Fix UTF8StringNormalize overrun on zero-length string

[openldap] / libraries / libldap / tls_o.c

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 6707e291536038cd58f81ac6679876c63902f190..8a3876779da711e7cef0e9dd8c5b9fa8fba1c4df 100644 (file)
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2008-2009 The OpenLDAP Foundation.
+ * Copyright 2008-2011 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37,10 +37,6 @@
 #include "ldap-int.h"
 #include "ldap-tls.h"
 
-#ifdef LDAP_R_COMPILE
-#include <ldap_pvt_thread.h>
-#endif
-
 #ifdef HAVE_OPENSSL_SSL_H
 #include <openssl/ssl.h>
 #include <openssl/x509v3.h>
@@ -398,11 +394,22 @@ tlso_session_upflags( Sockbuf *sb, tls_session *sess, int rc )
 }
 
 static char *
-tlso_session_errmsg( int rc, char *buf, size_t len )
+tlso_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
 {
+       char err[256] = "";
+       const char *certerr=NULL;
+       tlso_session *s = (tlso_session *)sess;
+
        rc = ERR_peek_error();
        if ( rc ) {
-               ERR_error_string_n( rc, buf, len );
+               ERR_error_string_n( rc, err, sizeof(err) );
+               if ( ( ERR_GET_LIB(rc) == ERR_LIB_SSL ) && 
+                               ( ERR_GET_REASON(rc) == SSL_R_CERTIFICATE_VERIFY_FAILED ) ) {
+                       int certrc = SSL_get_verify_result(s);
+                       certerr = (char *)X509_verify_cert_error_string(certrc);
+               }
+               snprintf(buf, len, "%s%s%s%s", err, certerr ? " (" :"", 
+                               certerr ? certerr : "", certerr ?  ")" : "" );
                return buf;
        }
        return NULL;
@@ -1068,8 +1075,9 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
        RSA *tmp_rsa;
        /* FIXME:  Pregenerate the key on startup */
        /* FIXME:  Who frees the key? */
-#if OPENSSL_VERSION_NUMBER > 0x00908000
+#if OPENSSL_VERSION_NUMBER >= 0x00908000
        BIGNUM *bn = BN_new();
+       tmp_rsa = NULL;
        if ( bn ) {
                if ( BN_set_word( bn, RSA_F4 )) {
                        tmp_rsa = RSA_new();
@@ -1079,8 +1087,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
                        }
                }
                BN_free( bn );
-       } else {
-               tmp_rsa = NULL;
        }
 #else
        tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
@@ -1090,7 +1096,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
                Debug( LDAP_DEBUG_ANY,
                        "TLS: Failed to generate temporary %d-bit %s RSA key\n",
                        key_length, is_export ? "export" : "domestic", 0 );
-               return NULL;
        }
        return tmp_rsa;
 }
@@ -1205,14 +1210,10 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
        int i;
 
        /* Do we have params of this length already? */
-#ifdef LDAP_R_COMPILE
-       ldap_pvt_thread_mutex_lock( &tlso_dh_mutex );
-#endif
+       LDAP_MUTEX_LOCK( &tlso_dh_mutex );
        for ( p = tlso_dhparams; p; p=p->next ) {
                if ( p->keylength == key_length ) {
-#ifdef LDAP_R_COMPILE
-                       ldap_pvt_thread_mutex_unlock( &tlso_dh_mutex );
-#endif
+                       LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
                        return p->param;
                }
        }
@@ -1245,9 +1246,7 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
                }
        }
 
-#ifdef LDAP_R_COMPILE
-       ldap_pvt_thread_mutex_unlock( &tlso_dh_mutex );
-#endif
+       LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
        return dh;
 }