X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls_o.c;h=338e5279696f2504500f939c6be102c44a8e02e8;hb=52a0b4f83c34de4966870af62db829c913993fdf;hp=5b5bfb94a9c16921a05ad14587cabeadaac93633;hpb=d4f2a06887a2c5ae8588f3b9847c757c96cc14a6;p=openldap
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 5b5bfb94a9..338e527969 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
- * Copyright 2008-2009 The OpenLDAP Foundation.
+ * Copyright 2008-2012 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -37,10 +37,6 @@
#include "ldap-int.h"
#include "ldap-tls.h"
-#ifdef LDAP_R_COMPILE
-#include
-#endif
-
#ifdef HAVE_OPENSSL_SSL_H
#include
#include
@@ -398,11 +394,22 @@ tlso_session_upflags( Sockbuf *sb, tls_session *sess, int rc )
}
static char *
-tlso_session_errmsg( int rc, char *buf, size_t len )
+tlso_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
{
+ char err[256] = "";
+ const char *certerr=NULL;
+ tlso_session *s = (tlso_session *)sess;
+
rc = ERR_peek_error();
if ( rc ) {
- ERR_error_string_n( rc, buf, len );
+ ERR_error_string_n( rc, err, sizeof(err) );
+ if ( ( ERR_GET_LIB(rc) == ERR_LIB_SSL ) &&
+ ( ERR_GET_REASON(rc) == SSL_R_CERTIFICATE_VERIFY_FAILED ) ) {
+ int certrc = SSL_get_verify_result(s);
+ certerr = (char *)X509_verify_cert_error_string(certrc);
+ }
+ snprintf(buf, len, "%s%s%s%s", err, certerr ? " (" :"",
+ certerr ? certerr : "", certerr ? ")" : "" );
return buf;
}
return NULL;
@@ -494,12 +501,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
}
#ifdef LDAP_PF_INET6
- if (name[0] == '[' && strchr(name, ']')) {
- char *n2 = ldap_strdup(name+1);
- *strchr(n2, ']') = 0;
- if (inet_pton(AF_INET6, n2, &addr))
- ntype = IS_IP6;
- LDAP_FREE(n2);
+ if (inet_pton(AF_INET6, name, &addr)) {
+ ntype = IS_IP6;
} else
#endif
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
@@ -579,15 +582,28 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
if (ret != LDAP_SUCCESS) {
X509_NAME *xn;
- char buf[2048];
- int clen;
- buf[0] = '\0';
+ X509_NAME_ENTRY *ne;
+ ASN1_OBJECT *obj;
+ ASN1_STRING *cn = NULL;
+ int navas;
+
+ /* find the last CN */
+ obj = OBJ_nid2obj( NID_commonName );
+ if ( !obj ) goto no_cn; /* should never happen */
xn = X509_get_subject_name(x);
- clen = X509_NAME_get_text_by_NID( xn, NID_commonName,
- buf, sizeof(buf));
- if( clen == -1 )
+ navas = X509_NAME_entry_count( xn );
+ for ( i=navas-1; i>=0; i-- ) {
+ ne = X509_NAME_get_entry( xn, i );
+ if ( !OBJ_cmp( ne->object, obj )) {
+ cn = X509_NAME_ENTRY_get_data( ne );
+ break;
+ }
+ }
+
+ if( !cn )
{
+no_cn:
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
@@ -598,18 +614,20 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
- } else if (clen == nlen && strcasecmp(name, buf) == 0 ) {
+ } else if ( cn->length == nlen &&
+ strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
ret = LDAP_SUCCESS;
- } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
+ } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
char *domain = strchr(name, '.');
if( domain ) {
- size_t dlen;
+ int dlen;
dlen = nlen - (domain-name);
/* Is this a wildcard match? */
- if ((dlen == clen-1) && !strncasecmp(domain, &buf[1], dlen)) {
+ if ((dlen == cn->length-1) &&
+ !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
ret = LDAP_SUCCESS;
}
}
@@ -617,8 +635,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
if( ret == LDAP_LOCAL_ERROR ) {
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
- "common name in certificate (%s).\n",
- name, buf, 0 );
+ "common name in certificate (%.*s).\n",
+ name, cn->length, cn->data );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
@@ -635,10 +653,8 @@ static int
tlso_session_strength( tls_session *sess )
{
tlso_session *s = (tlso_session *)sess;
- SSL_CIPHER *c;
- c = SSL_get_current_cipher(s);
- return SSL_CIPHER_get_bits(c, NULL);
+ return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
}
/*
@@ -1051,16 +1067,29 @@ static RSA *
tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
{
RSA *tmp_rsa;
-
/* FIXME: Pregenerate the key on startup */
/* FIXME: Who frees the key? */
+#if OPENSSL_VERSION_NUMBER >= 0x00908000
+ BIGNUM *bn = BN_new();
+ tmp_rsa = NULL;
+ if ( bn ) {
+ if ( BN_set_word( bn, RSA_F4 )) {
+ tmp_rsa = RSA_new();
+ if ( tmp_rsa && !RSA_generate_key_ex( tmp_rsa, key_length, bn, NULL )) {
+ RSA_free( tmp_rsa );
+ tmp_rsa = NULL;
+ }
+ }
+ BN_free( bn );
+ }
+#else
tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
+#endif
if ( !tmp_rsa ) {
Debug( LDAP_DEBUG_ANY,
"TLS: Failed to generate temporary %d-bit %s RSA key\n",
key_length, is_export ? "export" : "domestic", 0 );
- return NULL;
}
return tmp_rsa;
}
@@ -1175,14 +1204,10 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
int i;
/* Do we have params of this length already? */
-#ifdef LDAP_R_COMPILE
- ldap_pvt_thread_mutex_lock( &tlso_dh_mutex );
-#endif
+ LDAP_MUTEX_LOCK( &tlso_dh_mutex );
for ( p = tlso_dhparams; p; p=p->next ) {
if ( p->keylength == key_length ) {
-#ifdef LDAP_R_COMPILE
- ldap_pvt_thread_mutex_unlock( &tlso_dh_mutex );
-#endif
+ LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
return p->param;
}
}
@@ -1215,9 +1240,7 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
}
}
-#ifdef LDAP_R_COMPILE
- ldap_pvt_thread_mutex_unlock( &tlso_dh_mutex );
-#endif
+ LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
return dh;
}