X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls.c;h=d6d1465249c8cd1068b008a30d53745f4eea749a;hb=8c30114d847ff034dd9e9382d88e276fa7f82833;hp=41b4c0dd26f4ed5565c0a5513df3f2ea3557cde1;hpb=778b665242451f4a6d8219a748e3cab1f6e06408;p=openldap diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 41b4c0dd26..d6d1465249 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -1,12 +1,13 @@ /* $OpenLDAP$ */ /* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. + * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. * COPYING RESTRICTIONS APPLY, see COPYRIGHT file * * tls.c - Handle tls/ssl using SSLeay or OpenSSL. */ #include "portable.h" +#include "ldap_config.h" #include @@ -17,6 +18,7 @@ #include #include #include +#include #include "ldap-int.h" @@ -31,6 +33,7 @@ #include #include #include +#include #elif defined( HAVE_SSL_H ) #include #endif @@ -40,17 +43,18 @@ static char *tls_opt_certfile = NULL; static char *tls_opt_keyfile = NULL; static char *tls_opt_cacertfile = NULL; static char *tls_opt_cacertdir = NULL; -static int tls_opt_require_cert = 0; +static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND; static char *tls_opt_ciphersuite = NULL; static char *tls_opt_randfile = NULL; #define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \ - (void *)&ldap_pvt_sockbuf_io_tls ) + (void *)&sb_tls_sbio ) static void tls_report_error( void ); static void tls_info_cb( SSL *ssl, int where, int ret ); static int tls_verify_cb( int ok, X509_STORE_CTX *ctx ); +static int tls_verify_ok( int ok, X509_STORE_CTX *ctx ); static RSA * tls_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ); static STACK_OF(X509_NAME) * get_ca_list( char * bundle, char * dir ); @@ -97,6 +101,44 @@ static void tls_init_threads( void ) } #endif /* LDAP_R_COMPILE */ +/* + * Tear down the TLS subsystem. Should only be called once. + */ +void +ldap_pvt_tls_destroy( void ) +{ + SSL_CTX_free(tls_def_ctx); + tls_def_ctx = NULL; + + EVP_cleanup(); + ERR_free_strings(); + + if ( tls_opt_certfile ) { + LDAP_FREE( tls_opt_certfile ); + tls_opt_certfile = NULL; + } + if ( tls_opt_keyfile ) { + LDAP_FREE( tls_opt_keyfile ); + tls_opt_keyfile = NULL; + } + if ( tls_opt_cacertfile ) { + LDAP_FREE( tls_opt_cacertfile ); + tls_opt_cacertfile = NULL; + } + if ( tls_opt_cacertdir ) { + LDAP_FREE( tls_opt_cacertdir ); + tls_opt_cacertdir = NULL; + } + if ( tls_opt_ciphersuite ) { + LDAP_FREE( tls_opt_ciphersuite ); + tls_opt_ciphersuite = NULL; + } + if ( tls_opt_randfile ) { + LDAP_FREE( tls_opt_randfile ); + tls_opt_randfile = NULL; + } +} + /* * Initialize TLS subsystem. Should be called only once. */ @@ -134,79 +176,146 @@ ldap_pvt_tls_init_def_ctx( void ) ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex ); #endif if ( tls_def_ctx == NULL ) { + int i; tls_def_ctx = SSL_CTX_new( SSLv23_method() ); if ( tls_def_ctx == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: " + "TLS could not allocate default ctx (%d).\n", + ERR_peek_error(), 0, 0 ); +#else Debug( LDAP_DEBUG_ANY, - "TLS: could not allocate default ctx.\n",0,0,0); + "TLS: could not allocate default ctx (%lu).\n", + ERR_peek_error(),0,0); +#endif goto error_exit; } + if ( tls_opt_ciphersuite && - !SSL_CTX_set_cipher_list( tls_def_ctx, - tls_opt_ciphersuite ) ) { + !SSL_CTX_set_cipher_list( tls_def_ctx, tls_opt_ciphersuite ) ) + { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: " + "TLS could not set cipher list %s.\n", + tls_opt_ciphersuite, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY, - "TLS: could not set cipher list %s.\n", - tls_opt_ciphersuite, 0, 0 ); + "TLS: could not set cipher list %s.\n", + tls_opt_ciphersuite, 0, 0 ); +#endif tls_report_error(); goto error_exit; } + if (tls_opt_cacertfile != NULL || tls_opt_cacertdir != NULL) { if ( !SSL_CTX_load_verify_locations( tls_def_ctx, - tls_opt_cacertfile, - tls_opt_cacertdir ) - || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) ) + tls_opt_cacertfile, tls_opt_cacertdir ) || + !SSL_CTX_set_default_verify_paths( tls_def_ctx ) ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not load verify locations (file:`%s',dir:`%s').\n", - tls_opt_cacertfile,tls_opt_cacertdir,0); +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "ldap_pvt_tls_init_def_ctx: " + "TLS could not load verify locations " + "(file:`%s',dir:`%s').\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", 0 ); +#else + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not load verify locations (file:`%s',dir:`%s').\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", + 0 ); +#endif tls_report_error(); goto error_exit; } + calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir ); if ( !calist ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not load client CA list (file:`%s',dir:`%s').\n", - tls_opt_cacertfile,tls_opt_cacertdir,0); +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: " + "TLS could not load client CA list (file: `%s',dir:`%s')\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", 0 ); +#else + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not load client CA list (file:`%s',dir:`%s').\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", + 0 ); +#endif tls_report_error(); goto error_exit; } + SSL_CTX_set_client_CA_list( tls_def_ctx, calist ); } + if ( tls_opt_keyfile && - !SSL_CTX_use_PrivateKey_file( tls_def_ctx, - tls_opt_keyfile, - SSL_FILETYPE_PEM ) ) { + !SSL_CTX_use_PrivateKey_file( tls_def_ctx, + tls_opt_keyfile, SSL_FILETYPE_PEM ) ) + { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: " + "TLS could not use key file `%s'.\n", tls_opt_keyfile, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY, - "TLS: could not use key file `%s'.\n", - tls_opt_keyfile,0,0); + "TLS: could not use key file `%s'.\n", + tls_opt_keyfile,0,0); +#endif tls_report_error(); goto error_exit; } + if ( tls_opt_certfile && - !SSL_CTX_use_certificate_file( tls_def_ctx, - tls_opt_certfile, - SSL_FILETYPE_PEM ) ) { + !SSL_CTX_use_certificate_file( tls_def_ctx, + tls_opt_certfile, SSL_FILETYPE_PEM ) ) + { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: " + "TLS could not use certificate `%s'.\n", + tls_opt_certfile, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY, - "TLS: could not use certificate `%s'.\n", - tls_opt_certfile,0,0); + "TLS: could not use certificate `%s'.\n", + tls_opt_certfile,0,0); +#endif tls_report_error(); goto error_exit; } + if ( ( tls_opt_certfile || tls_opt_keyfile ) && - !SSL_CTX_check_private_key( tls_def_ctx ) ) { + !SSL_CTX_check_private_key( tls_def_ctx ) ) + { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "ldap_pvt_tls_init_def_ctx: TLS private key mismatch.\n", + 0, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY, - "TLS: private key mismatch.\n", - 0,0,0); + "TLS: private key mismatch.\n", + 0,0,0); +#endif tls_report_error(); goto error_exit; } + if ( tls_opt_trace ) { SSL_CTX_set_info_callback( tls_def_ctx, tls_info_cb ); } - SSL_CTX_set_verify( tls_def_ctx, - tls_opt_require_cert ? - (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) : - SSL_VERIFY_NONE, - tls_verify_cb ); + + i = SSL_VERIFY_NONE; + if ( tls_opt_require_cert ) { + i = SSL_VERIFY_PEER; + if ( tls_opt_require_cert == LDAP_OPT_X_TLS_DEMAND || + tls_opt_require_cert == LDAP_OPT_X_TLS_HARD ) { + i |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + } + } + + SSL_CTX_set_verify( tls_def_ctx, i, + tls_opt_require_cert == LDAP_OPT_X_TLS_ALLOW ? + tls_verify_ok : tls_verify_cb ); SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb ); /* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */ } @@ -214,6 +323,7 @@ ldap_pvt_tls_init_def_ctx( void ) ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex ); #endif return 0; + error_exit: if ( tls_def_ctx != NULL ) { SSL_CTX_free( tls_def_ctx ); @@ -233,10 +343,45 @@ get_ca_list( char * bundle, char * dir ) if ( bundle ) { ca_list = SSL_load_client_CA_file( bundle ); } - /* - * FIXME: We have now to go over all files in dir, load them - * and add every certificate there to ca_list. - */ +#if defined(HAVE_DIRENT_H) || defined(dirent) + if ( dir ) { + DIR *dirp; + struct dirent *d; + char buf[MAXPATHLEN]; + int l = strlen(dir), freeit = 0; + + if (l > sizeof(buf)) + goto done; + + dirp = opendir( dir ); + + if ( !ca_list ) { + ca_list = sk_X509_NAME_new_null(); + freeit = 1; + } + + strcpy(buf, dir); + + while ( dirp ) { + if ( ( d = readdir( dirp )) == NULL) { + closedir( dirp ); + break; + } + if (l + sizeof(LDAP_DIRSEP) + NAMLEN(d) > sizeof(buf)) + continue; + + sprintf( buf+l, LDAP_DIRSEP "%s", d->d_name ); + if ( SSL_add_file_cert_subjects_to_stack(ca_list, buf)) { + freeit = 0; + } + } + if ( freeit ) { + sk_X509_NAME_free( ca_list ); + ca_list = NULL; + } + } +#endif +done: return ca_list; } @@ -249,20 +394,20 @@ alloc_handle( void *ctx_arg ) if ( ctx_arg ) { ctx = (SSL_CTX *) ctx_arg; } else { - if ( ldap_pvt_tls_init_def_ctx() < 0 ) - return NULL; + if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL; ctx = tls_def_ctx; } ssl = SSL_new( ctx ); if ( ssl == NULL ) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "alloc_handle: TLS can't create ssl handle.\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0); +#endif return NULL; } - - if ( tls_opt_trace ) { - SSL_set_info_callback( ssl, tls_info_cb ); - } return ssl; } @@ -273,17 +418,17 @@ update_flags( Sockbuf *sb, SSL * ssl, int rc ) sb->sb_trans_needs_read = 0; sb->sb_trans_needs_write = 0; - if (err == SSL_ERROR_WANT_READ) - { - sb->sb_trans_needs_read = 1; - return 1; - } else if (err == SSL_ERROR_WANT_WRITE) - { - sb->sb_trans_needs_write = 1; - return 1; - } else if (err == SSL_ERROR_WANT_CONNECT) - { - return 1; + + if (err == SSL_ERROR_WANT_READ) { + sb->sb_trans_needs_read = 1; + return 1; + + } else if (err == SSL_ERROR_WANT_WRITE) { + sb->sb_trans_needs_write = 1; + return 1; + + } else if (err == SSL_ERROR_WANT_CONNECT) { + return 1; } return 0; } @@ -297,7 +442,7 @@ struct tls_data { Sockbuf_IO_Desc *sbiod; }; -extern BIO_METHOD ldap_pvt_sb_bio_method; +static BIO_METHOD sb_tls_bio_method; static int sb_tls_setup( Sockbuf_IO_Desc *sbiod, void *arg ) @@ -308,12 +453,13 @@ sb_tls_setup( Sockbuf_IO_Desc *sbiod, void *arg ) assert( sbiod != NULL ); p = LBER_MALLOC( sizeof( *p ) ); - if ( p == NULL ) + if ( p == NULL ) { return -1; + } p->ssl = (SSL *)arg; p->sbiod = sbiod; - bio = BIO_new( &ldap_pvt_sb_bio_method ); + bio = BIO_new( &sb_tls_bio_method ); bio->ptr = (void *)p; SSL_set_bio( p->ssl, bio, bio ); sbiod->sbiod_pvt = p; @@ -361,6 +507,11 @@ sb_tls_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg ) if ( opt == LBER_SB_OPT_GET_SSL ) { *((SSL **)arg) = p->ssl; return 1; + + } else if ( opt == LBER_SB_OPT_DATA_READY ) { + if( SSL_pending( p->ssl ) > 0 ) { + return 1; + } } return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg ); @@ -385,9 +536,7 @@ sb_tls_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) err = SSL_get_error( p->ssl, ret ); if (err == SSL_ERROR_WANT_READ ) { sbiod->sbiod_sb->sb_trans_needs_read = 1; -#ifdef WIN32 errno = EWOULDBLOCK; -#endif } else sbiod->sbiod_sb->sb_trans_needs_read = 0; @@ -413,16 +562,15 @@ sb_tls_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len) err = SSL_get_error( p->ssl, ret ); if (err == SSL_ERROR_WANT_WRITE ) { sbiod->sbiod_sb->sb_trans_needs_write = 1; -#ifdef WIN32 errno = EWOULDBLOCK; -#endif - } - else + + } else { sbiod->sbiod_sb->sb_trans_needs_write = 0; + } return ret; } -Sockbuf_IO ldap_pvt_sockbuf_io_tls = +static Sockbuf_IO sb_tls_sbio = { sb_tls_setup, /* sbi_setup */ sb_tls_remove, /* sbi_remove */ @@ -444,8 +592,7 @@ sb_tls_bio_create( BIO *b ) { static int sb_tls_bio_destroy( BIO *b ) { - if ( b == NULL ) - return 0; + if ( b == NULL ) return 0; b->ptr = NULL; /* sb_tls_remove() will free it */ b->init = 0; @@ -459,48 +606,50 @@ sb_tls_bio_read( BIO *b, char *buf, int len ) struct tls_data *p; int ret; - if ( buf == NULL || len <= 0 ) - return 0; + if ( buf == NULL || len <= 0 ) return 0; p = (struct tls_data *)b->ptr; - if ( p == NULL || p->sbiod == NULL ) + if ( p == NULL || p->sbiod == NULL ) { return 0; + } ret = LBER_SBIOD_READ_NEXT( p->sbiod, buf, len ); BIO_clear_retry_flags( b ); - if ( ret < 0 && errno == EWOULDBLOCK ) + if ( ret < 0 && errno == EWOULDBLOCK ) { BIO_set_retry_read( b ); + } return ret; } static int -sb_tls_bio_write( BIO *b, char *buf, int len ) +sb_tls_bio_write( BIO *b, const char *buf, int len ) { struct tls_data *p; int ret; - if ( buf == NULL || len <= 0 ) - return 0; + if ( buf == NULL || len <= 0 ) return 0; p = (struct tls_data *)b->ptr; - if ( p == NULL || p->sbiod == NULL ) + if ( p == NULL || p->sbiod == NULL ) { return 0; + } - ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, buf, len ); + ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len ); BIO_clear_retry_flags( b ); - if ( ret < 0 && errno == EWOULDBLOCK ) + if ( ret < 0 && errno == EWOULDBLOCK ) { BIO_set_retry_write( b ); + } return ret; } static long -sb_tls_bio_ctrl( BIO *b, int cmd, long num, char *ptr ) +sb_tls_bio_ctrl( BIO *b, int cmd, long num, void *ptr ) { if ( cmd == BIO_CTRL_FLUSH ) { /* The OpenSSL library needs this */ @@ -516,12 +665,12 @@ sb_tls_bio_gets( BIO *b, char *buf, int len ) } static int -sb_tls_bio_puts( BIO *b, char *str ) +sb_tls_bio_puts( BIO *b, const char *str ) { return sb_tls_bio_write( b, str, strlen( str ) ); } -BIO_METHOD ldap_pvt_sb_bio_method = +static BIO_METHOD sb_tls_bio_method = { ( 100 | 0x400 ), /* it's a source/sink BIO */ "sockbuf glue", @@ -547,24 +696,34 @@ BIO_METHOD ldap_pvt_sb_bio_method = * and call again. */ -int -ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) +static int +ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) { + Sockbuf *sb = conn->lconn_sb; int err; SSL *ssl; if ( HAS_TLS( sb ) ) { ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); + } else { - ssl = alloc_handle( ctx_arg ); - if ( ssl == NULL ) - return -1; + void *ctx = ld->ld_defconn + ? ld->ld_defconn->lconn_tls_ctx : NULL; + + ssl = alloc_handle( ctx ); + + if ( ssl == NULL ) return -1; + #ifdef LDAP_DEBUG ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug, LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" ); #endif - ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls, + ber_sockbuf_add_io( sb, &sb_tls_sbio, LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl ); + + if( ctx == NULL ) { + conn->lconn_tls_ctx = tls_def_ctx; + } } err = SSL_connect( ssl ); @@ -572,15 +731,25 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) #ifdef HAVE_WINSOCK errno = WSAGetLastError(); #endif + if ( err <= 0 ) { - if ( update_flags( sb, ssl, err )) + if ( update_flags( sb, ssl, err )) { return 1; + } + if ((err = ERR_peek_error())) { char buf[256]; ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf)); } + +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "ldap_int_tls_connect: TLS can't connect.\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY,"TLS: can't connect.\n",0,0,0); - ber_sockbuf_remove_io( sb, &ldap_pvt_sockbuf_io_tls, +#endif + + ber_sockbuf_remove_io( sb, &sb_tls_sbio, LBER_SBIOD_LEVEL_TRANSPORT ); #ifdef LDAP_DEBUG ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug, @@ -588,6 +757,7 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) #endif return -1; } + return 0; } @@ -603,15 +773,16 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg ) if ( HAS_TLS( sb ) ) { ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); + } else { ssl = alloc_handle( ctx_arg ); - if ( ssl == NULL ) - return -1; + if ( ssl == NULL ) return -1; + #ifdef LDAP_DEBUG ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug, LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" ); #endif - ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls, + ber_sockbuf_add_io( sb, &sb_tls_sbio, LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl ); } @@ -621,11 +792,17 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg ) errno = WSAGetLastError(); #endif if ( err <= 0 ) { - if ( update_flags( sb, ssl, err )) - return 1; + if ( update_flags( sb, ssl, err )) return 1; + +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "ldap_pvt_tls_accept: TLS can't accept.\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY,"TLS: can't accept.\n",0,0,0 ); +#endif + tls_report_error(); - ber_sockbuf_remove_io( sb, &ldap_pvt_sockbuf_io_tls, + ber_sockbuf_remove_io( sb, &sb_tls_sbio, LBER_SBIOD_LEVEL_TRANSPORT ); #ifdef LDAP_DEBUG ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug, @@ -640,13 +817,11 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg ) int ldap_pvt_tls_inplace ( Sockbuf *sb ) { - if ( HAS_TLS( sb ) ) - return(1); - return(0); + return HAS_TLS( sb ) ? 1 : 0; } void * -ldap_pvt_tls_sb_handle( Sockbuf *sb ) +ldap_pvt_tls_sb_ctx( Sockbuf *sb ) { void *p; @@ -658,64 +833,238 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb ) return NULL; } -void * -ldap_pvt_tls_get_handle( LDAP *ld ) +int +ldap_pvt_tls_get_strength( void *s ) { - return ldap_pvt_tls_sb_handle( ld->ld_sb ); + SSL_CIPHER *c; + + c = SSL_get_current_cipher((SSL *)s); + return SSL_CIPHER_get_bits(c, NULL); } + int -ldap_pvt_tls_get_strength( void *s ) +ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func, unsigned flags ) { - SSL_CIPHER *c; + X509 *x; + X509_NAME *xn; + int rc; - c = SSL_get_current_cipher((SSL *)s); - return SSL_CIPHER_get_bits(c, NULL); + x = SSL_get_certificate((SSL *)s); + + if (!x) return LDAP_INVALID_CREDENTIALS; + + xn = X509_get_subject_name(x); + rc = ldap_X509dn2bv(xn, dn, (LDAPDN_rewrite_func *)func, flags ); + X509_free(x); + return rc; } +static X509 * +tls_get_cert( SSL *s ) +{ + /* If peer cert was bad, treat as if no cert was given */ + if (SSL_get_verify_result(s)) { + /* If we can send an alert, do so */ + if (SSL_version(s) != SSL2_VERSION) { + ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE); + } + return NULL; + } + return SSL_get_peer_certificate(s); +} -const char * -ldap_pvt_tls_get_peer( void *s ) +int +ldap_pvt_tls_get_peer_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func, unsigned flags ) +{ + X509 *x; + X509_NAME *xn; + int rc; + + x = tls_get_cert((SSL *)s); + + if (!x) return LDAP_INVALID_CREDENTIALS; + + xn = X509_get_subject_name(x); + rc = ldap_X509dn2bv(xn, dn, (LDAPDN_rewrite_func *)func, flags); + X509_free(x); + return rc; +} + +char * +ldap_pvt_tls_get_peer_hostname( void *s ) +{ + X509 *x; + X509_NAME *xn; + char buf[2048], *p; + int ret; + + x = tls_get_cert((SSL *)s); + if (!x) return NULL; + + xn = X509_get_subject_name(x); + + ret = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf)); + if( ret == -1 ) { + X509_free(x); + return NULL; + } + + p = LDAP_STRDUP(buf); + X509_free(x); + return p; +} + +int +ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in ) { - X509 *x; - X509_NAME *xn; - char buf[2048], *p; - - x = SSL_get_peer_certificate((SSL *)s); - - if (!x) - return NULL; - - xn = X509_get_subject_name(x); - p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf))); - X509_free(x); - return p; + int i, ret = LDAP_LOCAL_ERROR; + X509 *x; + const char *name; + + if( ldap_int_hostname && + ( !name_in || !strcasecmp( name_in, "localhost" ) ) ) + { + name = ldap_int_hostname; + } else { + name = name_in; + } + + x = tls_get_cert((SSL *)s); + if (!x) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "ldap_pvt_tls_check_hostname: " + "TLS unable to get peer certificate.\n" , 0, 0, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "TLS: unable to get peer certificate.\n", + 0, 0, 0 ); +#endif + /* If this was a fatal condition, things would have + * aborted long before now. + */ + return LDAP_SUCCESS; + } + + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) { + X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + + ex = X509_get_ext(x, i); + alt = X509V3_EXT_d2i(ex); + if (alt) { + int n, len1, len2 = 0; + char *domain; + GENERAL_NAME *gn; + + len1 = strlen(name); + n = sk_GENERAL_NAME_num(alt); + domain = strchr(name, '.'); + if (domain) { + len2 = len1 - (domain-name); + } + for (i=0; itype == GEN_DNS) { + char *sn = ASN1_STRING_data(gn->d.ia5); + int sl = ASN1_STRING_length(gn->d.ia5); + + /* Is this an exact match? */ + if ((len1 == sl) && !strncasecmp(name, sn, len1)) { + break; + } + + /* Is this a wildcard match? */ + if ((*sn == '*') && domain && (len2 == sl-1) && + !strncasecmp(domain, sn+1, len2)) + { + break; + } + +#if 0 + /* Is this a RFC 2549 style wildcard match? */ + if ((*sn == '.') && domain && (len2 == sl) && + !strncasecmp(domain, sn, len2)) + { + break; + } +#endif + } + } + + GENERAL_NAMES_free(alt); + if (i < n) { /* Found a match */ + ret = LDAP_SUCCESS; + } + } + } + + if (ret != LDAP_SUCCESS) { + X509_NAME *xn; + char buf[2048]; + + xn = X509_get_subject_name(x); + + if( X509_NAME_get_text_by_NID( xn, NID_commonName, + buf, sizeof(buf)) == -1) + { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_check_hostname: " + "TLS unable to get common name from peer certificate.\n", + 0, 0, 0 ); +#else + Debug( LDAP_DEBUG_ANY, + "TLS: unable to get common name from peer certificate.\n", + 0, 0, 0 ); +#endif + ld->ld_error = LDAP_STRDUP("TLS: unable to get CN from peer certificate"); + + } else if (strcasecmp(name, buf)) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_check_hostname: " + "TLS hostname (%s) does not match " + "common name in certificate (%s).\n", name, buf, 0 ); +#else + Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " + "common name in certificate (%s).\n", + name, buf, 0 ); +#endif + ret = LDAP_CONNECT_ERROR; + ld->ld_error = LDAP_STRDUP("TLS: hostname does not match CN in peer certificate"); + + } else { + ret = LDAP_SUCCESS; + } + } + X509_free(x); + return ret; } const char * ldap_pvt_tls_get_peer_issuer( void *s ) { -#if 0 /* currently unused; see ldap_pvt_tls_get_peer() if needed */ - X509 *x; - X509_NAME *xn; - char buf[2048], *p; - - x = SSL_get_peer_certificate((SSL *)s); - - if (!x) - return NULL; - - xn = X509_get_issuer_name(x); - p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf))); - X509_free(x); - return p; +#if 0 /* currently unused; see ldap_pvt_tls_get_peer_dn() if needed */ + X509 *x; + X509_NAME *xn; + char buf[2048], *p; + + x = SSL_get_peer_certificate((SSL *)s); + + if (!x) return NULL; + + xn = X509_get_issuer_name(x); + p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf))); + X509_free(x); + return p; #else - return NULL; + return NULL; #endif } int -ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg ) +ldap_int_tls_config( LDAP *ld, int option, const char *arg ) { int i; @@ -725,26 +1074,34 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg ) case LDAP_OPT_X_TLS_CERTFILE: case LDAP_OPT_X_TLS_KEYFILE: case LDAP_OPT_X_TLS_RANDOM_FILE: - return ldap_pvt_tls_set_option( NULL, option, (void *) arg ); + return ldap_pvt_tls_set_option( ld, option, (void *) arg ); + case LDAP_OPT_X_TLS_REQUIRE_CERT: - i = ( ( strcasecmp( arg, "on" ) == 0 ) || - ( strcasecmp( arg, "yes" ) == 0) || - ( strcasecmp( arg, "true" ) == 0 ) ); - return ldap_pvt_tls_set_option( NULL, option, (void *) &i ); case LDAP_OPT_X_TLS: i = -1; - if ( strcasecmp( arg, "never" ) == 0 ) + if ( strcasecmp( arg, "never" ) == 0 ) { i = LDAP_OPT_X_TLS_NEVER ; - if ( strcasecmp( arg, "demand" ) == 0 ) + + } else if ( strcasecmp( arg, "demand" ) == 0 ) { i = LDAP_OPT_X_TLS_DEMAND ; - if ( strcasecmp( arg, "allow" ) == 0 ) + + } else if ( strcasecmp( arg, "allow" ) == 0 ) { i = LDAP_OPT_X_TLS_ALLOW ; - if ( strcasecmp( arg, "try" ) == 0 ) + + } else if ( strcasecmp( arg, "try" ) == 0 ) { i = LDAP_OPT_X_TLS_TRY ; - if ( strcasecmp( arg, "hard" ) == 0 ) + + } else if ( ( strcasecmp( arg, "hard" ) == 0 ) || + ( strcasecmp( arg, "on" ) == 0 ) || + ( strcasecmp( arg, "yes" ) == 0) || + ( strcasecmp( arg, "true" ) == 0 ) ) + { i = LDAP_OPT_X_TLS_HARD ; - if (i >= 0) - return ldap_pvt_tls_set_option( lo, option, &i ); + } + + if (i >= 0) { + return ldap_pvt_tls_set_option( ld, option, &i ); + } return -1; } @@ -752,17 +1109,37 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg ) } int -ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) +ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) { + struct ldapoptions *lo; + + if( ld != NULL ) { + assert( LDAP_VALID( ld ) ); + + if( !LDAP_VALID( ld ) ) { + return LDAP_OPT_ERROR; + } + + lo = &ld->ld_options; + + } else { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if ( lo == NULL ) { + return LDAP_NO_MEMORY; + } + } + switch( option ) { case LDAP_OPT_X_TLS: *(int *)arg = lo->ldo_tls_mode; break; - case LDAP_OPT_X_TLS_CERT: - if ( lo == NULL ) + case LDAP_OPT_X_TLS_CTX: + if ( ld == NULL ) { *(void **)arg = (void *) tls_def_ctx; - else - *(void **)arg = lo->ldo_tls_ctx; + } else { + *(void **)arg = ld->ld_defconn->lconn_tls_ctx; + } break; case LDAP_OPT_X_TLS_CACERTFILE: *(char **)arg = tls_opt_cacertfile ? @@ -784,8 +1161,21 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) *(int *)arg = tls_opt_require_cert; break; case LDAP_OPT_X_TLS_RANDOM_FILE: - *(char **)arg = tls_opt_randfile; + *(char **)arg = tls_opt_randfile ? + LDAP_STRDUP( tls_opt_randfile ) : NULL; + break; + case LDAP_OPT_X_TLS_SSL_CTX: { + void *retval = 0; + if ( ld != NULL ) { + LDAPConn *conn = ld->ld_defconn; + if ( conn != NULL ) { + Sockbuf *sb = conn->lconn_sb; + retval = ldap_pvt_tls_sb_ctx( sb ); + } + } + *(void **)arg = retval; break; + } default: return -1; } @@ -793,8 +1183,27 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) } int -ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) +ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) { + struct ldapoptions *lo; + + if( ld != NULL ) { + assert( LDAP_VALID( ld ) ); + + if( !LDAP_VALID( ld ) ) { + return LDAP_OPT_ERROR; + } + + lo = &ld->ld_options; + + } else { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if ( lo == NULL ) { + return LDAP_NO_MEMORY; + } + } + switch( option ) { case LDAP_OPT_X_TLS: switch( *(int *) arg ) { @@ -811,17 +1220,17 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) } return -1; - case LDAP_OPT_X_TLS_CERT: - if ( lo == NULL ) { + case LDAP_OPT_X_TLS_CTX: + if ( ld == NULL ) { tls_def_ctx = (SSL_CTX *) arg; } else { - lo->ldo_tls_ctx = arg; + ld->ld_defconn->lconn_tls_ctx = arg; } return 0; } - if ( lo != NULL ) { + if ( ld != NULL ) { return -1; } @@ -843,8 +1252,16 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) tls_opt_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; case LDAP_OPT_X_TLS_REQUIRE_CERT: - tls_opt_require_cert = * (int *) arg; - break; + switch( *(int *) arg ) { + case LDAP_OPT_X_TLS_NEVER: + case LDAP_OPT_X_TLS_DEMAND: + case LDAP_OPT_X_TLS_ALLOW: + case LDAP_OPT_X_TLS_TRY: + case LDAP_OPT_X_TLS_HARD: + tls_opt_require_cert = * (int *) arg; + return 0; + } + return -1; case LDAP_OPT_X_TLS_CIPHER_SUITE: if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite ); tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL; @@ -860,20 +1277,59 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) } int -ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) +ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { + Sockbuf *sb = conn->lconn_sb; + char *host; + void *ssl; + + if( srv ) { + host = srv->lud_host; + } else { + host = conn->lconn_server->lud_host; + } + + /* avoid NULL host */ + if( host == NULL ) { + host = "localhost"; + } + (void) ldap_pvt_tls_init(); /* * Fortunately, the lib uses blocking io... */ - if ( ldap_pvt_tls_connect( ld, sb, ctx_arg ) < 0 ) { - return LDAP_CONNECT_ERROR; + if ( ldap_int_tls_connect( ld, conn ) < 0 ) { + ld->ld_errno = LDAP_CONNECT_ERROR; + return (ld->ld_errno); } - /* FIXME: hostname of server must be compared with name in - * certificate.... + ssl = ldap_pvt_tls_sb_ctx( sb ); + assert( ssl != NULL ); + + /* + * compare host with name(s) in certificate */ + ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); + if (ld->ld_errno != LDAP_SUCCESS) { + return ld->ld_errno; + } + + /* + * set SASL properties to TLS ssf and authid + */ + { + struct berval authid = { 0, NULL }; + ber_len_t ssf; + + /* we need to let SASL know */ + ssf = ldap_pvt_tls_get_strength( ssl ); + /* failure is OK, we just can't use SASL EXTERNAL */ + (void) ldap_pvt_tls_get_my_dn( ssl, &authid, NULL, 0 ); + + (void) ldap_int_sasl_external( ld, conn, authid.bv_val, ssf ); + LDAP_FREE( authid.bv_val ); + } return LDAP_SUCCESS; } @@ -894,26 +1350,52 @@ tls_info_cb( SSL *ssl, int where, int ret ) op = "undefined"; } - if ( where & SSL_CB_LOOP ) { + if ( where & SSL_CB_LOOP ) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, DETAIL1, "tls_info_cb: " + "TLS trace: %s:%s\n", op, SSL_state_string_long( ssl ), 0 ); +#else Debug( LDAP_DEBUG_TRACE, - "TLS trace: %s:%s\n", - op, SSL_state_string_long( ssl ), 0 ); + "TLS trace: %s:%s\n", + op, SSL_state_string_long( ssl ), 0 ); +#endif + } else if ( where & SSL_CB_ALERT ) { - op = ( where & SSL_CB_READ ) ? "read" : "write"; + op = ( where & SSL_CB_READ ) ? "read" : "write"; +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, DETAIL1, + "tls_info_cb: TLS trace: SSL3 alert %s:%s:%s\n", + op, SSL_alert_type_string_long( ret ), + SSL_alert_desc_string_long( ret) ); +#else Debug( LDAP_DEBUG_TRACE, - "TLS trace: SSL3 alert %s:%s:%s\n", - op, - SSL_alert_type_string_long( ret ), - SSL_alert_desc_string_long( ret) ); + "TLS trace: SSL3 alert %s:%s:%s\n", + op, + SSL_alert_type_string_long( ret ), + SSL_alert_desc_string_long( ret) ); +#endif + } else if ( where & SSL_CB_EXIT ) { - if ( ret == 0 ) { + if ( ret == 0 ) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "tls_info_cb: TLS trace: %s:failed in %s\n", + op, SSL_state_string_long( ssl ), 0 ); +#else Debug( LDAP_DEBUG_TRACE, - "TLS trace: %s:failed in %s\n", - op, SSL_state_string_long( ssl ), 0 ); - } else if ( ret < 0 ) { + "TLS trace: %s:failed in %s\n", + op, SSL_state_string_long( ssl ), 0 ); +#endif + } else if ( ret < 0 ) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "tls_info_cb: TLS trace: %s:error in %s\n", + op, SSL_state_string_long( ssl ), 0 ); +#else Debug( LDAP_DEBUG_TRACE, - "TLS trace: %s:error in %s\n", - op, SSL_state_string_long( ssl ), 0 ); + "TLS trace: %s:error in %s\n", + op, SSL_state_string_long( ssl ), 0 ); +#endif } } } @@ -942,11 +1424,29 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx ) /* X509_NAME_oneline, if passed a NULL buf, allocate memomry */ sname = X509_NAME_oneline( subject, NULL, 0 ); iname = X509_NAME_oneline( issuer, NULL, 0 ); +#ifdef NEW_LOGGING + LDAP_LOG( TRANSPORT, ERR, + "TLS certificate verification: depth: %d, err: %d, subject: %s,", + errdepth, errnum, + sname ? sname : "-unknown-" ); + LDAP_LOG( TRANSPORT, ERR, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 ); + if ( !ok ) { + LDAP_LOG ( TRANSPORT, ERR, + "TLS certificate verification: Error, %s\n", + X509_verify_cert_error_string(errnum), 0, 0 ); + } +#else Debug( LDAP_DEBUG_TRACE, - "TLS certificate verification: depth: %d, subject: %s, issuer: %s\n", - errdepth, - sname ? sname : "-unknown-", - iname ? iname : "-unknown-" ); + "TLS certificate verification: depth: %d, err: %d, subject: %s,", + errdepth, errnum, + sname ? sname : "-unknown-" ); + Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 ); + if ( !ok ) { + Debug( LDAP_DEBUG_ANY, + "TLS certificate verification: Error, %s\n", + X509_verify_cert_error_string(errnum), 0, 0 ); + } +#endif if ( sname ) CRYPTO_free ( sname ); if ( iname ) @@ -955,19 +1455,32 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx ) return ok; } +static int +tls_verify_ok( int ok, X509_STORE_CTX *ctx ) +{ + (void) tls_verify_cb( ok, ctx ); + return 1; +} + /* Inspired by ERR_print_errors in OpenSSL */ static void tls_report_error( void ) { - unsigned long l; - char buf[200]; - const char *file; - int line; - - while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) { - Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n", - ERR_error_string( l, buf ), file, line ); - } + unsigned long l; + char buf[200]; + const char *file; + int line; + + while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "tls_report_error: TLS %s %s:%d\n", + ERR_error_string( l, buf ), file, line ); +#else + Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n", + ERR_error_string( l, buf ), file, line ); +#endif + } } static RSA * @@ -980,9 +1493,15 @@ tls_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ) tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL ); if ( !tmp_rsa ) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, ERR, + "tls_tmp_rsa_cb: TLS Failed to generate temporary %d-bit %s " + "RSA key\n", key_length, is_export ? "export" : "domestic", 0 ); +#else Debug( LDAP_DEBUG_ANY, "TLS: Failed to generate temporary %d-bit %s RSA key\n", key_length, is_export ? "export" : "domestic", 0 ); +#endif return NULL; } return tmp_rsa; @@ -993,12 +1512,13 @@ tls_seed_PRNG( const char *randfile ) { #ifndef URANDOM_DEVICE /* no /dev/urandom (or equiv) */ + long total=0; char buffer[MAXPATHLEN]; if (randfile == NULL) { /* The seed file is $RANDFILE if defined, otherwise $HOME/.rnd. * If $HOME is not set or buffer too small to hold the pathname, - * an error occurs. - From RAND_file_name() man page. + * an error occurs. - From RAND_file_name() man page. * The fact is that when $HOME is NULL, .rnd is used. */ randfile = RAND_file_name( buffer, sizeof( buffer ) ); @@ -1009,20 +1529,38 @@ tls_seed_PRNG( const char *randfile ) } if (randfile == NULL) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, DETAIL1, + "tls_seed_PRNG: TLS Use configuration file or " + "$RANDFILE to define seed PRNG\n", 0, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY, - "TLS: Use configuration file or $RANDFILE to define seed PRNG", + "TLS: Use configuration file or $RANDFILE to define seed PRNG\n", 0, 0, 0); +#endif return -1; } - RAND_load_file(randfile, -1); + total = RAND_load_file(randfile, -1); if (RAND_status() == 0) { +#ifdef NEW_LOGGING + LDAP_LOG ( TRANSPORT, DETAIL1, + "tls_seed_PRNG: TLS PRNG not been seeded with enough data\n", + 0, 0, 0 ); +#else Debug( LDAP_DEBUG_ANY, - "TLS: PRNG not been seeded with enough data", + "TLS: PRNG not been seeded with enough data\n", 0, 0, 0); +#endif return -1; } + + /* assume if there was enough bits to seed that it's okay + * to write derived bits to the file + */ + RAND_write_file(randfile); + #endif return 0; @@ -1042,14 +1580,15 @@ ldap_start_tls_s ( LDAP *ld, LDAPControl **serverctrls, LDAPControl **clientctrls ) { -#ifdef HAVE_TLS int rc; + +#ifdef HAVE_TLS char *rspoid = NULL; struct berval *rspdata = NULL; - /* XXYYZ: this initiates operaton only on default connection! */ + /* XXYYZ: this initiates operation only on default connection! */ - if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) { + if ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) { return LDAP_LOCAL_ERROR; } @@ -1067,10 +1606,10 @@ ldap_start_tls_s ( LDAP *ld, ber_bvfree( rspdata ); } - rc = ldap_pvt_tls_start( ld, ld->ld_sb, ld->ld_options.ldo_tls_ctx ); - return rc; + rc = ldap_int_tls_start( ld, ld->ld_defconn, NULL ); #else - return LDAP_NOT_SUPPORTED; + rc = LDAP_NOT_SUPPORTED; #endif + return rc; }