/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2008-2009 The OpenLDAP Foundation.
+ * Copyright 2008-2010 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
}
static char *
-tlso_session_errmsg( int rc, char *buf, size_t len )
+tlso_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
{
+ char err[256] = "";
+ const char *certerr=NULL;
+ tlso_session *s = (tlso_session *)sess;
+
rc = ERR_peek_error();
if ( rc ) {
- ERR_error_string_n( rc, buf, len );
+ ERR_error_string_n( rc, err, sizeof(err) );
+ if ( ( ERR_GET_LIB(rc) == ERR_LIB_SSL ) &&
+ ( ERR_GET_REASON(rc) == SSL_R_CERTIFICATE_VERIFY_FAILED ) ) {
+ int certrc = SSL_get_verify_result(s);
+ certerr = (char *)X509_verify_cert_error_string(certrc);
+ }
+ snprintf(buf, len, "%s%s%s%s", err, certerr ? " (" :"",
+ certerr ? certerr : "", certerr ? ")" : "" );
return buf;
}
return NULL;
} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
char *domain = strchr(name, '.');
if( domain ) {
- size_t dlen;
+ int dlen;
dlen = nlen - (domain-name);
tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
{
RSA *tmp_rsa;
-
/* FIXME: Pregenerate the key on startup */
/* FIXME: Who frees the key? */
+#if OPENSSL_VERSION_NUMBER >= 0x00908000
+ BIGNUM *bn = BN_new();
+ tmp_rsa = NULL;
+ if ( bn ) {
+ if ( BN_set_word( bn, RSA_F4 )) {
+ tmp_rsa = RSA_new();
+ if ( tmp_rsa && !RSA_generate_key_ex( tmp_rsa, key_length, bn, NULL )) {
+ RSA_free( tmp_rsa );
+ tmp_rsa = NULL;
+ }
+ }
+ BN_free( bn );
+ }
+#else
tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
+#endif
if ( !tmp_rsa ) {
Debug( LDAP_DEBUG_ANY,
"TLS: Failed to generate temporary %d-bit %s RSA key\n",
key_length, is_export ? "export" : "domestic", 0 );
- return NULL;
}
return tmp_rsa;
}