X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;ds=sidebyside;f=libraries%2Flibldap%2Ftls.c;h=1186bfeb0a9ff8defbeada1df1069c7063528195;hb=bf5fc54473f2143586e43aada98ae8f5dab7570b;hp=95cf256d01938ecb4efe6fd885fe700ce0439c39;hpb=ab3be5d76d8e85e4adabd671567eba405d14869f;p=openldap

diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 95cf256d01..1186bfeb0a 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -31,6 +31,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/safestack.h>
 #elif defined( HAVE_SSL_H )
 #include <ssl.h>
 #endif
@@ -97,6 +98,17 @@ static void tls_init_threads( void )
 }
 #endif /* LDAP_R_COMPILE */
 
+/*
+ * Tear down the TLS subsystem. Should only be called once.
+ */
+void
+ldap_pvt_tls_destroy( void )
+{
+	SSL_CTX_free(tls_def_ctx);
+	EVP_cleanup();
+	ERR_free_strings();
+}
+
 /*
  * Initialize TLS subsystem. Should be called only once.
  */
@@ -137,12 +149,14 @@ ldap_pvt_tls_init_def_ctx( void )
 		tls_def_ctx = SSL_CTX_new( SSLv23_method() );
 		if ( tls_def_ctx == NULL ) {
 			Debug( LDAP_DEBUG_ANY,
-			       "TLS: could not allocate default ctx.\n",0,0,0);
+		       "TLS: could not allocate default ctx (%d).\n",
+				ERR_peek_error(),0,0);
 			goto error_exit;
 		}
 		if ( tls_opt_ciphersuite &&
 		     !SSL_CTX_set_cipher_list( tls_def_ctx,
-			tls_opt_ciphersuite ) ) {
+			tls_opt_ciphersuite ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not set cipher list %s.\n",
 			       tls_opt_ciphersuite, 0, 0 );
@@ -155,17 +169,21 @@ ldap_pvt_tls_init_def_ctx( void )
 							     tls_opt_cacertdir )
 			     || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
 			{
-				Debug( LDAP_DEBUG_ANY,
-		 	"TLS: could not load verify locations (file:`%s',dir:`%s').\n",
-				       tls_opt_cacertfile,tls_opt_cacertdir,0);
+				Debug( LDAP_DEBUG_ANY, "TLS: "
+					"could not load verify locations (file:`%s',dir:`%s').\n",
+					tls_opt_cacertfile ? tls_opt_cacertfile : "",
+					tls_opt_cacertdir ? tls_opt_cacertdir : "",
+					0 );
 				tls_report_error();
 				goto error_exit;
 			}
 			calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
 			if ( !calist ) {
-				Debug( LDAP_DEBUG_ANY,
-		 	"TLS: could not load client CA list (file:`%s',dir:`%s').\n",
-				       tls_opt_cacertfile,tls_opt_cacertdir,0);
+				Debug( LDAP_DEBUG_ANY, "TLS: "
+					"could not load client CA list (file:`%s',dir:`%s').\n",
+					tls_opt_cacertfile ? tls_opt_cacertfile : "",
+					tls_opt_cacertdir ? tls_opt_cacertdir : "",
+					0 );
 				tls_report_error();
 				goto error_exit;
 			}
@@ -174,7 +192,8 @@ ldap_pvt_tls_init_def_ctx( void )
 		if ( tls_opt_keyfile &&
 		     !SSL_CTX_use_PrivateKey_file( tls_def_ctx,
 						   tls_opt_keyfile,
-						   SSL_FILETYPE_PEM ) ) {
+						   SSL_FILETYPE_PEM ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not use key file `%s'.\n",
 			       tls_opt_keyfile,0,0);
@@ -184,7 +203,8 @@ ldap_pvt_tls_init_def_ctx( void )
 		if ( tls_opt_certfile &&
 		     !SSL_CTX_use_certificate_file( tls_def_ctx,
 						    tls_opt_certfile,
-						    SSL_FILETYPE_PEM ) ) {
+						    SSL_FILETYPE_PEM ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not use certificate `%s'.\n",
 			       tls_opt_certfile,0,0);
@@ -192,7 +212,8 @@ ldap_pvt_tls_init_def_ctx( void )
 			goto error_exit;
 		}
 		if ( ( tls_opt_certfile || tls_opt_keyfile ) &&
-		     !SSL_CTX_check_private_key( tls_def_ctx ) ) {
+		     !SSL_CTX_check_private_key( tls_def_ctx ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: private key mismatch.\n",
 			       0,0,0);
@@ -249,8 +270,7 @@ alloc_handle( void *ctx_arg )
 	if ( ctx_arg ) {
 		ctx = (SSL_CTX *) ctx_arg;
 	} else {
-		if ( ldap_pvt_tls_init_def_ctx() < 0 )
-			return NULL;
+		if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL;
 		ctx = tls_def_ctx;
 	}
 
@@ -259,10 +279,6 @@ alloc_handle( void *ctx_arg )
 		Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0);
 		return NULL;
 	}
-
-	if ( tls_opt_trace ) {
-		SSL_set_info_callback( ssl, tls_info_cb );
-	}
 	return ssl;
 }
 
@@ -361,6 +377,11 @@ sb_tls_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
 	if ( opt == LBER_SB_OPT_GET_SSL ) {
 		*((SSL **)arg) = p->ssl;
 		return 1;
+
+	} else if ( opt == LBER_SB_OPT_DATA_READY ) {
+		if( SSL_pending( p->ssl ) > 0 ) {
+			return 1;
+		}
 	}
 	
 	return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
@@ -477,7 +498,7 @@ sb_tls_bio_read( BIO *b, char *buf, int len )
 }
 
 static int
-sb_tls_bio_write( BIO *b, char *buf, int len )
+sb_tls_bio_write( BIO *b, const char *buf, int len )
 {
 	struct tls_data		*p;
 	int			ret;
@@ -490,7 +511,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len )
 	if ( p == NULL || p->sbiod == NULL )
 		return 0;
 
-	ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, buf, len );
+	ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
 
 	BIO_clear_retry_flags( b );
 	if ( ret < 0 && errno == EWOULDBLOCK )
@@ -500,7 +521,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len )
 }
 
 static long
-sb_tls_bio_ctrl( BIO *b, int cmd, long num, char *ptr )
+sb_tls_bio_ctrl( BIO *b, int cmd, long num, void *ptr )
 {
 	if ( cmd == BIO_CTRL_FLUSH ) {
 		/* The OpenSSL library needs this */
@@ -516,7 +537,7 @@ sb_tls_bio_gets( BIO *b, char *buf, int len )
 }
 
 static int
-sb_tls_bio_puts( BIO *b, char *str )
+sb_tls_bio_puts( BIO *b, const char *str )
 {
 	return sb_tls_bio_write( b, str, strlen( str ) );
 }
@@ -547,24 +568,34 @@ BIO_METHOD ldap_pvt_sb_bio_method =
  *		and call again.
  */
 
-int
-ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg )
+static int
+ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 {
+	Sockbuf *sb = conn->lconn_sb;
 	int	err;
 	SSL	*ssl;
 
 	if ( HAS_TLS( sb ) ) {
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
+
 	} else {
-		ssl = alloc_handle( ctx_arg );
-		if ( ssl == NULL )
-			return -1;
+		void *ctx = ld->ld_defconn
+			? ld->ld_defconn->lconn_tls_ctx : NULL;
+
+		ssl = alloc_handle( ctx );
+
+		if ( ssl == NULL ) return -1;
+
 #ifdef LDAP_DEBUG
 		ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
 #endif
 		ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls,
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
+
+		if( ctx == NULL ) {
+			conn->lconn_tls_ctx = tls_def_ctx;
+		}
 	}
 
 	err = SSL_connect( ssl );
@@ -573,8 +604,9 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 	errno = WSAGetLastError();
 #endif
 	if ( err <= 0 ) {
-		if ( update_flags( sb, ssl, err ))
+		if ( update_flags( sb, ssl, err )) {
 			return 1;
+		}
 		if ((err = ERR_peek_error())) {
 			char buf[256];
 			ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
@@ -588,6 +620,7 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 #endif
 		return -1;
 	}
+
 	return 0;
 }
 
@@ -646,7 +679,7 @@ ldap_pvt_tls_inplace ( Sockbuf *sb )
 }
 
 void *
-ldap_pvt_tls_sb_handle( Sockbuf *sb )
+ldap_pvt_tls_sb_ctx( Sockbuf *sb )
 {
 	void			*p;
 	
@@ -658,12 +691,6 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb )
 	return NULL;
 }
 
-void *
-ldap_pvt_tls_get_handle( LDAP *ld )
-{
-	return ldap_pvt_tls_sb_handle( ld->ld_sb );
-}
-
 int
 ldap_pvt_tls_get_strength( void *s )
 {
@@ -674,7 +701,7 @@ ldap_pvt_tls_get_strength( void *s )
 }
 
 
-const char *
+char *
 ldap_pvt_tls_get_peer( void *s )
 {
     X509 *x;
@@ -692,6 +719,149 @@ ldap_pvt_tls_get_peer( void *s )
     return p;
 }
 
+char *
+ldap_pvt_tls_get_peer_dn( void *s )
+{
+	X509 *x;
+	X509_NAME *xn;
+	char buf[2048], *p, *dn;
+
+	x = SSL_get_peer_certificate((SSL *)s);
+
+	if (!x) return NULL;
+    
+	xn = X509_get_subject_name(x);
+	p = X509_NAME_oneline(xn, buf, sizeof(buf));
+
+	dn = ldap_dcedn2dn( p );
+
+	X509_free(x);
+	return dn;
+}
+
+char *
+ldap_pvt_tls_get_peer_hostname( void *s )
+{
+	X509 *x;
+	X509_NAME *xn;
+	char buf[2048], *p;
+	int ret;
+
+	x = SSL_get_peer_certificate((SSL *)s);
+
+	if (!x)
+		return NULL;
+	
+	xn = X509_get_subject_name(x);
+
+	ret = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf));
+	if( ret == -1 ) {
+		X509_free(x);
+		return NULL;
+	}
+
+	p = LDAP_STRDUP(buf);
+	X509_free(x);
+	return p;
+}
+
+int
+ldap_pvt_tls_check_hostname( void *s, const char *name_in )
+{
+    int i, ret = LDAP_LOCAL_ERROR;
+    X509 *x;
+	const char *name;
+
+	if( ldap_int_hostname &&
+		( !name_in || !strcasecmp( name_in, "localhost" ) ) )
+	{
+		name = ldap_int_hostname;
+	} else {
+		name = name_in;
+	}
+
+    x = SSL_get_peer_certificate((SSL *)s);
+    if (!x)
+    {
+	Debug( LDAP_DEBUG_ANY,
+		"TLS: unable to get peer certificate.\n",
+		0, 0, 0 );
+	return ret;
+    }
+
+    i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+    if (i >= 0)
+    {
+	X509_EXTENSION *ex;
+	STACK_OF(GENERAL_NAME) *alt;
+
+	ex = X509_get_ext(x, i);
+	alt = X509V3_EXT_d2i(ex);
+	if (alt)
+	{
+	    int n, len1, len2;
+	    char *domain;
+	    GENERAL_NAME *gn;
+	    X509V3_EXT_METHOD *method;
+
+	    len1 = strlen(name);
+	    n = sk_GENERAL_NAME_num(alt);
+	    domain = strchr(name, '.');
+	    if (domain)
+	    	len2 = len1 - (domain-name);
+	    for (i=0; i<n; i++)
+	    {
+		gn = sk_GENERAL_NAME_value(alt, i);
+		if (gn->type == GEN_DNS)
+		{
+		    char *sn = ASN1_STRING_data(gn->d.ia5);
+		    int sl = ASN1_STRING_length(gn->d.ia5);
+
+		    /* Is this an exact match? */
+		    if ((len1 == sl) && !strncasecmp(name, sn, len1))
+			break;
+
+		    /* Is this a wildcard match? */
+		    if ((*sn == '*') && domain && (len2 == sl-1) &&
+		    	!strncasecmp(domain, sn+1, len2))
+			break;
+		}
+	    }
+	    method = X509V3_EXT_get(ex);
+	    method->ext_free(alt);
+	    if (i < n)	/* Found a match */
+		ret = LDAP_SUCCESS;
+	}
+    }
+
+    if (ret != LDAP_SUCCESS)
+    {
+	X509_NAME *xn;
+	char buf[2048];
+
+	xn = X509_get_subject_name(x);
+
+	if (X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf))
+	    == -1)
+	{
+	    Debug( LDAP_DEBUG_ANY,
+		    "TLS: unable to get common name from peer certificate.\n",
+		    0, 0, 0 );
+	} else if (strcasecmp(name, buf))
+	{
+	    Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+		    "common name in certificate (%s).\n", 
+		    name, buf, 0 );
+	    ret =  LDAP_CONNECT_ERROR;
+	} else
+	{
+	    ret = LDAP_SUCCESS;
+	}
+    }
+    X509_free(x);
+    return ret;
+}
+
 const char *
 ldap_pvt_tls_get_peer_issuer( void *s )
 {
@@ -715,7 +885,7 @@ ldap_pvt_tls_get_peer_issuer( void *s )
 }
 
 int
-ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
+ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 {
 	int i;
 
@@ -725,12 +895,14 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
 	case LDAP_OPT_X_TLS_CERTFILE:
 	case LDAP_OPT_X_TLS_KEYFILE:
 	case LDAP_OPT_X_TLS_RANDOM_FILE:
-		return ldap_pvt_tls_set_option( NULL, option, (void *) arg );
+		return ldap_pvt_tls_set_option( ld, option, (void *) arg );
+
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		i = ( ( strcasecmp( arg, "on" ) == 0 ) ||
 		      ( strcasecmp( arg, "yes" ) == 0) ||
 		      ( strcasecmp( arg, "true" ) == 0 ) );
-		return ldap_pvt_tls_set_option( NULL, option, (void *) &i );
+		return ldap_pvt_tls_set_option( ld, option, (void *) &i );
+
 	case LDAP_OPT_X_TLS:
 		i = -1;
 		if ( strcasecmp( arg, "never" ) == 0 )
@@ -743,8 +915,10 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
 			i = LDAP_OPT_X_TLS_TRY ;
 		if ( strcasecmp( arg, "hard" ) == 0 )
 			i = LDAP_OPT_X_TLS_HARD ;
-		if (i >= 0)
-			return ldap_pvt_tls_set_option( lo, option, &i );
+
+		if (i >= 0) {
+			return ldap_pvt_tls_set_option( ld, option, &i );
+		}
 		return -1;
 	}
 
@@ -752,17 +926,36 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
 }
 
 int
-ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg )
+ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 {
+	struct ldapoptions *lo;
+
+	if( ld != NULL ) {
+		assert( LDAP_VALID( ld ) );
+
+		if( !LDAP_VALID( ld ) ) {
+			return LDAP_OPT_ERROR;
+		}
+
+		lo = &ld->ld_options;
+
+	} else {
+		/* Get pointer to global option structure */
+		lo = LDAP_INT_GLOBAL_OPT();   
+		if ( lo == NULL ) {
+			return LDAP_NO_MEMORY;
+		}
+	}
+
 	switch( option ) {
 	case LDAP_OPT_X_TLS:
 		*(int *)arg = lo->ldo_tls_mode;
 		break;
-	case LDAP_OPT_X_TLS_CERT:
-		if ( lo == NULL )
+	case LDAP_OPT_X_TLS_CTX:
+		if ( ld == NULL )
 			*(void **)arg = (void *) tls_def_ctx;
 		else
-			*(void **)arg = lo->ldo_tls_ctx;
+			*(void **)arg = ld->ld_defconn->lconn_tls_ctx;
 		break;
 	case LDAP_OPT_X_TLS_CACERTFILE:
 		*(char **)arg = tls_opt_cacertfile ?
@@ -793,8 +986,27 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg )
 }
 
 int
-ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
+ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 {
+	struct ldapoptions *lo;
+
+	if( ld != NULL ) {
+		assert( LDAP_VALID( ld ) );
+
+		if( !LDAP_VALID( ld ) ) {
+			return LDAP_OPT_ERROR;
+		}
+
+		lo = &ld->ld_options;
+
+	} else {
+		/* Get pointer to global option structure */
+		lo = LDAP_INT_GLOBAL_OPT();   
+		if ( lo == NULL ) {
+			return LDAP_NO_MEMORY;
+		}
+	}
+
 	switch( option ) {
 	case LDAP_OPT_X_TLS:
 		switch( *(int *) arg ) {
@@ -811,46 +1023,46 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 		}
 		return -1;
 
-	case LDAP_OPT_X_TLS_CERT:
-		if ( lo == NULL ) {
+	case LDAP_OPT_X_TLS_CTX:
+		if ( ld == NULL ) {
 			tls_def_ctx = (SSL_CTX *) arg;
 
 		} else {
-			lo->ldo_tls_ctx = arg;
+			ld->ld_defconn->lconn_tls_ctx = arg;
 		}
 		return 0;
 	}
 
-	if ( lo != NULL ) {
+	if ( ld != NULL ) {
 		return -1;
 	}
 
 	switch( option ) {
 	case LDAP_OPT_X_TLS_CACERTFILE:
-		if ( tls_opt_cacertfile ) free( tls_opt_cacertfile );
+		if ( tls_opt_cacertfile ) LDAP_FREE( tls_opt_cacertfile );
 		tls_opt_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_CACERTDIR:
-		if ( tls_opt_cacertdir ) free( tls_opt_cacertdir );
+		if ( tls_opt_cacertdir ) LDAP_FREE( tls_opt_cacertdir );
 		tls_opt_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_CERTFILE:
-		if ( tls_opt_certfile ) free( tls_opt_certfile );
+		if ( tls_opt_certfile ) LDAP_FREE( tls_opt_certfile );
 		tls_opt_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_KEYFILE:
-		if ( tls_opt_keyfile ) free( tls_opt_keyfile );
+		if ( tls_opt_keyfile ) LDAP_FREE( tls_opt_keyfile );
 		tls_opt_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		tls_opt_require_cert = * (int *) arg;
 		break;
 	case LDAP_OPT_X_TLS_CIPHER_SUITE:
-		if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite );
+		if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite );
 		tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	case LDAP_OPT_X_TLS_RANDOM_FILE:
-		if (tls_opt_randfile ) free (tls_opt_randfile );
+		if (tls_opt_randfile ) LDAP_FREE (tls_opt_randfile );
 		tls_opt_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
 		break;
 	default:
@@ -860,20 +1072,57 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 }
 
 int
-ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
+ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 {
-	ldap_pvt_tls_init();
+	Sockbuf *sb = conn->lconn_sb;
+	char *host;
+	void *ssl;
+
+	if( srv ) {
+		host = srv->lud_host;
+	} else {
+ 		host = conn->lconn_server->lud_host;
+	}
+
+	/* avoid NULL host */
+	if( host == NULL ) {
+		host = "localhost";
+	}
+
+	(void) ldap_pvt_tls_init();
 
 	/*
 	 * Fortunately, the lib uses blocking io...
 	 */
-	if ( ldap_pvt_tls_connect( ld, sb, ctx_arg ) < 0 ) {
-		return LDAP_CONNECT_ERROR;
+	if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
+		ld->ld_errno = LDAP_CONNECT_ERROR;
+		return (ld->ld_errno);
+	}
+
+	ssl = (void *) ldap_pvt_tls_sb_ctx( sb );
+	assert( ssl != NULL );
+
+	/* 
+	 * compare host with name(s) in certificate
+	 */
+	ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host );
+	if (ld->ld_errno != LDAP_SUCCESS) {
+		return ld->ld_errno;
 	}
 
-	/* FIXME: hostname of server must be compared with name in
-	 * certificate....
+	/*
+	 * set SASL properties to TLS ssf and authid
 	 */
+	{
+		const char *authid;
+		ber_len_t ssf;
+
+		/* we need to let SASL know */
+		ssf = ldap_pvt_tls_get_strength( ssl );
+		authid = ldap_pvt_tls_get_peer( ssl );
+
+		(void) ldap_int_sasl_external( ld, conn, authid, ssf );
+	}
 
 	return LDAP_SUCCESS;
 }
@@ -993,6 +1242,7 @@ tls_seed_PRNG( const char *randfile )
 {
 #ifndef URANDOM_DEVICE
 	/* no /dev/urandom (or equiv) */
+	long total=0;
 	char buffer[MAXPATHLEN];
 
 	if (randfile == NULL) {
@@ -1010,19 +1260,25 @@ tls_seed_PRNG( const char *randfile )
 
 	if (randfile == NULL) {
 		Debug( LDAP_DEBUG_ANY,
-			"TLS: Use configuration file or $RANDFILE to define seed PRNG",
+			"TLS: Use configuration file or $RANDFILE to define seed PRNG\n",
 			0, 0, 0);
 		return -1;
 	}
 
-	RAND_load_file(randfile, -1);
+	total = RAND_load_file(randfile, -1);
 
 	if (RAND_status() == 0) {
 		Debug( LDAP_DEBUG_ANY,
-			"TLS: PRNG not been seeded with enough data",
+			"TLS: PRNG not been seeded with enough data\n",
 			0, 0, 0);
 		return -1;
 	}
+
+	/* assume if there was enough bits to seed that it's okay
+	 * to write derived bits to the file
+	 */
+	RAND_write_file(randfile);
+
 #endif
 
 	return 0;
@@ -1042,12 +1298,13 @@ ldap_start_tls_s ( LDAP *ld,
 	LDAPControl **serverctrls,
 	LDAPControl **clientctrls )
 {
-#ifdef HAVE_TLS
 	int rc;
+
+#ifdef HAVE_TLS
 	char *rspoid = NULL;
 	struct berval *rspdata = NULL;
 
-	/* XXYYZ: this initiates operaton only on default connection! */
+	/* XXYYZ: this initiates operation only on default connection! */
 
 	if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
 		return LDAP_LOCAL_ERROR;
@@ -1067,10 +1324,10 @@ ldap_start_tls_s ( LDAP *ld,
 		ber_bvfree( rspdata );
 	}
 
-	rc = ldap_pvt_tls_start( ld, ld->ld_sb, ld->ld_options.ldo_tls_ctx );
-	return rc;
+	rc = ldap_int_tls_start( ld, ld->ld_defconn, NULL );
 #else
-	return LDAP_NOT_SUPPORTED;
+	rc = LDAP_NOT_SUPPORTED;
 #endif
+	return rc;
 }