From: Kurt Zeilenga <kurt@openldap.org>
Date: Wed, 1 May 2002 04:23:59 +0000 (+0000)
Subject: cleanup before working on changes
X-Git-Tag: OPENLDAP_REL_ENG_2_MP~133
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=96483c8dcd426dcdc85c77f1597c8a3d03faa621;p=openldap

cleanup before working on changes
---

diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index c9e161f6b1..3795402426 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -183,14 +183,14 @@ ldap_pvt_tls_init_def_ctx( void )
 				ERR_peek_error() ));
 #else
 			Debug( LDAP_DEBUG_ANY,
-		       "TLS: could not allocate default ctx (%lu).\n",
+			   "TLS: could not allocate default ctx (%lu).\n",
 				ERR_peek_error(),0,0);
 #endif
 			goto error_exit;
 		}
+
 		if ( tls_opt_ciphersuite &&
-		     !SSL_CTX_set_cipher_list( tls_def_ctx,
-			tls_opt_ciphersuite ) )
+			!SSL_CTX_set_cipher_list( tls_def_ctx, tls_opt_ciphersuite ) )
 		{
 #ifdef NEW_LOGGING
 			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
@@ -198,21 +198,23 @@ ldap_pvt_tls_init_def_ctx( void )
 				tls_opt_ciphersuite ));
 #else
 			Debug( LDAP_DEBUG_ANY,
-			       "TLS: could not set cipher list %s.\n",
-			       tls_opt_ciphersuite, 0, 0 );
+				   "TLS: could not set cipher list %s.\n",
+				   tls_opt_ciphersuite, 0, 0 );
 #endif
 			tls_report_error();
 			goto error_exit;
 		}
+
 		if (tls_opt_cacertfile != NULL || tls_opt_cacertdir != NULL) {
 			if ( !SSL_CTX_load_verify_locations( tls_def_ctx,
-							     tls_opt_cacertfile,
-							     tls_opt_cacertdir )
-			     || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
+					tls_opt_cacertfile, tls_opt_cacertdir ) ||
+				!SSL_CTX_set_default_verify_paths( tls_def_ctx ) )
 			{
 #ifdef NEW_LOGGING
-				LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
-				"TLS could not load verify locations (file:`%s',dir:`%s').\n",
+				LDAP_LOG (( "tls", LDAP_LEVEL_ERR,
+					"ldap_pvt_tls_init_def_ctx: "
+					"TLS could not load verify locations "
+					"(file:`%s',dir:`%s').\n",
 					tls_opt_cacertfile ? tls_opt_cacertfile : "",
 					tls_opt_cacertdir ? tls_opt_cacertdir : "" ));
 #else
@@ -225,6 +227,7 @@ ldap_pvt_tls_init_def_ctx( void )
 				tls_report_error();
 				goto error_exit;
 			}
+
 			calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir );
 			if ( !calist ) {
 #ifdef NEW_LOGGING
@@ -242,65 +245,70 @@ ldap_pvt_tls_init_def_ctx( void )
 				tls_report_error();
 				goto error_exit;
 			}
+
 			SSL_CTX_set_client_CA_list( tls_def_ctx, calist );
 		}
+
 		if ( tls_opt_keyfile &&
-		     !SSL_CTX_use_PrivateKey_file( tls_def_ctx,
-						   tls_opt_keyfile,
-						   SSL_FILETYPE_PEM ) )
+			!SSL_CTX_use_PrivateKey_file( tls_def_ctx,
+				tls_opt_keyfile, SSL_FILETYPE_PEM ) )
 		{
 #ifdef NEW_LOGGING
 			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
 				"TLS could not use key file `%s'.\n", tls_opt_keyfile ));
 #else
 			Debug( LDAP_DEBUG_ANY,
-			       "TLS: could not use key file `%s'.\n",
-			       tls_opt_keyfile,0,0);
+				"TLS: could not use key file `%s'.\n",
+				tls_opt_keyfile,0,0);
 #endif
 			tls_report_error();
 			goto error_exit;
 		}
+
 		if ( tls_opt_certfile &&
-		     !SSL_CTX_use_certificate_file( tls_def_ctx,
-						    tls_opt_certfile,
-						    SSL_FILETYPE_PEM ) )
+			!SSL_CTX_use_certificate_file( tls_def_ctx,
+				tls_opt_certfile, SSL_FILETYPE_PEM ) )
 		{
 #ifdef NEW_LOGGING
 			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
 				"TLS could not use certificate `%s'.\n", tls_opt_certfile ));
 #else
 			Debug( LDAP_DEBUG_ANY,
-			       "TLS: could not use certificate `%s'.\n",
-			       tls_opt_certfile,0,0);
+				"TLS: could not use certificate `%s'.\n",
+				tls_opt_certfile,0,0);
 #endif
 			tls_report_error();
 			goto error_exit;
 		}
+
 		if ( ( tls_opt_certfile || tls_opt_keyfile ) &&
-		     !SSL_CTX_check_private_key( tls_def_ctx ) )
+			!SSL_CTX_check_private_key( tls_def_ctx ) )
 		{
 #ifdef NEW_LOGGING
 			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_init_def_ctx: "
 				"TLS private key mismatch.\n" ));
 #else
 			Debug( LDAP_DEBUG_ANY,
-			       "TLS: private key mismatch.\n",
-			       0,0,0);
+				"TLS: private key mismatch.\n",
+				0,0,0);
 #endif
 			tls_report_error();
 			goto error_exit;
 		}
+
 		if ( tls_opt_trace ) {
 			SSL_CTX_set_info_callback( tls_def_ctx, tls_info_cb );
 		}
+
 		i = SSL_VERIFY_NONE;
 		if ( tls_opt_require_cert ) {
 			i = SSL_VERIFY_PEER;
 			if ( tls_opt_require_cert == LDAP_OPT_X_TLS_DEMAND ||
-			     tls_opt_require_cert == LDAP_OPT_X_TLS_HARD ) {
+				 tls_opt_require_cert == LDAP_OPT_X_TLS_HARD ) {
 				i |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 			}
 		}
+
 		SSL_CTX_set_verify( tls_def_ctx, i,
 			tls_opt_require_cert == LDAP_OPT_X_TLS_ALLOW ?
 			tls_verify_ok : tls_verify_cb );
@@ -311,6 +319,7 @@ ldap_pvt_tls_init_def_ctx( void )
 	ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
 #endif
 	return 0;
+
 error_exit:
 	if ( tls_def_ctx != NULL ) {
 		SSL_CTX_free( tls_def_ctx );
@@ -370,17 +379,17 @@ update_flags( Sockbuf *sb, SSL * ssl, int rc )
 
 	sb->sb_trans_needs_read  = 0;
 	sb->sb_trans_needs_write = 0;
-	if (err == SSL_ERROR_WANT_READ)
-	{
-	    sb->sb_trans_needs_read  = 1;
-	    return 1;
-	} else if (err == SSL_ERROR_WANT_WRITE)
-	{
-	    sb->sb_trans_needs_write = 1;
-	    return 1;
-	} else if (err == SSL_ERROR_WANT_CONNECT)
-	{
-	    return 1;
+
+	if (err == SSL_ERROR_WANT_READ) {
+		sb->sb_trans_needs_read  = 1;
+		return 1;
+
+	} else if (err == SSL_ERROR_WANT_WRITE) {
+		sb->sb_trans_needs_write = 1;
+		return 1;
+
+	} else if (err == SSL_ERROR_WANT_CONNECT) {
+		return 1;
 	}
 	return 0;
 }
@@ -405,8 +414,9 @@ sb_tls_setup( Sockbuf_IO_Desc *sbiod, void *arg )
 	assert( sbiod != NULL );
 
 	p = LBER_MALLOC( sizeof( *p ) );
-	if ( p == NULL )
+	if ( p == NULL ) {
 		return -1;
+	}
 	
 	p->ssl = (SSL *)arg;
 	p->sbiod = sbiod;
@@ -514,9 +524,10 @@ sb_tls_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 	if (err == SSL_ERROR_WANT_WRITE ) {
 		sbiod->sbiod_sb->sb_trans_needs_write = 1;
 		errno = EWOULDBLOCK;
-	}
-	else
+
+	} else {
 		sbiod->sbiod_sb->sb_trans_needs_write = 0;
+	}
 	return ret;
 }
 
@@ -542,8 +553,7 @@ sb_tls_bio_create( BIO *b ) {
 static int
 sb_tls_bio_destroy( BIO *b )
 {
-	if ( b == NULL )
-		return 0;
+	if ( b == NULL ) return 0;
 
 	b->ptr = NULL;		/* sb_tls_remove() will free it */
 	b->init = 0;
@@ -557,19 +567,20 @@ sb_tls_bio_read( BIO *b, char *buf, int len )
 	struct tls_data		*p;
 	int			ret;
 		
-	if ( buf == NULL || len <= 0 )
-		return 0;
+	if ( buf == NULL || len <= 0 ) return 0;
 
 	p = (struct tls_data *)b->ptr;
 
-	if ( p == NULL || p->sbiod == NULL )
+	if ( p == NULL || p->sbiod == NULL ) {
 		return 0;
+	}
 
 	ret = LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
 
 	BIO_clear_retry_flags( b );
-	if ( ret < 0 && errno == EWOULDBLOCK )
+	if ( ret < 0 && errno == EWOULDBLOCK ) {
 		BIO_set_retry_read( b );
+	}
 
 	return ret;
 }
@@ -580,19 +591,20 @@ sb_tls_bio_write( BIO *b, const char *buf, int len )
 	struct tls_data		*p;
 	int			ret;
 	
-	if ( buf == NULL || len <= 0 )
-		return 0;
+	if ( buf == NULL || len <= 0 ) return 0;
 	
 	p = (struct tls_data *)b->ptr;
 
-	if ( p == NULL || p->sbiod == NULL )
+	if ( p == NULL || p->sbiod == NULL ) {
 		return 0;
+	}
 
 	ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
 
 	BIO_clear_retry_flags( b );
-	if ( ret < 0 && errno == EWOULDBLOCK )
+	if ( ret < 0 && errno == EWOULDBLOCK ) {
 		BIO_set_retry_write( b );
+	}
 
 	return ret;
 }
@@ -680,20 +692,24 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
 #endif
+
 	if ( err <= 0 ) {
 		if ( update_flags( sb, ssl, err )) {
 			return 1;
 		}
+
 		if ((err = ERR_peek_error())) {
 			char buf[256];
 			ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
 		}
+
 #ifdef NEW_LOGGING
 		LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_int_tls_connect: "
 			"TLS can't connect.\n" ));
 #else
 		Debug( LDAP_DEBUG_ANY,"TLS: can't connect.\n",0,0,0);
 #endif
+
 		ber_sockbuf_remove_io( sb, &sb_tls_sbio,
 			LBER_SBIOD_LEVEL_TRANSPORT );
 #ifdef LDAP_DEBUG
@@ -718,10 +734,11 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
 
 	if ( HAS_TLS( sb ) ) {
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
+
 	} else {
 		ssl = alloc_handle( ctx_arg );
-		if ( ssl == NULL )
-			return -1;
+		if ( ssl == NULL ) return -1;
+
 #ifdef LDAP_DEBUG
 		ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
@@ -736,14 +753,15 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
 	errno = WSAGetLastError();
 #endif
 	if ( err <= 0 ) {
-		if ( update_flags( sb, ssl, err ))
-			return 1;
+		if ( update_flags( sb, ssl, err )) return 1;
+
 #ifdef NEW_LOGGING
 		LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_accept: "
 			"TLS can't accept.\n" ));
 #else
 		Debug( LDAP_DEBUG_ANY,"TLS: can't accept.\n",0,0,0 );
 #endif
+
 		tls_report_error();
 		ber_sockbuf_remove_io( sb, &sb_tls_sbio,
 			LBER_SBIOD_LEVEL_TRANSPORT );
@@ -760,9 +778,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
 int
 ldap_pvt_tls_inplace ( Sockbuf *sb )
 {
-	if ( HAS_TLS( sb ) )
-		return(1);
-	return(0);
+	return HAS_TLS( sb ) ? 1 : 0;
 }
 
 void *
@@ -781,10 +797,10 @@ ldap_pvt_tls_sb_ctx( Sockbuf *sb )
 int
 ldap_pvt_tls_get_strength( void *s )
 {
-    SSL_CIPHER *c;
+	SSL_CIPHER *c;
 
-    c = SSL_get_current_cipher((SSL *)s);
-    return SSL_CIPHER_get_bits(c, NULL);
+	c = SSL_get_current_cipher((SSL *)s);
+	return SSL_CIPHER_get_bits(c, NULL);
 }
 
 
@@ -798,7 +814,7 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
 	x = SSL_get_certificate((SSL *)s);
 
 	if (!x) return LDAP_INVALID_CREDENTIALS;
-    
+	
 	xn = X509_get_subject_name(x);
 	rc = ldap_X509dn2bv(xn, dn, (LDAPDN_rewrite_func *)func, flags );
 	X509_free(x);
@@ -808,15 +824,15 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
 static X509 *
 tls_get_cert( SSL *s )
 {
-    /* If peer cert was bad, treat as if no cert was given */
-    if (SSL_get_verify_result(s)) {
-    	/* If we can send an alert, do so */
-    	if (SSL_version(s) != SSL2_VERSION) {
-		ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE);
+	/* If peer cert was bad, treat as if no cert was given */
+	if (SSL_get_verify_result(s)) {
+		/* If we can send an alert, do so */
+		if (SSL_version(s) != SSL2_VERSION) {
+			ssl3_send_alert(s,SSL3_AL_WARNING,SSL3_AD_BAD_CERTIFICATE);
+		}
+		return NULL;
 	}
-    	return NULL;
-    }
-    return SSL_get_peer_certificate(s);
+	return SSL_get_peer_certificate(s);
 }
 
 int
@@ -829,7 +845,7 @@ ldap_pvt_tls_get_peer_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func
 	x = tls_get_cert((SSL *)s);
 
 	if (!x) return LDAP_INVALID_CREDENTIALS;
-    
+	
 	xn = X509_get_subject_name(x);
 	rc = ldap_X509dn2bv(xn, dn, (LDAPDN_rewrite_func *)func, flags);
 	X509_free(x);
@@ -845,9 +861,7 @@ ldap_pvt_tls_get_peer_hostname( void *s )
 	int ret;
 
 	x = tls_get_cert((SSL *)s);
-
-	if (!x)
-		return NULL;
+	if (!x) return NULL;
 	
 	xn = X509_get_subject_name(x);
 
@@ -865,8 +879,8 @@ ldap_pvt_tls_get_peer_hostname( void *s )
 int
 ldap_pvt_tls_check_hostname( void *s, const char *name_in )
 {
-    int i, ret = LDAP_LOCAL_ERROR;
-    X509 *x;
+	int i, ret = LDAP_LOCAL_ERROR;
+	X509 *x;
 	const char *name;
 
 	if( ldap_int_hostname &&
@@ -877,123 +891,122 @@ ldap_pvt_tls_check_hostname( void *s, const char *name_in )
 		name = name_in;
 	}
 
-    x = tls_get_cert((SSL *)s);
-    if (!x)
-    {
+	x = tls_get_cert((SSL *)s);
+	if (!x) {
 #ifdef NEW_LOGGING
-	LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
-		"TLS unable to get peer certificate.\n" ));
+		LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
+			"TLS unable to get peer certificate.\n" ));
 #else
-	Debug( LDAP_DEBUG_ANY,
-		"TLS: unable to get peer certificate.\n",
-		0, 0, 0 );
+		Debug( LDAP_DEBUG_ANY,
+			"TLS: unable to get peer certificate.\n",
+			0, 0, 0 );
 #endif
-	return ret;
-    }
-
-    i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
-    if (i >= 0)
-    {
-	X509_EXTENSION *ex;
-	STACK_OF(GENERAL_NAME) *alt;
-
-	ex = X509_get_ext(x, i);
-	alt = X509V3_EXT_d2i(ex);
-	if (alt)
-	{
-	    int n, len1, len2 = 0;
-	    char *domain;
-	    GENERAL_NAME *gn;
-	    X509V3_EXT_METHOD *method;
-
-	    len1 = strlen(name);
-	    n = sk_GENERAL_NAME_num(alt);
-	    domain = strchr(name, '.');
-	    if (domain)
-	    	len2 = len1 - (domain-name);
-	    for (i=0; i<n; i++)
-	    {
-		gn = sk_GENERAL_NAME_value(alt, i);
-		if (gn->type == GEN_DNS)
-		{
-		    char *sn = ASN1_STRING_data(gn->d.ia5);
-		    int sl = ASN1_STRING_length(gn->d.ia5);
+		return ret;
+	}
 
-		    /* Is this an exact match? */
-		    if ((len1 == sl) && !strncasecmp(name, sn, len1))
-			break;
+	i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+	if (i >= 0) {
+		X509_EXTENSION *ex;
+		STACK_OF(GENERAL_NAME) *alt;
+
+		ex = X509_get_ext(x, i);
+		alt = X509V3_EXT_d2i(ex);
+		if (alt) {
+			int n, len1, len2 = 0;
+			char *domain;
+			GENERAL_NAME *gn;
+			X509V3_EXT_METHOD *method;
+
+			len1 = strlen(name);
+			n = sk_GENERAL_NAME_num(alt);
+			domain = strchr(name, '.');
+			if (domain) {
+				len2 = len1 - (domain-name);
+			}
+			for (i=0; i<n; i++) {
+				gn = sk_GENERAL_NAME_value(alt, i);
+				if (gn->type == GEN_DNS) {
+					char *sn = ASN1_STRING_data(gn->d.ia5);
+					int sl = ASN1_STRING_length(gn->d.ia5);
+
+					/* Is this an exact match? */
+					if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
+						break;
+					}
+
+					/* Is this a wildcard match? */
+					if ((*sn == '*') && domain && (len2 == sl-1) &&
+						!strncasecmp(domain, sn+1, len2))
+					{
+						break;
+					}
+				}
+			}
 
-		    /* Is this a wildcard match? */
-		    if ((*sn == '*') && domain && (len2 == sl-1) &&
-		    	!strncasecmp(domain, sn+1, len2))
-			break;
+			method = X509V3_EXT_get(ex);
+			method->ext_free(alt);
+			if (i < n) {	/* Found a match */
+				ret = LDAP_SUCCESS;
+			}
 		}
-	    }
-	    method = X509V3_EXT_get(ex);
-	    method->ext_free(alt);
-	    if (i < n)	/* Found a match */
-		ret = LDAP_SUCCESS;
 	}
-    }
 
-    if (ret != LDAP_SUCCESS)
-    {
-	X509_NAME *xn;
-	char buf[2048];
+	if (ret != LDAP_SUCCESS) {
+		X509_NAME *xn;
+		char buf[2048];
 
-	xn = X509_get_subject_name(x);
+		xn = X509_get_subject_name(x);
 
-	if (X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf))
-	    == -1)
-	{
+		if( X509_NAME_get_text_by_NID( xn, NID_commonName,
+			buf, sizeof(buf)) == -1)
+		{
 #ifdef NEW_LOGGING
-		LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
-			"TLS unable to get common name from peer certificate.\n" ));
+			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
+				"TLS unable to get common name from peer certificate.\n" ));
 #else
-	    Debug( LDAP_DEBUG_ANY,
-		    "TLS: unable to get common name from peer certificate.\n",
-		    0, 0, 0 );
+			Debug( LDAP_DEBUG_ANY,
+				"TLS: unable to get common name from peer certificate.\n",
+				0, 0, 0 );
 #endif
-	} else if (strcasecmp(name, buf))
-	{
+
+		} else if (strcasecmp(name, buf)) {
 #ifdef NEW_LOGGING
-		LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
-			"TLS hostname (%s) does not match "
-			"common name in certificate (%s).\n", name, buf ));
+			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "ldap_pvt_tls_check_hostname: "
+				"TLS hostname (%s) does not match "
+				"common name in certificate (%s).\n", name, buf ));
 #else
-	    Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
-		    "common name in certificate (%s).\n", 
-		    name, buf, 0 );
+			Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+				"common name in certificate (%s).\n", 
+				name, buf, 0 );
 #endif
-	    ret =  LDAP_CONNECT_ERROR;
-	} else
-	{
-	    ret = LDAP_SUCCESS;
+			ret = LDAP_CONNECT_ERROR;
+
+		} else {
+			ret = LDAP_SUCCESS;
+		}
 	}
-    }
-    X509_free(x);
-    return ret;
+	X509_free(x);
+	return ret;
 }
 
 const char *
 ldap_pvt_tls_get_peer_issuer( void *s )
 {
 #if 0	/* currently unused; see ldap_pvt_tls_get_peer_dn() if needed */
-    X509 *x;
-    X509_NAME *xn;
-    char buf[2048], *p;
-
-    x = SSL_get_peer_certificate((SSL *)s);
-
-    if (!x)
-    	return NULL;
-    
-    xn = X509_get_issuer_name(x);
-    p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
-    X509_free(x);
-    return p;
+	X509 *x;
+	X509_NAME *xn;
+	char buf[2048], *p;
+
+	x = SSL_get_peer_certificate((SSL *)s);
+
+	if (!x) return NULL;
+	
+	xn = X509_get_issuer_name(x);
+	p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+	X509_free(x);
+	return p;
 #else
-    return NULL;
+	return NULL;
 #endif
 }
 
@@ -1013,19 +1026,25 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 	case LDAP_OPT_X_TLS:
 		i = -1;
-		if ( strcasecmp( arg, "never" ) == 0 )
+		if ( strcasecmp( arg, "never" ) == 0 ) {
 			i = LDAP_OPT_X_TLS_NEVER ;
-		if ( strcasecmp( arg, "demand" ) == 0 )
+
+		} else if ( strcasecmp( arg, "demand" ) == 0 ) {
 			i = LDAP_OPT_X_TLS_DEMAND ;
-		if ( strcasecmp( arg, "allow" ) == 0 )
+
+		} else if ( strcasecmp( arg, "allow" ) == 0 ) {
 			i = LDAP_OPT_X_TLS_ALLOW ;
-		if ( strcasecmp( arg, "try" ) == 0 )
+
+		} else if ( strcasecmp( arg, "try" ) == 0 ) {
 			i = LDAP_OPT_X_TLS_TRY ;
-		if ( ( strcasecmp( arg, "hard" ) == 0 ) ||
-		      ( strcasecmp( arg, "on" ) == 0 ) ||
-		      ( strcasecmp( arg, "yes" ) == 0) ||
-		      ( strcasecmp( arg, "true" ) == 0 ) )
+
+		} else if ( ( strcasecmp( arg, "hard" ) == 0 ) ||
+			( strcasecmp( arg, "on" ) == 0 ) ||
+			( strcasecmp( arg, "yes" ) == 0) ||
+			( strcasecmp( arg, "true" ) == 0 ) )
+		{
 			i = LDAP_OPT_X_TLS_HARD ;
+		}
 
 		if (i >= 0) {
 			return ldap_pvt_tls_set_option( ld, option, &i );
@@ -1063,10 +1082,11 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 		*(int *)arg = lo->ldo_tls_mode;
 		break;
 	case LDAP_OPT_X_TLS_CTX:
-		if ( ld == NULL )
+		if ( ld == NULL ) {
 			*(void **)arg = (void *) tls_def_ctx;
-		else
+		} else {
 			*(void **)arg = ld->ld_defconn->lconn_tls_ctx;
+		}
 		break;
 	case LDAP_OPT_X_TLS_CACERTFILE:
 		*(char **)arg = tls_opt_cacertfile ?
@@ -1277,47 +1297,49 @@ tls_info_cb( SSL *ssl, int where, int ret )
 		op = "undefined";
 	}
 
-        if ( where & SSL_CB_LOOP ) {
+	if ( where & SSL_CB_LOOP ) {
 #ifdef NEW_LOGGING
 		LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1, "tls_info_cb: "
 			"TLS trace: %s:%s\n", op, SSL_state_string_long( ssl ) ));
 #else
 		Debug( LDAP_DEBUG_TRACE,
-		       "TLS trace: %s:%s\n",
-		       op, SSL_state_string_long( ssl ), 0 );
+			   "TLS trace: %s:%s\n",
+			   op, SSL_state_string_long( ssl ), 0 );
 #endif
+
 	} else if ( where & SSL_CB_ALERT ) {
-                op = ( where & SSL_CB_READ ) ? "read" : "write";
+		op = ( where & SSL_CB_READ ) ? "read" : "write";
 #ifdef NEW_LOGGING
 		LDAP_LOG (( "tls", LDAP_LEVEL_DETAIL1, "tls_info_cb: "
 			"TLS trace: SSL3 alert %s:%s:%s\n", op,
-		       SSL_alert_type_string_long( ret ),
-		       SSL_alert_desc_string_long( ret) ));
+			   SSL_alert_type_string_long( ret ),
+			   SSL_alert_desc_string_long( ret) ));
 #else
 		Debug( LDAP_DEBUG_TRACE,
-		       "TLS trace: SSL3 alert %s:%s:%s\n",
-		       op,
-		       SSL_alert_type_string_long( ret ),
-		       SSL_alert_desc_string_long( ret) );
+			   "TLS trace: SSL3 alert %s:%s:%s\n",
+			   op,
+			   SSL_alert_type_string_long( ret ),
+			   SSL_alert_desc_string_long( ret) );
 #endif
+
 	} else if ( where & SSL_CB_EXIT ) {
-                if ( ret == 0 ) {
+		if ( ret == 0 ) {
 #ifdef NEW_LOGGING
 			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "tls_info_cb: "
 			"TLS trace: %s:failed in %s\n", op, SSL_state_string_long( ssl ) ));
 #else
 			Debug( LDAP_DEBUG_TRACE,
-			       "TLS trace: %s:failed in %s\n",
-			       op, SSL_state_string_long( ssl ), 0 );
+				   "TLS trace: %s:failed in %s\n",
+				   op, SSL_state_string_long( ssl ), 0 );
 #endif
-                } else if ( ret < 0 ) {
+		} else if ( ret < 0 ) {
 #ifdef NEW_LOGGING
 			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "tls_info_cb: "
 			"TLS trace: %s:error in %s\n", op, SSL_state_string_long( ssl ) ));
 #else
 			Debug( LDAP_DEBUG_TRACE,
-			       "TLS trace: %s:error in %s\n",
-			       op, SSL_state_string_long( ssl ), 0 );
+				   "TLS trace: %s:error in %s\n",
+				   op, SSL_state_string_long( ssl ), 0 );
 #endif
 		}
 	}
@@ -1354,9 +1376,9 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
 		sname ? sname : "-unknown-", iname ? iname : "-unknown-" ));
 #else
 	Debug( LDAP_DEBUG_TRACE,
-	       "TLS certificate verification: depth: %d, err: %d, subject: %s,",
-	       errdepth, errnum,
-	       sname ? sname : "-unknown-" );
+		   "TLS certificate verification: depth: %d, err: %d, subject: %s,",
+		   errdepth, errnum,
+		   sname ? sname : "-unknown-" );
 	Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 );
 #endif
 	if ( sname )
@@ -1378,21 +1400,21 @@ tls_verify_ok( int ok, X509_STORE_CTX *ctx )
 static void
 tls_report_error( void )
 {
-        unsigned long l;
-        char buf[200];
-        const char *file;
-        int line;
+	unsigned long l;
+	char buf[200];
+	const char *file;
+	int line;
 
-        while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
+	while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
 #ifdef NEW_LOGGING
-			LDAP_LOG (( "tls", LDAP_LEVEL_ERR, 
-				"tls_report_error: TLS %s %s:%d\n", 
-				ERR_error_string( l, buf ), file, line ));
+		LDAP_LOG (( "tls", LDAP_LEVEL_ERR, 
+			"tls_report_error: TLS %s %s:%d\n", 
+			ERR_error_string( l, buf ), file, line ));
 #else
-			Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
-			       ERR_error_string( l, buf ), file, line );
+		Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
+		   ERR_error_string( l, buf ), file, line );
 #endif
-        }
+	}
 }
 
 static RSA *
@@ -1430,7 +1452,7 @@ tls_seed_PRNG( const char *randfile )
 	if (randfile == NULL) {
 		/* The seed file is $RANDFILE if defined, otherwise $HOME/.rnd.
 		 * If $HOME is not set or buffer too small to hold the pathname,
-		 * an error occurs.    - From RAND_file_name() man page.
+		 * an error occurs.	- From RAND_file_name() man page.
 		 * The fact is that when $HOME is NULL, .rnd is used.
 		 */
 		randfile = RAND_file_name( buffer, sizeof( buffer ) );