From: Howard Chu <hyc@openldap.org>
Date: Fri, 31 Jul 2009 01:51:34 +0000 (+0000)
Subject: Fix, reqcert == ALLOW should ignore cert verification failures
X-Git-Tag: ACLCHECK_0~375
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=403ee0b62e72a691ae0b2da14b0e39f93a6bf5bb;p=openldap

Fix, reqcert == ALLOW should ignore cert verification failures
---

diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 62ba3cf813..05e8648739 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1371,7 +1371,8 @@ tlsm_deferred_ctx_init( void *arg )
 		     ctx->tc_require_cert == LDAP_OPT_X_TLS_HARD ) {
 			require_cert = SSL_REQUIRE_ALWAYS;
 		}
-		ctx->tc_verify_cert = PR_TRUE;
+		if ( ctx->tc_require_cert != LDAP_OPT_X_TLS_ALLOW )
+			ctx->tc_verify_cert = PR_TRUE;
 	} else {
 		ctx->tc_verify_cert = PR_FALSE;
 	}
@@ -1888,22 +1889,22 @@ altfail:
 			}
 		}
 		if ( lastava ) {
-			SECItem *avaValue = CERT_DecodeAVAValue( &lastava->value );
-			if ( avaValue ) {
-				char *val = avaValue->data;
-				int len = avaValue->len;;
-				if ( len == nlen && !strncasecmp( name, val, nlen )) {
+			SECItem *av = CERT_DecodeAVAValue( &lastava->value );
+			if ( av ) {
+				if ( av->len == nlen && !strncasecmp( name, av->data, nlen )) {
 					ret = LDAP_SUCCESS;
-				} else if ( val[0] == '*' && val[1] == '.' && domain && 
-					dlen == len - 1 && !strncasecmp( name,
-						val+1, dlen )) {
+				} else if ( av->data[0] == '*' && av->data[1] == '.' &&
+					domain && dlen == av->len - 1 && !strncasecmp( name,
+						av->data+1, dlen )) {
 					ret = LDAP_SUCCESS;
+				} else {
+					int len = av->len;
+					if ( len >= sizeof(buf) )
+						len = sizeof(buf)-1;
+					memcpy( buf, av->data, len );
+					buf[len] = '\0';
 				}
-				if ( len >= sizeof(buf) )
-					len = sizeof(buf)-1;
-				memcpy( buf, val, len );
-				buf[len] = '\0';
-				SECITEM_FreeItem( avaValue, PR_TRUE );
+				SECITEM_FreeItem( av, PR_TRUE );
 			}
 		}
 		if ( ret != LDAP_SUCCESS ) {