X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls.c;h=afe55f0775bf70f0f8044c822d3e6ba19d38d6cb;hb=2b0819c4a9209784f762ec154ce4721038522a8a;hp=f31c97973c5958fb9fb7156b98cb400618e8213f;hpb=241d6a558e3bfd7a7cfc70a1de65fa527fe40e60;p=openldap

diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index f31c97973c..afe55f0775 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -31,6 +31,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/safestack.h>
 #elif defined( HAVE_SSL_H )
 #include <ssl.h>
 #endif
@@ -97,6 +98,17 @@ static void tls_init_threads( void )
 }
 #endif /* LDAP_R_COMPILE */
 
+/*
+ * Tear down the TLS subsystem. Should only be called once.
+ */
+void
+ldap_pvt_tls_destroy( void )
+{
+	SSL_CTX_free(tls_def_ctx);
+	EVP_cleanup();
+	ERR_free_strings();
+}
+
 /*
  * Initialize TLS subsystem. Should be called only once.
  */
@@ -143,7 +155,8 @@ ldap_pvt_tls_init_def_ctx( void )
 		}
 		if ( tls_opt_ciphersuite &&
 		     !SSL_CTX_set_cipher_list( tls_def_ctx,
-			tls_opt_ciphersuite ) ) {
+			tls_opt_ciphersuite ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not set cipher list %s.\n",
 			       tls_opt_ciphersuite, 0, 0 );
@@ -156,17 +169,21 @@ ldap_pvt_tls_init_def_ctx( void )
 							     tls_opt_cacertdir )
 			     || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
 			{
-				Debug( LDAP_DEBUG_ANY,
-		 	"TLS: could not load verify locations (file:`%s',dir:`%s').\n",
-				       tls_opt_cacertfile,tls_opt_cacertdir,0);
+				Debug( LDAP_DEBUG_ANY, "TLS: "
+					"could not load verify locations (file:`%s',dir:`%s').\n",
+					tls_opt_cacertfile ? tls_opt_cacertfile : "",
+					tls_opt_cacertdir ? tls_opt_cacertdir : "",
+					0 );
 				tls_report_error();
 				goto error_exit;
 			}
 			calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
 			if ( !calist ) {
-				Debug( LDAP_DEBUG_ANY,
-		 	"TLS: could not load client CA list (file:`%s',dir:`%s').\n",
-				       tls_opt_cacertfile,tls_opt_cacertdir,0);
+				Debug( LDAP_DEBUG_ANY, "TLS: "
+					"could not load client CA list (file:`%s',dir:`%s').\n",
+					tls_opt_cacertfile ? tls_opt_cacertfile : "",
+					tls_opt_cacertdir ? tls_opt_cacertdir : "",
+					0 );
 				tls_report_error();
 				goto error_exit;
 			}
@@ -175,7 +192,8 @@ ldap_pvt_tls_init_def_ctx( void )
 		if ( tls_opt_keyfile &&
 		     !SSL_CTX_use_PrivateKey_file( tls_def_ctx,
 						   tls_opt_keyfile,
-						   SSL_FILETYPE_PEM ) ) {
+						   SSL_FILETYPE_PEM ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not use key file `%s'.\n",
 			       tls_opt_keyfile,0,0);
@@ -185,7 +203,8 @@ ldap_pvt_tls_init_def_ctx( void )
 		if ( tls_opt_certfile &&
 		     !SSL_CTX_use_certificate_file( tls_def_ctx,
 						    tls_opt_certfile,
-						    SSL_FILETYPE_PEM ) ) {
+						    SSL_FILETYPE_PEM ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not use certificate `%s'.\n",
 			       tls_opt_certfile,0,0);
@@ -193,7 +212,8 @@ ldap_pvt_tls_init_def_ctx( void )
 			goto error_exit;
 		}
 		if ( ( tls_opt_certfile || tls_opt_keyfile ) &&
-		     !SSL_CTX_check_private_key( tls_def_ctx ) ) {
+		     !SSL_CTX_check_private_key( tls_def_ctx ) )
+		{
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: private key mismatch.\n",
 			       0,0,0);
@@ -478,7 +498,7 @@ sb_tls_bio_read( BIO *b, char *buf, int len )
 }
 
 static int
-sb_tls_bio_write( BIO *b, char *buf, int len )
+sb_tls_bio_write( BIO *b, const char *buf, int len )
 {
 	struct tls_data		*p;
 	int			ret;
@@ -491,7 +511,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len )
 	if ( p == NULL || p->sbiod == NULL )
 		return 0;
 
-	ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, buf, len );
+	ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
 
 	BIO_clear_retry_flags( b );
 	if ( ret < 0 && errno == EWOULDBLOCK )
@@ -501,7 +521,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len )
 }
 
 static long
-sb_tls_bio_ctrl( BIO *b, int cmd, long num, char *ptr )
+sb_tls_bio_ctrl( BIO *b, int cmd, long num, void *ptr )
 {
 	if ( cmd == BIO_CTRL_FLUSH ) {
 		/* The OpenSSL library needs this */
@@ -517,7 +537,7 @@ sb_tls_bio_gets( BIO *b, char *buf, int len )
 }
 
 static int
-sb_tls_bio_puts( BIO *b, char *str )
+sb_tls_bio_puts( BIO *b, const char *str )
 {
 	return sb_tls_bio_write( b, str, strlen( str ) );
 }
@@ -1055,6 +1075,9 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
  		host = conn->lconn_server->lud_host;
 	}
 
+	/* avoid NULL host */
+	if( host == NULL ) host = "localhost";
+
 	(void) ldap_pvt_tls_init();
 
 	/*
@@ -1069,9 +1092,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 	assert( ssl != NULL );
 
 	/* 
-	 * compare host with name(s) in certificate 
+	 * compare host with name(s) in certificate
 	 */
-
 	ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host );
 	if (ld->ld_errno != LDAP_SUCCESS) {
 		return ld->ld_errno;