From 1ed2d0a4855c1a055de95e44dde16dcfa250cde0 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Mon, 15 Nov 2010 20:47:24 +0000 Subject: [PATCH] ITS#6706 from Rich Megginson @ Red Hat - improve diagnostic messages --- libraries/libldap/tls_m.c | 64 ++++++++++++++++++++++++++++++++------- 1 file changed, 53 insertions(+), 11 deletions(-) diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c index 124b85d53e..62d0f7792d 100644 --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c @@ -714,6 +714,12 @@ tlsm_dump_security_status(PRFileDesc *fd) return ""; } +static void +tlsm_handshake_complete_cb( PRFileDesc *fd, void *client_data ) +{ + tlsm_dump_security_status( fd ); +} + #ifdef READ_PASSWORD_FROM_FILE static char * tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx) @@ -899,16 +905,22 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, { SECStatus ret = SSL_AuthCertificate(arg, fd, checksig, isServer); - tlsm_dump_security_status( fd ); - Debug( LDAP_DEBUG_TRACE, - "TLS certificate verification: %s\n", - ret == SECSuccess ? "ok" : "bad", 0, 0 ); - if ( ret != SECSuccess ) { PRErrorCode errcode = PORT_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS certificate verification: Error, %d: %s\n", - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ; + /* we bypass NSS's hostname checks and do our own - tlsm_session_chkhost will handle it */ + if ( errcode == SSL_ERROR_BAD_CERT_DOMAIN ) { + Debug( LDAP_DEBUG_TRACE, + "TLS certificate verification: defer\n", + 0, 0, 0 ); + } else { + Debug( LDAP_DEBUG_ANY, + "TLS certificate verification: Error, %d: %s\n", + errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ; + } + } else { + Debug( LDAP_DEBUG_TRACE, + "TLS certificate verification: ok\n", + 0, 0, 0 ); } return ret; @@ -1186,6 +1198,11 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir PRStatus status = PR_FAILURE; PRErrorCode errcode = PR_SUCCESS; + if ( !cacertfile && !cacertdir ) { + /* no checking - not good, but allowed */ + return 0; + } + if ( cacertfile ) { int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca ); if ( rc ) { @@ -1399,9 +1416,11 @@ tlsm_deferred_init( void *arg ) if ( rc != SECSuccess ) { errcode = PORT_GetError(); - Debug( LDAP_DEBUG_TRACE, - "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n", - realcertdir, prefix, errcode ); + if ( securitydirs[ii] != lt->lt_cacertdir) { + Debug( LDAP_DEBUG_TRACE, + "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n", + realcertdir, prefix, errcode ); + } } else { /* success */ Debug( LDAP_DEBUG_TRACE, "TLS: using moznss security dir %s prefix %s.\n", @@ -1458,6 +1477,21 @@ tlsm_deferred_init( void *arg ) } if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) { + /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode + will be a value other than 1 - print an error message so that the + user will know that failed too */ + if ( ( errcode != 1 ) && ( lt->lt_cacertdir ) ) { + char *realcertdir = NULL; + char *prefix = NULL; + tlsm_get_certdb_prefix( lt->lt_cacertdir, &realcertdir, &prefix ); + Debug( LDAP_DEBUG_TRACE, + "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n", + realcertdir, prefix ? prefix : "", errcode ); + if ( realcertdir != lt->lt_cacertdir ) { + PL_strfree( realcertdir ); + } + PL_strfree( prefix ); + } return -1; } @@ -2045,6 +2079,14 @@ tlsm_deferred_ctx_init( void *arg ) return -1; } + if ( SSL_HandshakeCallback( ctx->tc_model, tlsm_handshake_complete_cb, ctx ) ) { + PRErrorCode err = PR_GetError(); + Debug( LDAP_DEBUG_ANY, + "TLS: error: could not set handshake callback for moznss - error %d:%s\n", + err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ), NULL ); + return -1; + } + return 0; } -- 2.39.5