OS/390 EBCDIC support

diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index d6d1465249c8cd1068b008a30d53745f4eea749a..458d4e2d5aff38d3f42f530e6f75d9f98c07b78a 100644 (file)
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -150,7 +150,16 @@ ldap_pvt_tls_init( void )
        if ( tls_initialized ) return 0;
        tls_initialized = 1;
 
+#ifdef HAVE_EBCDIC
+       {
+               char *file = LDAP_STRDUP( tls_opt_randfile );
+               if ( file ) __atoe( file );
+               (void) tls_seed_PRNG( file );
+               LDAP_FREE( file );
+       }
+#else
        (void) tls_seed_PRNG( tls_opt_randfile );
+#endif
 
 #ifdef LDAP_R_COMPILE
        tls_init_threads();
@@ -171,6 +180,36 @@ int
 ldap_pvt_tls_init_def_ctx( void )
 {
        STACK_OF(X509_NAME) *calist;
+       int rc = 0;
+       char *ciphersuite = tls_opt_ciphersuite;
+       char *cacertfile = tls_opt_cacertfile;
+       char *cacertdir = tls_opt_cacertdir;
+       char *certfile = tls_opt_certfile;
+       char *keyfile = tls_opt_keyfile;
+
+#ifdef HAVE_EBCDIC
+       /* This ASCII/EBCDIC handling is a real pain! */
+       if ( ciphersuite ) {
+               ciphersuite = LDAP_STRDUP( ciphersuite );
+               __atoe( ciphersuite );
+       }
+       if ( cacertfile ) {
+               cacertfile = LDAP_STRDUP( cacertfile );
+               __atoe( cacertfile );
+       }
+       if ( cacertdir ) {
+               cacertdir = LDAP_STRDUP( cacertdir );
+               __atoe( cacertdir );
+       }
+       if ( certfile ) {
+               certfile = LDAP_STRDUP( certfile );
+               __atoe( certfile );
+       }
+       if ( keyfile ) {
+               keyfile = LDAP_STRDUP( keyfile );
+               __atoe( keyfile );
+       }
+#endif
 
 #ifdef LDAP_R_COMPILE
        ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
@@ -188,11 +227,12 @@ ldap_pvt_tls_init_def_ctx( void )
                           "TLS: could not allocate default ctx (%lu).\n",
                                ERR_peek_error(),0,0);
 #endif
+                       rc = -1;
                        goto error_exit;
                }
 
                if ( tls_opt_ciphersuite &&
-                       !SSL_CTX_set_cipher_list( tls_def_ctx, tls_opt_ciphersuite ) )
+                       !SSL_CTX_set_cipher_list( tls_def_ctx, ciphersuite ) )
                {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
@@ -204,12 +244,13 @@ ldap_pvt_tls_init_def_ctx( void )
                                   tls_opt_ciphersuite, 0, 0 );
 #endif
                        tls_report_error();
+                       rc = -1;
                        goto error_exit;
                }
 
                if (tls_opt_cacertfile != NULL || tls_opt_cacertdir != NULL) {
                        if ( !SSL_CTX_load_verify_locations( tls_def_ctx,
-                                       tls_opt_cacertfile, tls_opt_cacertdir ) ||
+                                       cacertfile, cacertdir ) ||
                                !SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
                        {
 #ifdef NEW_LOGGING
@@ -227,10 +268,11 @@ ldap_pvt_tls_init_def_ctx( void )
                                        0 );
 #endif
                                tls_report_error();
+                               rc = -1;
                                goto error_exit;
                        }
 
-                       calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
+                       calist = get_ca_list( cacertfile, cacertdir );
                        if ( !calist ) {
 #ifdef NEW_LOGGING
                                LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
@@ -245,6 +287,7 @@ ldap_pvt_tls_init_def_ctx( void )
                                        0 );
 #endif
                                tls_report_error();
+                               rc = -1;
                                goto error_exit;
                        }
 
@@ -253,7 +296,7 @@ ldap_pvt_tls_init_def_ctx( void )
 
                if ( tls_opt_keyfile &&
                        !SSL_CTX_use_PrivateKey_file( tls_def_ctx,
-                               tls_opt_keyfile, SSL_FILETYPE_PEM ) )
+                               keyfile, SSL_FILETYPE_PEM ) )
                {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
@@ -264,12 +307,13 @@ ldap_pvt_tls_init_def_ctx( void )
                                tls_opt_keyfile,0,0);
 #endif
                        tls_report_error();
+                       rc = -1;
                        goto error_exit;
                }
 
                if ( tls_opt_certfile &&
                        !SSL_CTX_use_certificate_file( tls_def_ctx,
-                               tls_opt_certfile, SSL_FILETYPE_PEM ) )
+                               certfile, SSL_FILETYPE_PEM ) )
                {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR, "ldap_pvt_tls_init_def_ctx: "
@@ -281,6 +325,7 @@ ldap_pvt_tls_init_def_ctx( void )
                                tls_opt_certfile,0,0);
 #endif
                        tls_report_error();
+                       rc = -1;
                        goto error_exit;
                }
 
@@ -297,6 +342,7 @@ ldap_pvt_tls_init_def_ctx( void )
                                0,0,0);
 #endif
                        tls_report_error();
+                       rc = -1;
                        goto error_exit;
                }
 
@@ -319,20 +365,22 @@ ldap_pvt_tls_init_def_ctx( void )
                SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb );
                /* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */
        }
-#ifdef LDAP_R_COMPILE
-       ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
-#endif
-       return 0;
-
 error_exit:
-       if ( tls_def_ctx != NULL ) {
+       if ( rc == -1 && tls_def_ctx != NULL ) {
                SSL_CTX_free( tls_def_ctx );
                tls_def_ctx = NULL;
        }
+#ifdef HAVE_EBCDIC
+       LDAP_FREE( ciphersuite );
+       LDAP_FREE( cacertfile );
+       LDAP_FREE( cacertdir );
+       LDAP_FREE( certfile );
+       LDAP_FREE( keyfile );
+#endif
 #ifdef LDAP_R_COMPILE
        ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
 #endif
-       return -1;
+       return rc;
 }
 
 static STACK_OF(X509_NAME) *
@@ -345,37 +393,14 @@ get_ca_list( char * bundle, char * dir )
        }
 #if defined(HAVE_DIRENT_H) || defined(dirent)
        if ( dir ) {
-               DIR *dirp;
-               struct dirent *d;
-               char buf[MAXPATHLEN];
-               int l = strlen(dir), freeit = 0;
-
-               if (l > sizeof(buf))
-                       goto done;
-
-               dirp = opendir( dir );
+               int freeit = 0;
 
                if ( !ca_list ) {
                        ca_list = sk_X509_NAME_new_null();
                        freeit = 1;
                }
-
-               strcpy(buf, dir);
-
-               while ( dirp ) {
-                       if ( ( d = readdir( dirp )) == NULL) {
-                               closedir( dirp );
-                               break;
-                       }
-                       if (l + sizeof(LDAP_DIRSEP) + NAMLEN(d) > sizeof(buf))
-                               continue;
-
-                       sprintf( buf+l, LDAP_DIRSEP "%s", d->d_name );
-                       if ( SSL_add_file_cert_subjects_to_stack(ca_list, buf)) {
-                               freeit = 0;
-                       }
-               }
-               if ( freeit ) {
+               if ( !SSL_add_dir_cert_subjects_to_stack( ca_list, dir ) &&
+                       freeit ) {
                        sk_X509_NAME_free( ca_list );
                        ca_list = NULL;
                }
@@ -740,6 +765,9 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
                if ((err = ERR_peek_error())) {
                        char buf[256];
                        ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
+#ifdef HAVE_EBCDIC
+                       if ( ld->ld_error ) __etoa(ld->ld_error);
+#endif
                }
 
 #ifdef NEW_LOGGING
@@ -916,7 +944,7 @@ ldap_pvt_tls_get_peer_hostname( void *s )
 }
 
 int
-ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
+ldap_pvt_tls_check_hostname( void *s, const char *name_in )
 {
        int i, ret = LDAP_LOCAL_ERROR;
        X509 *x;
@@ -1019,7 +1047,6 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
                                "TLS: unable to get common name from peer certificate.\n",
                                0, 0, 0 );
 #endif
-                       ld->ld_error = LDAP_STRDUP("TLS: unable to get CN from peer certificate");
 
                } else if (strcasecmp(name, buf)) {
 #ifdef NEW_LOGGING
@@ -1032,7 +1059,6 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
                                name, buf, 0 );
 #endif
                        ret = LDAP_CONNECT_ERROR;
-                       ld->ld_error = LDAP_STRDUP("TLS: hostname does not match CN in peer certificate");
 
                } else {
                        ret = LDAP_SUCCESS;
@@ -1310,7 +1336,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
        /* 
         * compare host with name(s) in certificate
         */
-       ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
+       ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host );
        if (ld->ld_errno != LDAP_SUCCESS) {
                return ld->ld_errno;
        }
@@ -1340,6 +1366,7 @@ tls_info_cb( SSL *ssl, int where, int ret )
 {
        int w;
        char *op;
+       char *state = SSL_state_string_long( ssl );
 
        w = where & ~SSL_ST_MASK;
        if ( w & SSL_ST_CONNECT ) {
@@ -1350,54 +1377,75 @@ tls_info_cb( SSL *ssl, int where, int ret )
                op = "undefined";
        }
 
+#ifdef HAVE_EBCDIC
+       if ( state ) {
+               state = LDAP_STRDUP( state );
+               __etoa( state );
+       }
+#endif
        if ( where & SSL_CB_LOOP ) {
 #ifdef NEW_LOGGING
                LDAP_LOG ( TRANSPORT, DETAIL1, "tls_info_cb: "
-                       "TLS trace: %s:%s\n", op, SSL_state_string_long( ssl ), 0 );
+                       "TLS trace: %s:%s\n", op, state, 0 );
 #else
                Debug( LDAP_DEBUG_TRACE,
                           "TLS trace: %s:%s\n",
-                          op, SSL_state_string_long( ssl ), 0 );
+                          op, state, 0 );
 #endif
 
        } else if ( where & SSL_CB_ALERT ) {
+               char *atype = SSL_alert_type_string_long( ret );
+               char *adesc = SSL_alert_desc_string_long( ret );
                op = ( where & SSL_CB_READ ) ? "read" : "write";
+#ifdef HAVE_EBCDIC
+               if ( atype ) {
+                       atype = LDAP_STRDUP( atype );
+                       __etoa( atype );
+               }
+               if ( adesc ) {
+                       adesc = LDAP_STRDUP( adesc );
+                       __etoa( adesc );
+               }
+#endif
 #ifdef NEW_LOGGING
                LDAP_LOG ( TRANSPORT, DETAIL1, 
                        "tls_info_cb: TLS trace: SSL3 alert %s:%s:%s\n", 
-                       op, SSL_alert_type_string_long( ret ), 
-                       SSL_alert_desc_string_long( ret) );
+                       op, atype, adesc );
 #else
                Debug( LDAP_DEBUG_TRACE,
                           "TLS trace: SSL3 alert %s:%s:%s\n",
-                          op,
-                          SSL_alert_type_string_long( ret ),
-                          SSL_alert_desc_string_long( ret) );
+                          op, atype, adesc );
+#endif
+#ifdef HAVE_EBCDIC
+               if ( atype ) LDAP_FREE( atype );
+               if ( adesc ) LDAP_FREE( adesc );
 #endif
-
        } else if ( where & SSL_CB_EXIT ) {
                if ( ret == 0 ) {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR, 
                                "tls_info_cb: TLS trace: %s:failed in %s\n", 
-                               op, SSL_state_string_long( ssl ), 0 );
+                               op, state, 0 );
 #else
                        Debug( LDAP_DEBUG_TRACE,
                                   "TLS trace: %s:failed in %s\n",
-                                  op, SSL_state_string_long( ssl ), 0 );
+                                  op, state, 0 );
 #endif
                } else if ( ret < 0 ) {
 #ifdef NEW_LOGGING
                        LDAP_LOG ( TRANSPORT, ERR, 
                                "tls_info_cb: TLS trace: %s:error in %s\n", 
-                               op, SSL_state_string_long( ssl ), 0 );
+                               op, state, 0 );
 #else
                        Debug( LDAP_DEBUG_TRACE,
                                   "TLS trace: %s:error in %s\n",
-                                  op, SSL_state_string_long( ssl ), 0 );
+                                  op, state, 0 );
 #endif
                }
        }
+#ifdef HAVE_EBCDIC
+       if ( state ) LDAP_FREE( state );
+#endif
 }
 
 static int
@@ -1410,6 +1458,7 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
        X509_NAME *issuer;
        char *sname;
        char *iname;
+       char *certerr = NULL;
 
        cert = X509_STORE_CTX_get_current_cert( ctx );
        errnum = X509_STORE_CTX_get_error( ctx );
@@ -1424,6 +1473,15 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
        /* X509_NAME_oneline, if passed a NULL buf, allocate memomry */
        sname = X509_NAME_oneline( subject, NULL, 0 );
        iname = X509_NAME_oneline( issuer, NULL, 0 );
+       if ( !ok ) certerr = (char *)X509_verify_cert_error_string( errnum );
+#ifdef HAVE_EBCDIC
+       if ( sname ) __etoa( sname );
+       if ( iname ) __etoa( iname );
+       if ( certerr ) {
+               certerr = LDAP_STRDUP( certerr );
+               __etoa( certerr );
+       }
+#endif
 #ifdef NEW_LOGGING
        LDAP_LOG( TRANSPORT, ERR,
                   "TLS certificate verification: depth: %d, err: %d, subject: %s,",
@@ -1433,7 +1491,7 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
        if ( !ok ) {
                LDAP_LOG ( TRANSPORT, ERR, 
                        "TLS certificate verification: Error, %s\n",
-                       X509_verify_cert_error_string(errnum), 0, 0 );
+                       certerr, 0, 0 );
        }
 #else
        Debug( LDAP_DEBUG_TRACE,
@@ -1444,14 +1502,16 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
        if ( !ok ) {
                Debug( LDAP_DEBUG_ANY,
                        "TLS certificate verification: Error, %s\n",
-                       X509_verify_cert_error_string(errnum), 0, 0 );
+                       certerr, 0, 0 );
        }
 #endif
        if ( sname )
                CRYPTO_free ( sname );
        if ( iname )
                CRYPTO_free ( iname );
-
+#ifdef HAVE_EBCDIC
+       if ( certerr ) LDAP_FREE( certerr );
+#endif
        return ok;
 }
 
@@ -1472,13 +1532,24 @@ tls_report_error( void )
        int line;
 
        while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
+               ERR_error_string_n( l, buf, sizeof( buf ) );
+#ifdef HAVE_EBCDIC
+               if ( file ) {
+                       file = LDAP_STRDUP( file );
+                       __etoa( (char *)file );
+               }
+               __etoa( buf );
+#endif
 #ifdef NEW_LOGGING
                LDAP_LOG ( TRANSPORT, ERR, 
                        "tls_report_error: TLS %s %s:%d\n", 
-                       ERR_error_string( l, buf ), file, line );
+                       buf, file, line );
 #else
                Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
-                  ERR_error_string( l, buf ), file, line );
+                       buf, file, line );
+#endif
+#ifdef HAVE_EBCDIC
+               if ( file ) LDAP_FREE( (void *)file );
 #endif
        }
 }