X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls.c;h=4cfd6a93dd77d0516f3ae162a924599e9ed3de4e;hb=a2eec74fc1d535fa9092f4d7b82a669b39eef539;hp=c4a683edc26f6ba33f22e18cf34e9d626fad2c8b;hpb=b10e0029a5fd49f36f5ca2e75a1fc41285a3d72c;p=openldap diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index c4a683edc2..4cfd6a93dd 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -143,7 +143,8 @@ ldap_pvt_tls_init_def_ctx( void ) } if ( tls_opt_ciphersuite && !SSL_CTX_set_cipher_list( tls_def_ctx, - tls_opt_ciphersuite ) ) { + tls_opt_ciphersuite ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: could not set cipher list %s.\n", tls_opt_ciphersuite, 0, 0 ); @@ -156,17 +157,21 @@ ldap_pvt_tls_init_def_ctx( void ) tls_opt_cacertdir ) || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not load verify locations (file:`%s',dir:`%s').\n", - tls_opt_cacertfile,tls_opt_cacertdir,0); + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not load verify locations (file:`%s',dir:`%s').\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", + 0 ); tls_report_error(); goto error_exit; } calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir ); if ( !calist ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not load client CA list (file:`%s',dir:`%s').\n", - tls_opt_cacertfile,tls_opt_cacertdir,0); + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not load client CA list (file:`%s',dir:`%s').\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", + 0 ); tls_report_error(); goto error_exit; } @@ -175,7 +180,8 @@ ldap_pvt_tls_init_def_ctx( void ) if ( tls_opt_keyfile && !SSL_CTX_use_PrivateKey_file( tls_def_ctx, tls_opt_keyfile, - SSL_FILETYPE_PEM ) ) { + SSL_FILETYPE_PEM ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: could not use key file `%s'.\n", tls_opt_keyfile,0,0); @@ -185,7 +191,8 @@ ldap_pvt_tls_init_def_ctx( void ) if ( tls_opt_certfile && !SSL_CTX_use_certificate_file( tls_def_ctx, tls_opt_certfile, - SSL_FILETYPE_PEM ) ) { + SSL_FILETYPE_PEM ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: could not use certificate `%s'.\n", tls_opt_certfile,0,0); @@ -193,7 +200,8 @@ ldap_pvt_tls_init_def_ctx( void ) goto error_exit; } if ( ( tls_opt_certfile || tls_opt_keyfile ) && - !SSL_CTX_check_private_key( tls_def_ctx ) ) { + !SSL_CTX_check_private_key( tls_def_ctx ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: private key mismatch.\n", 0,0,0); @@ -478,7 +486,7 @@ sb_tls_bio_read( BIO *b, char *buf, int len ) } static int -sb_tls_bio_write( BIO *b, char *buf, int len ) +sb_tls_bio_write( BIO *b, const char *buf, int len ) { struct tls_data *p; int ret; @@ -491,7 +499,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len ) if ( p == NULL || p->sbiod == NULL ) return 0; - ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, buf, len ); + ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len ); BIO_clear_retry_flags( b ); if ( ret < 0 && errno == EWOULDBLOCK ) @@ -501,7 +509,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len ) } static long -sb_tls_bio_ctrl( BIO *b, int cmd, long num, char *ptr ) +sb_tls_bio_ctrl( BIO *b, int cmd, long num, void *ptr ) { if ( cmd == BIO_CTRL_FLUSH ) { /* The OpenSSL library needs this */ @@ -517,7 +525,7 @@ sb_tls_bio_gets( BIO *b, char *buf, int len ) } static int -sb_tls_bio_puts( BIO *b, char *str ) +sb_tls_bio_puts( BIO *b, const char *str ) { return sb_tls_bio_write( b, str, strlen( str ) ); } @@ -866,13 +874,13 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg ) case LDAP_OPT_X_TLS_CERTFILE: case LDAP_OPT_X_TLS_KEYFILE: case LDAP_OPT_X_TLS_RANDOM_FILE: - return ldap_pvt_tls_set_option( NULL, option, (void *) arg ); + return ldap_pvt_tls_set_option( ld, option, (void *) arg ); case LDAP_OPT_X_TLS_REQUIRE_CERT: i = ( ( strcasecmp( arg, "on" ) == 0 ) || ( strcasecmp( arg, "yes" ) == 0) || ( strcasecmp( arg, "true" ) == 0 ) ); - return ldap_pvt_tls_set_option( NULL, option, (void *) &i ); + return ldap_pvt_tls_set_option( ld, option, (void *) &i ); case LDAP_OPT_X_TLS: i = -1; @@ -1046,10 +1054,8 @@ int ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { Sockbuf *sb = conn->lconn_sb; - void *ctx = ld->ld_defconn->lconn_tls_ctx; char *host; void *ssl; - int ret; if( srv ) { host = srv->lud_host; @@ -1057,25 +1063,29 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) host = conn->lconn_server->lud_host; } + /* avoid NULL host */ + if( host == NULL ) host = "localhost"; + (void) ldap_pvt_tls_init(); /* * Fortunately, the lib uses blocking io... */ if ( ldap_int_tls_connect( ld, conn ) < 0 ) { - return LDAP_CONNECT_ERROR; + ld->ld_errno = LDAP_CONNECT_ERROR; + return (ld->ld_errno); } ssl = (void *) ldap_pvt_tls_sb_ctx( sb ); assert( ssl != NULL ); /* - * compare host with name(s) in certificate + * compare host with name(s) in certificate */ - - ret = ldap_pvt_tls_check_hostname( ssl, host ); - if (ret != LDAP_SUCCESS) - return ret; + ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host ); + if (ld->ld_errno != LDAP_SUCCESS) { + return ld->ld_errno; + } /* * set SASL properties to TLS ssf and authid @@ -1088,7 +1098,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) ssf = ldap_pvt_tls_get_strength( ssl ); authid = ldap_pvt_tls_get_peer( ssl ); - (void) ldap_int_sasl_external( ld, authid, ssf ); + (void) ldap_int_sasl_external( ld, conn, authid, ssf ); } return LDAP_SUCCESS;