ITS#5655 for new structure
authorHoward Chu <hyc@openldap.org>
Mon, 26 Jan 2009 02:16:46 +0000 (02:16 +0000)
committerHoward Chu <hyc@openldap.org>
Mon, 26 Jan 2009 02:16:46 +0000 (02:16 +0000)
libraries/libldap/tls2.c
libraries/libldap/tls_o.c

index 937dc221c274e6140a13102b41354e7ecccdcb50..37e012aed7ded3ee7e997511a52e73b341b3d561 100644 (file)
@@ -542,6 +542,23 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
                        return ldap_pvt_tls_set_option( ld, option, &i );
                }
                return -1;
+       case LDAP_OPT_X_TLS_PROTOCOL_MIN: {
+               char *next;
+               long l;
+               l = strtol( arg, &next, 10 );
+               if ( l < 0 || l > 0xff || next == arg ||
+                       ( *next != '\0' && *next != '.' ) )
+                       return -1;
+               i = l << 8;
+               if (*next == '.') {
+                       arg = next + 1;
+                       l = strtol( arg, &next, 10 );
+                       if ( l < 0 || l > 0xff || next == arg || *next != '\0' )
+                               return -1;
+                       i += l;
+               }
+               return ldap_pvt_tls_set_option( ld, option, &i );
+               }
        case LDAP_OPT_X_TLS_CRLCHECK:   /* OpenSSL only */
                i = -1;
                if ( strcasecmp( arg, "none" ) == 0 ) {
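Review bot: The two strtol() calls accept more than the "major[.minor]" grammar the checks imply: strtol skips leading whitespace and takes an optional sign, so `" 3.1"`, `"+3.1"` and `"3.+1"` all pass, and `"-0.0"` is accepted because only `l < 0` is rejected. If the intent is digits only, test `!isdigit((unsigned char)*arg)` before each strtol, or document the leniency. The encoding of the result is also undocumented; a one-line comment such as `/* "major[.minor]" -> (major << 8) + minor; compare with LDAP_OPT_X_TLS_PROTOCOL_* */` would spare the next reader the trip to ldap.h (the SSL2/SSL3 constants used in tls_o.c presumably follow the same layout — worth confirming). The enclosing switch and the declaration of `i` lie outside this hunk.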
@@ -625,6 +642,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
                *(char **)arg = lo->ldo_tls_ciphersuite ?
                        LDAP_STRDUP( lo->ldo_tls_ciphersuite ) : NULL;
                break;
+       case LDAP_OPT_X_TLS_PROTOCOL_MIN:
+               *(int *)arg = lo->ldo_tls_protocol_min;
+               break;
        case LDAP_OPT_X_TLS_RANDOM_FILE:        /* OpenSSL only */
                *(char **)arg = lo->ldo_tls_randfile ?
                        LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL;
@@ -756,6 +776,11 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
                lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
                return 0;
 
+       case LDAP_OPT_X_TLS_PROTOCOL_MIN:
+               if ( !arg ) return -1;
+               lo->ldo_tls_protocol_min = *(int *)arg;
+               return 0;
+
        case LDAP_OPT_X_TLS_RANDOM_FILE:        /* OpenSSL only */
                if ( ld != NULL )
                        return -1;
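Review bot: The new setter stores any int without a range check, so a direct ldap_set_option() caller can set a negative or otherwise meaningless minimum that the config parser in ldap_int_tls_config would have rejected; in tlso_ctx_init such a value simply compares below every LDAP_OPT_X_TLS_PROTOCOL_* constant and silently means "no minimum". Mirroring the parser with `if ( !arg || *(int *)arg < 0 ) return -1;` keeps the two entry points consistent. The enclosing switch continues outside the hunk.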
index 4bb500cae3b61efd390a67ac3b85daa3a0f631bc..fc4f9bc3d6d44113aab80b831b2ae2a53ae28fdb 100644 (file)
@@ -222,6 +222,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                        (const unsigned char *) "OpenLDAP", sizeof("OpenLDAP")-1 );
        }
 
+       if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
+               SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
+       else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
+               SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+
        if ( lo->ldo_tls_ciphersuite &&
                !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
        {
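Review bot: The mapping from ldo_tls_protocol_min to SSL_CTX_set_options() only ever disables SSLv2 and SSLv3, so any minimum above SSL3 — e.g. a value encoding TLS 1.1 — is silently honoured as "TLS 1.0 or better", which is weaker than what the administrator configured. OpenSSL has `SSL_OP_NO_TLSv1`, so the chain should gain a first branch for minimums above TLS 1.0: `if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 )` / `SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 );`, with the existing SSL3 test becoming `else if`; this assumes ldap.h defines a TLS1_0 constant alongside the SSL2/SSL3 ones used here, which I cannot see on this page. Minimums the linked OpenSSL cannot express at all should at least be logged rather than quietly lowered. tlso_ctx_init starts and ends outside the hunk.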