lock( &tlso_dh_mutex );
-#endif
+       LDAP_MUTEX_LOCK( &tlso_dh_mutex );
         for ( p = tlso_dhparams; p; p=p->next ) {
                 if ( p->keylength == key_length ) {
-#ifdef LDAP_R_COMPILE
-                       ldap_pvt_thread_mutex_unlock( &tlso_dh_mutex );
-#endif
+                       LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
                         return p->param;
                 }
         }
@@ -1230,9 +1240,7 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
                 }
         }
  
-#ifdef LDAP_R_COMPILE
-       ldap_pvt_thread_mutex_unlock( &tlso_dh_mutex );
-#endif
+       LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
         return dh;
  }