cleanup before working on changes

author Kurt Zeilenga <kurt@openldap.org>

Wed, 1 May 2002 04:23:59 +0000 (04:23 +0000)

committer Kurt Zeilenga <kurt@openldap.org>

Wed, 1 May 2002 04:23:59 +0000 (04:23 +0000)
author Kurt Zeilenga <kurt@openldap.org>
Wed, 1 May 2002 04:23:59 +0000 (04:23 +0000)
committer Kurt Zeilenga <kurt@openldap.org>
Wed, 1 May 2002 04:23:59 +0000 (04:23 +0000)
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c

index c9e161f6b19ba6e9304a89ae85af3dfabd2e9ca0..3795402426959e19798b2731ab3cfa74af04eda8 100644 (file)
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -183,14 +183,14 @@ ldap_pvt_tls_init_def_ctx( void )
                                 ERR_peek_error() ));
  #else
                         Debug( LDAP_DEBUG_ANY,
-                      "TLS: could not allocate default ctx (%lu).\n",
+                          "TLS: could not allocate default ctx (%lu).\n",
                                 ERR_peek_error(),0,0);
  #endif
                         goto error_exit;
                 }
+
                 if ( tls_opt_ciphersuite &&
-                    !SSL_CTX_set_cipher_list( tls_def_ctx,
-                       tls_opt_ciphersuite ) )
+                       !SSL_CTX_set_cipher_list( tls_def_ctx, tls_opt_ciphersuite ) )
                 {
  #ifdef NEW_LOGGING
                         LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
@@ -198,21 +198,23 @@ ldap_pvt_tls_init_def_ctx( void )
                                 tls_opt_ciphersuite ));
  #else
                         Debug( LDAP_DEBUG_ANY,
-                              "TLS: could not set cipher list %s.\n",
-                              tls_opt_ciphersuite, 0, 0 );
+                                  "TLS: could not set cipher list %s.\n",
+                                  tls_opt_ciphersuite, 0, 0 );
  #endif
                         tls_report_error();
                         goto error_exit;
                 }
+
                 if (tls_opt_cacertfile != NULL || tls_opt_cacertdir != NULL) {
                         if ( !SSL_CTX_load_verify_locations( tls_def_ctx,
-                                                            tls_opt_cacertfile,
-                                                            tls_opt_cacertdir )
-                            || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
+                                       tls_opt_cacertfile, tls_opt_cacertdir ) ||
+                               !SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
                         {
  #ifdef NEW_LOGGING
-                               LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
-                               "TLS could not load verify locations (file:`%s',dir:`%s').\n",
+                               LDAP_LOG (( "tls", LDAP_LEVEL_ERR,
+                                       "ldap_pvt_tls_init_def_ctx: "
+                                       "TLS could not load verify locations "
+                                       "(file:`%s',dir:`%s').\n",
                                         tls_opt_cacertfile ? tls_opt_cacertfile : "",
                                         tls_opt_cacertdir ? tls_opt_cacertdir : "" ));
  #else
@@ -225,6 +227,7 @@ ldap_pvt_tls_init_def_ctx( void )
                                 tls_report_error();
                                 goto error_exit;
                         }
+
                         calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
                         if ( !calist ) {
  #ifdef NEW_LOGGING
@@ -242,65 +245,70 @@ ldap_pvt_tls_init_def_ctx( void )
                                 tls_report_error();
                                 goto error_exit;
                         }
+
                         SSL_CTX_set_client_CA_list( tls_def_ctx, calist );
                 }
+
                 if ( tls_opt_keyfile &&
-                    !SSL_CTX_use_PrivateKey_file( tls_def_ctx,
-                                                  tls_opt_keyfile,
-                                                  SSL_FILETYPE_PEM ) )
+                       !SSL_CTX_use_PrivateKey_file( tls_def_ctx,
+                               tls_opt_keyfile, SSL_FILETYPE_PEM ) )
                 {
  #ifdef NEW_LOGGING
                         LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
                                 "TLS could not use key file `%s'.\n", tls_opt_keyfile ));
  #else
                         Debug( LDAP_DEBUG_ANY,
-                              "TLS: could not use key file `%s'.\n",
-                              tls_opt_keyfile,0,0);
+                               "TLS: could not use key file `%s'.\n",
+                               tls_opt_keyfile,0,0);
  #endif
                         tls_report_error();
                         goto error_exit;
                 }
+
                 if ( tls_opt_certfile &&
-                    !SSL_CTX_use_certificate_file( tls_def_ctx,
-                                                   tls_opt_certfile,
-                                                   SSL_FILETYPE_PEM ) )
+                       !SSL_CTX_use_certificate_file( tls_def_ctx,
+                               tls_opt_certfile, SSL_FILETYPE_PEM ) )
                 {
  #ifdef NEW_LOGGING
                         LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
                                 "TLS could not use certificate `%s'.\n", tls_opt_certfile ));
  #else
                         Debug( LDAP_DEBUG_ANY,
-                              "TLS: could not use certificate `%s'.\n",
-                              tls_opt_certfile,0,0);
+                               "TLS: could not use certificate `%s'.\n",
+                               tls_opt_certfile,0,0);
  #endif
                         tls_report_error();
                         goto error_exit;
                 }
+
                 if ( ( tls_opt_certfile || tls_opt_keyfile ) &&
-                    !SSL_CTX_check_private_key( tls_def_ctx ) )
+                       !SSL_CTX_check_private_key( tls_def_ctx ) )
                 {
  #ifdef NEW_LOGGING
                         LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
                                 "TLS private key mismatch.\n" ));
  #else
                         Debug( LDAP_DEBUG_ANY,
-                              "TLS: private key mismatch.\n",
-                              0,0,0);
+                               "TLS: private key mismatch.\n",
+                               0,0,0);
  #endif
                         tls_report_error();
                         goto error_exit;
                 }
+
                 if ( tls_opt_trace ) {
                         SSL_CTX_set_info_callback( tls_def_ctx, tls_info_cb );
                 }
+
                 i = SSL_VERIFY_NONE;
                 if ( tls_opt_require_cert ) {
                         i = SSL_VERIFY_PEER;
                         if ( tls_opt_require_cert == LDAP_OPT_X_TLS_DEMAND ||
-                            tls_opt_require_cert == LDAP_OPT_X_TLS_HARD ) {
+                                tls_opt_require_cert == LDAP_OPT_X_TLS_HARD ) {
                                 i |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
                         }
                 }
+
                 SSL_CTX_set_verify( tls_def_ctx, i,
                         tls_opt_require_cert == LDAP_OPT_X_TLS_ALLOW ?
                         tls_verify_ok : tls_verify_cb );
@@ -311,6 +319,7 @@ ldap_pvt_tls_init_def_ctx( void )
         ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
  #endif
         return 0;
+
  error_exit:
         if ( tls_def_ctx != NULL ) {
                 SSL_CTX_free( tls_def_ctx );
@@ -370,17 +379,17 @@ update_flags( Sockbuf *sb, SSL * ssl, int rc )
  
         sb->sb_trans_needs_read  = 0;
         sb->sb_trans_needs_write = 0;
-       if (err == SSL_ERROR_WANT_READ)
-       {
-           sb->sb_trans_needs_read  = 1;
-           return 1;
-       } else if (err == SSL_ERROR_WANT_WRITE)
-       {
-           sb->sb_trans_needs_write = 1;
-           return 1;
-       } else if (err == SSL_ERROR_WANT_CONNECT)
-       {
-           return 1;
+
+       if (err == SSL_ERROR_WANT_READ) {
+               sb->sb_trans_needs_read  = 1;
+               return 1;
+
+       } else if (err == SSL_ERROR_WANT_WRITE) {
+               sb->sb_trans_needs_write = 1;
+               return 1;
+
+       } else if (err == SSL_ERROR_WANT_CONNECT) {
+               return 1;
         }
         return 0;
  }
@@ -405,8 +414,9 @@ sb_tls_setup( Sockbuf_IO_Desc *sbiod, void *arg )
         assert( sbiod != NULL );
  
         p = LBER_MALLOC( sizeof( *p ) );
-       if ( p == NULL )
+       if ( p == NULL ) {
                 return -1;
+       }
         
         p->ssl = (SSL *)arg;
         p->sbiod = sbiod;
@@ -514,9 +524,10 @@ sb_tls_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
         if (err == SSL_ERROR_WANT_WRITE ) {
                 sbiod->sbiod_sb->sb_trans_needs_write = 1;
                 errno = EWOULDBLOCK;
-       }
-       else
+
+       } else {
                 sbiod->sbiod_sb->sb_trans_needs_write = 0;
+       }
         return ret;
  }
  
@@ -542,8 +553,7 @@ sb_tls_bio_create( BIO *b ) {
  static int
  sb_tls_bio_destroy( BIO *b )
  {
-       if ( b == NULL )
-               return 0;
+       if ( b == NULL ) return 0;
  
         b->ptr = NULL;          /* sb_tls_remove() will free it */
         b->init = 0;
@@ -557,19 +567,20 @@ sb_tls_bio_read( BIO *b, char *buf, int len )
         struct tls_data         *p;
         int                     ret;
                 
-       if ( buf == NULL || len <= 0 )
-               return 0;
+       if ( buf == NULL || len <= 0 ) return 0;
  
         p = (struct tls_data *)b->ptr;
  
-       if ( p == NULL || p->sbiod == NULL )
+       if ( p == NULL || p->sbiod == NULL ) {
                 return 0;
+       }
  
         ret = LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
  
         BIO_clear_retry_flags( b );
-       if ( ret < 0 && errno == EWOULDBLOCK )
+       if ( ret < 0 && errno == EWOULDBLOCK ) {
                 BIO_set_retry_read( b );
+       }
  
         return ret;
  }
@@ -580,19 +591,20 @@ sb_tls_bio_write( BIO *b, const char *buf, int len )
         struct tls_data         *p;
         int                     ret;
         
-       if ( buf == NULL || len <= 0 )
-               return 0;
+       if ( buf == NULL || len <= 0 ) return 0;
         
         p = (struct tls_data *)b->ptr;
  
-       if ( p == NULL || p->sbiod == NULL )
+       if ( p == NULL || p->sbiod == NULL ) {
                 return 0;
+       }
  
         ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
  
         BIO_clear_retry_flags( b );
-       if ( ret < 0 && errno == EWOULDBLOCK )
+       if ( ret < 0 && errno == EWOULDBLOCK ) {
                 BIO_set_retry_write( b );
+       }
  
         return ret;
  }
@@ -680,20 +692,24 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
  #ifdef HAVE_WINSOCK
         errno = WSAGetLastError();
  #endif
+
         if ( err <= 0 ) {
                 if ( update_flags( sb, ssl, err )) {
                         return 1;
                 }
+
                 if ((err = ERR_peek_error())) {
                         char buf[256];
                         ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
                 }
+
  #ifdef NEW_LOGGING
                 LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_int_tls_connect: "
                         "TLS can't connect.\n" ));
  #else
                 Debug( LDAP_DEBUG_ANY,"TLS: can't connect.\n",0,0,0);
  #endif
+
                 ber_sockbuf_remove_io( sb, &sb_tls_sbio,
                         LBER_SBIOD_LEVEL_TRANSPORT );
  #ifdef LDAP_DEBUG
@@ -718,10 +734,11 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
  
         if ( HAS_TLS( sb ) ) {
                 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
+
         } else {
                 ssl = alloc_handle( ctx_arg );
-               if ( ssl == NULL )
-                       return -1;
+               if ( ssl == NULL ) return -1;
+
  #ifdef LDAP_DEBUG
                 ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
                         LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
@@ -736,14 +753,15 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
         errno = WSAGetLastError();
  #endif
         if ( err <= 0 ) {
-               if ( update_flags( sb, ssl, err ))
-                       return 1;
+               if ( update_flags( sb, ssl, err )) return 1;
+
  #ifdef NEW_LOGGING
                 LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_accept: "
                         "TLS can't accept.\n" ));
  #else
                 Debug( LDAP_DEBUG_ANY,"TLS: can't accept.\n",0,0,0 );
  #endif
+
                 tls_report_error();
                 ber_sockbuf_remove_io( sb, &sb_tls_sbio,
                         LBER_SBIOD_LEVEL_TRANSPORT );
@@ -760,9 +778,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
  int
  ldap_pvt_tls_inplace ( Sockbuf *sb )
  {
-       if ( HAS_TLS( sb ) )
-               return(1);
-       return(0);
+       return HAS_TLS( sb ) ? 1 : 0;
  }
  
  void *
@@ -781,10 +797,10 @@ ldap_pvt_tls_sb_ctx( Sockbuf *sb )
  int
  ldap_pvt_tls_get_strength( void *s )
  {
-    SSL_CIPHER *c;
+       SSL_CIPHER *c;
  
-    c = SSL_get_current_cipher((SSL *)s);
-    return SSL_CIPHER_get_bits(c, NULL);
+       c = SSL_get_current_cipher((SSL *)s);
+       return SSL_CIPHER_get_bits(c, NULL);
  }
  
  
@@ -798,7 +814,7 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
         x = SSL_get_certificate((SSL *)s);
  
         if (!x) return LDAP_INVALID_CREDENTIALS;
-    
+       
         xn = X509_get_subject_name(x);
         rc = ldap_X509dn2bv(xn, dn, (LDAPDN_rewrite_func *)func, flags );
         X509_free(x);
@@ -808,15 +824,15 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
  static X509 *
  tls_get_cert( SSL *s )
  {
-    /* If peer cert was bad, treat as if no cert was given */
-    if (SSL_get_verify_result(s)) {
-       /* If we can send an alert, do so */
-       if (SSL_version(s) != SSL2_VERSION) {
-               ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE);
+       /* If peer cert was bad, treat as if no cert was given */
+       if (SSL_get_verify_result(s)) {
+               /* If we can send an alert, do so */
+               if (SSL_version(s) != SSL2_VERSION) {
+                       ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE);
+               }
+               return NULL;
         }
-       return NULL;
-    }
-    return SSL_get_peer_certificate(s);
+       return SSL_get_peer_certificate(s);
  }
  
  int
@@ -829,7 +845,7 @@ ldap_pvt_tls_get_peer_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func
         x = tls_get_cert((SSL *)s);
  
         if (!x) return LDAP_INVALID_CREDENTIALS;
-    
+       
         xn = X509_get_subject_name(x);
         rc = ldap_X509dn2bv(xn, dn, (LDAPDN_rewrite_func *)func, flags);
         X509_free(x);
@@ -845,9 +861,7 @@ ldap_pvt_tls_get_peer_hostname( void *s )
         int ret;
  
         x = tls_get_cert((SSL *)s);
-
-       if (!x)
-               return NULL;
+       if (!x) return NULL;
         
         xn = X509_get_subject_name(x);
  
@@ -865,8 +879,8 @@ ldap_pvt_tls_get_peer_hostname( void *s )
  int
  ldap_pvt_tls_check_hostname( void *s, const char *name_in )
  {
-    int i, ret = LDAP_LOCAL_ERROR;
-    X509 *x;
+       int i, ret = LDAP_LOCAL_ERROR;
+       X509 *x;
         const char *name;
  
         if( ldap_int_hostname &&
@@ -877,123 +891,122 @@ ldap_pvt_tls_check_hostname( void *s, const char *name_in )
                 name = name_in;
         }
  
-    x = tls_get_cert((SSL *)s);
-    if (!x)
-    {
+       x = tls_get_cert((SSL *)s);
+       if (!x) {
  #ifdef NEW_LOGGING
-       LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
-               "TLS unable to get peer certificate.\n" ));
+               LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
+                       "TLS unable to get peer certificate.\n" ));
  #else
-       Debug( LDAP_DEBUG_ANY,
-               "TLS: unable to get peer certificate.\n",
-               0, 0, 0 );
+               Debug( LDAP_DEBUG_ANY,
+                       "TLS: unable to get peer certificate.\n",
+                       0, 0, 0 );
  #endif
-       return ret;
-    }
-
-    i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
-    if (i >= 0)
-    {
-       X509_EXTENSION *ex;
-       STACK_OF(GENERAL_NAME) *alt;
-
-       ex = X509_get_ext(x, i);
-       alt = X509V3_EXT_d2i(ex);
-       if (alt)
-       {
-           int n, len1, len2 = 0;
-           char *domain;
-           GENERAL_NAME *gn;
-           X509V3_EXT_METHOD *method;
-
-           len1 = strlen(name);
-           n = sk_GENERAL_NAME_num(alt);
-           domain = strchr(name, '.');
-           if (domain)
-               len2 = len1 - (domain-name);
-           for (i=0; i<n; i++)
-           {
-               gn = sk_GENERAL_NAME_value(alt, i);
-               if (gn->type == GEN_DNS)
-               {
-                   char *sn = ASN1_STRING_data(gn->d.ia5);
-                   int sl = ASN1_STRING_length(gn->d.ia5);
+               return ret;
+       }
  
-                   /* Is this an exact match? */
-                   if ((len1 == sl) && !strncasecmp(name, sn, len1))
-                       break;
+       i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+       if (i >= 0) {
+               X509_EXTENSION *ex;
+               STACK_OF(GENERAL_NAME) *alt;
+
+               ex = X509_get_ext(x, i);
+               alt = X509V3_EXT_d2i(ex);
+               if (alt) {
+                       int n, len1, len2 = 0;
+                       char *domain;
+                       GENERAL_NAME *gn;
+                       X509V3_EXT_METHOD *method;
+
+                       len1 = strlen(name);
+                       n = sk_GENERAL_NAME_num(alt);
+                       domain = strchr(name, '.');
+                       if (domain) {
+                               len2 = len1 - (domain-name);
+                       }
+                       for (i=0; i<n; i++) {
+                               gn = sk_GENERAL_NAME_value(alt, i);
+                               if (gn->type == GEN_DNS) {
+                                       char *sn = ASN1_STRING_data(gn->d.ia5);
+                                       int sl = ASN1_STRING_length(gn->d.ia5);
+
+                                       /* Is this an exact match? */
+                                       if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
+                                               break;
+                                       }
+
+                                       /* Is this a wildcard match? */
+                                       if ((*sn == '*') && domain && (len2 == sl-1) &&
+                                               !strncasecmp(domain, sn+1, len2))
+                                       {
+                                               break;
+                                       }
+                               }
+                       }
  
-                   /* Is this a wildcard match? */
-                   if ((*sn == '*') && domain && (len2 == sl-1) &&
-                       !strncasecmp(domain, sn+1, len2))
-                       break;
+                       method = X509V3_EXT_get(ex);
+                       method->ext_free(alt);
+                       if (i < n) {    /* Found a match */
+                               ret = LDAP_SUCCESS;
+                       }
                 }
-           }
-           method = X509V3_EXT_get(ex);
-           method->ext_free(alt);
-           if (i < n)  /* Found a match */
-               ret = LDAP_SUCCESS;
         }
-    }
  
-    if (ret != LDAP_SUCCESS)
-    {
-       X509_NAME *xn;
-       char buf[2048];
+       if (ret != LDAP_SUCCESS) {
+               X509_NAME *xn;
+               char buf[2048];
  
-       xn = X509_get_subject_name(x);
+               xn = X509_get_subject_name(x);
  
-       if (X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf))
-           == -1)
-       {
+               if( X509_NAME_get_text_by_NID( xn, NID_commonName,
+                       buf, sizeof(buf)) == -1)
+               {
  #ifdef NEW_LOGGING
-               LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
-                       "TLS unable to get common name from peer certificate.\n" ));
+                       LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
+                               "TLS unable to get common name from peer certificate.\n" ));
  #else
-           Debug( LDAP_DEBUG_ANY,
-                   "TLS: unable to get common name from peer certificate.\n",
-                   0, 0, 0 );
+                       Debug( LDAP_DEBUG_ANY,
+                               "TLS: unable to get common name from peer certificate.\n",
+                               0, 0, 0 );
  #endif
-       } else if (strcasecmp(name, buf))
-       {
+
+               } else if (strcasecmp(name, buf)) {
  #ifdef NEW_LOGGING
-               LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
-                       "TLS hostname (%s) does not match "
-                       "common name in certificate (%s).\n", name, buf ));
+                       LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
+                               "TLS hostname (%s) does not match "
+                               "common name in certificate (%s).\n", name, buf ));
  #else
-           Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
-                   "common name in certificate (%s).\n", 
-                   name, buf, 0 );
+                       Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+                               "common name in certificate (%s).\n", 
+                               name, buf, 0 );
  #endif
-           ret =  LDAP_CONNECT_ERROR;
-       } else
-       {
-           ret = LDAP_SUCCESS;
+                       ret = LDAP_CONNECT_ERROR;
+
+               } else {
+                       ret = LDAP_SUCCESS;
+               }
         }
-    }
-    X509_free(x);
-    return ret;
+       X509_free(x);
+       return ret;
  }
  
  const char *
  ldap_pvt_tls_get_peer_issuer( void *s )
  {
  #if 0  /* currently unused; see ldap_pvt_tls_get_peer_dn() if needed */
-    X509 *x;
-    X509_NAME *xn;
-    char buf[2048], *p;
-
-    x = SSL_get_peer_certificate((SSL *)s);
-
-    if (!x)
-       return NULL;
-    
-    xn = X509_get_issuer_name(x);
-    p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
-    X509_free(x);
-    return p;
+       X509 *x;
+       X509_NAME *xn;
+       char buf[2048], *p;
+
+       x = SSL_get_peer_certificate((SSL *)s);
+
+       if (!x) return NULL;
+       
+       xn = X509_get_issuer_name(x);
+       p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+       X509_free(x);
+       return p;
  #else
-    return NULL;
+       return NULL;
  #endif
  }
  
@@ -1013,19 +1026,25 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
         case LDAP_OPT_X_TLS_REQUIRE_CERT:
         case LDAP_OPT_X_TLS:
                 i = -1;
-               if ( strcasecmp( arg, "never" ) == 0 )
+               if ( strcasecmp( arg, "never" ) == 0 ) {
                         i = LDAP_OPT_X_TLS_NEVER ;
-               if ( strcasecmp( arg, "demand" ) == 0 )
+
+               } else if ( strcasecmp( arg, "demand" ) == 0 ) {
                         i = LDAP_OPT_X_TLS_DEMAND ;
-               if ( strcasecmp( arg, "allow" ) == 0 )
+
+               } else if ( strcasecmp( arg, "allow" ) == 0 ) {
                         i = LDAP_OPT_X_TLS_ALLOW ;
-               if ( strcasecmp( arg, "try" ) == 0 )
+
+               } else if ( strcasecmp( arg, "try" ) == 0 ) {
                         i = LDAP_OPT_X_TLS_TRY ;
-               if ( ( strcasecmp( arg, "hard" ) == 0 ) ||
-                     ( strcasecmp( arg, "on" ) == 0 ) ||
-                     ( strcasecmp( arg, "yes" ) == 0) ||
-                     ( strcasecmp( arg, "true" ) == 0 ) )
+
+               } else if ( ( strcasecmp( arg, "hard" ) == 0 ) ||
+                       ( strcasecmp( arg, "on" ) == 0 ) ||
+                       ( strcasecmp( arg, "yes" ) == 0) ||
+                       ( strcasecmp( arg, "true" ) == 0 ) )
+               {
                         i = LDAP_OPT_X_TLS_HARD ;
+               }
  
                 if (i >= 0) {
                         return ldap_pvt_tls_set_option( ld, option, &i );
@@ -1063,10 +1082,11 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
                 *(int *)arg = lo->ldo_tls_mode;
                 break;
         case LDAP_OPT_X_TLS_CTX:
-               if ( ld == NULL )
+               if ( ld == NULL ) {
                         *(void **)arg = (void *) tls_def_ctx;
-               else
+               } else {
                         *(void **)arg = ld->ld_defconn->lconn_tls_ctx;
+               }
                 break;
         case LDAP_OPT_X_TLS_CACERTFILE:
                 *(char **)arg = tls_opt_cacertfile ?
@@ -1277,47 +1297,49 @@ tls_info_cb( SSL *ssl, int where, int ret )
                 op = "undefined";
         }
  
-        if ( where & SSL_CB_LOOP ) {
+       if ( where & SSL_CB_LOOP ) {
  #ifdef NEW_LOGGING
                 LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1, "tls_info_cb: "
                         "TLS trace: %s:%s\n", op, SSL_state_string_long( ssl ) ));
  #else
                 Debug( LDAP_DEBUG_TRACE,
-                      "TLS trace: %s:%s\n",
-                      op, SSL_state_string_long( ssl ), 0 );
+                          "TLS trace: %s:%s\n",
+                          op, SSL_state_string_long( ssl ), 0 );
  #endif
+
         } else if ( where & SSL_CB_ALERT ) {
-                op = ( where & SSL_CB_READ ) ? "read" : "write";
+               op = ( where & SSL_CB_READ ) ? "read" : "write";
  #ifdef NEW_LOGGING
                 LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1, "tls_info_cb: "
                         "TLS trace: SSL3 alert %s:%s:%s\n", op,
-                      SSL_alert_type_string_long( ret ),
-                      SSL_alert_desc_string_long( ret) ));
+                          SSL_alert_type_string_long( ret ),
+                          SSL_alert_desc_string_long( ret) ));
  #else
                 Debug( LDAP_DEBUG_TRACE,
-                      "TLS trace: SSL3 alert %s:%s:%s\n",
-                      op,
-                      SSL_alert_type_string_long( ret ),
-                      SSL_alert_desc_string_long( ret) );
+                          "TLS trace: SSL3 alert %s:%s:%s\n",
+                          op,
+                          SSL_alert_type_string_long( ret ),
+                          SSL_alert_desc_string_long( ret) );
  #endif
+
         } else if ( where & SSL_CB_EXIT ) {
-                if ( ret == 0 ) {
+               if ( ret == 0 ) {
  #ifdef NEW_LOGGING
                         LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "tls_info_cb: "
                         "TLS trace: %s:failed in %s\n", op, SSL_state_string_long( ssl ) ));
  #else
                         Debug( LDAP_DEBUG_TRACE,
-                              "TLS trace: %s:failed in %s\n",
-                              op, SSL_state_string_long( ssl ), 0 );
+                                  "TLS trace: %s:failed in %s\n",
+                                  op, SSL_state_string_long( ssl ), 0 );
  #endif
-                } else if ( ret < 0 ) {
+               } else if ( ret < 0 ) {
  #ifdef NEW_LOGGING
                         LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "tls_info_cb: "
                         "TLS trace: %s:error in %s\n", op, SSL_state_string_long( ssl ) ));
  #else
                         Debug( LDAP_DEBUG_TRACE,
-                              "TLS trace: %s:error in %s\n",
-                              op, SSL_state_string_long( ssl ), 0 );
+                                  "TLS trace: %s:error in %s\n",
+                                  op, SSL_state_string_long( ssl ), 0 );
  #endif
                 }
         }
@@ -1354,9 +1376,9 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
                 sname ? sname : "-unknown-", iname ? iname : "-unknown-" ));
  #else
         Debug( LDAP_DEBUG_TRACE,
-              "TLS certificate verification: depth: %d, err: %d, subject: %s,",
-              errdepth, errnum,
-              sname ? sname : "-unknown-" );
+                  "TLS certificate verification: depth: %d, err: %d, subject: %s,",
+                  errdepth, errnum,
+                  sname ? sname : "-unknown-" );
         Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 );
  #endif
         if ( sname )
@@ -1378,21 +1400,21 @@ tls_verify_ok( int ok, X509_STORE_CTX *ctx )
  static void
  tls_report_error( void )
  {
-        unsigned long l;
-        char buf[200];
-        const char *file;
-        int line;
+       unsigned long l;
+       char buf[200];
+       const char *file;
+       int line;
  
-        while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
+       while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
  #ifdef NEW_LOGGING
-                       LDAP_LOG (( "tls", LDAP_LEVEL_ERR, 
-                               "tls_report_error: TLS %s %s:%d\n", 
-                               ERR_error_string( l, buf ), file, line ));
+               LDAP_LOG (( "tls", LDAP_LEVEL_ERR, 
+                       "tls_report_error: TLS %s %s:%d\n", 
+                       ERR_error_string( l, buf ), file, line ));
  #else
-                       Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
-                              ERR_error_string( l, buf ), file, line );
+               Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
+                  ERR_error_string( l, buf ), file, line );
  #endif
-        }
+       }
  }
  
  static RSA *
@@ -1430,7 +1452,7 @@ tls_seed_PRNG( const char *randfile )
         if (randfile == NULL) {
                 /* The seed file is $RANDFILE if defined, otherwise $HOME/.rnd.
                  * If $HOME is not set or buffer too small to hold the pathname,
-                * an error occurs.    - From RAND_file_name() man page.
+                * an error occurs.     - From RAND_file_name() man page.
                  * The fact is that when $HOME is NULL, .rnd is used.
                  */
                 randfile = RAND_file_name( buffer, sizeof( buffer ) );
author	Kurt Zeilenga <kurt@openldap.org>
	Wed, 1 May 2002 04:23:59 +0000 (04:23 +0000)
committer	Kurt Zeilenga <kurt@openldap.org>
	Wed, 1 May 2002 04:23:59 +0000 (04:23 +0000)