From e892ebfc5e689064c4213c9b0cba940d225a4674 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Julio=20S=C3=A1nchez=20Fern=C3=A1ndez?= Date: Tue, 20 Jul 1999 18:31:53 +0000 Subject: [PATCH] Some content for tls_verify_cb where parts of our policy should be implemented. The rest of this change mostly contains random ideas taken from mod_ssl. The purpose is to get the repository in sync with the code I am testing. I still can't manage to make Netscape send its certificate to slapd, though it works with Apache/mod_ssl (with the same certificates). Trying s_client against both does not shed any light. If anyone manages to make it work, please let us know. --- libraries/libldap/tls.c | 45 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 5ee0d0cf6a..ce1cd9149d 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -118,6 +118,8 @@ ldap_pvt_tls_init( void ) int ldap_pvt_tls_init_def_ctx( void ) { + STACK_OF(X509_NAME) *cacert; + #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex ); #endif @@ -147,6 +149,16 @@ ldap_pvt_tls_init_def_ctx( void ) tls_report_error(); goto error_exit; } + /* FIXME: Load from tls_opt_cacertdir too */ + cacert = SSL_load_client_CA_file( tls_opt_cacertfile ); + if ( !cacert ) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not load CA certificate file `%s'.\n", + tls_opt_cacertfile,0,0); + tls_report_error(); + goto error_exit; + } + SSL_CTX_set_client_CA_list( tls_def_ctx, cacert ); if ( tls_opt_keyfile && !SSL_CTX_use_PrivateKey_file( tls_def_ctx, tls_opt_keyfile, @@ -202,7 +214,7 @@ alloc_handle( Sockbuf *sb, void *ctx_arg ) } else { if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL; - ctx=tls_def_ctx; + ctx = tls_def_ctx; } ssl = SSL_new( ctx ); @@ -494,6 +506,37 @@ tls_close( Sockbuf *sb ) static int tls_verify_cb( int ok, X509_STORE_CTX *ctx ) { + X509 *cert; + int errnum; + int errdepth; + X509_NAME *subject; + X509_NAME *issuer; + char *sname; + char *iname; + + cert = X509_STORE_CTX_get_current_cert( ctx ); + errnum = X509_STORE_CTX_get_error( ctx ); + errdepth = X509_STORE_CTX_get_error_depth( ctx ); + + /* + * X509_get_*_name return pointers to the internal copies of + * those things requested. So do not free them. + */ + subject = X509_get_subject_name( cert ); + issuer = X509_get_issuer_name( cert ); + /* X509_NAME_oneline, if passed a NULL buf, allocate memomry */ + sname = X509_NAME_oneline( subject, NULL, 0 ); + iname = X509_NAME_oneline( issuer, NULL, 0 ); + Debug( LDAP_DEBUG_TRACE, + "TLS certificate verification: depth: %d, subject: %s, issuer: %s\n", + errdepth, + sname ? sname : "-unknown-", + iname ? iname : "-unknown-" ); + if ( sname ) + free ( sname ); + if ( iname ) + free ( iname ); + return 1; } -- 2.39.5