mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-01-06 10:46:21 +08:00
Code Issues Packages Projects Releases Wiki Activity
22,644 Commits 38 Branches 307 Tags 74 MiB
4bc333c5e7
Commit Graph

49 Commits

Author SHA1 Message Date
Ryan Tandy
63c82c0ed7 ITS#9069 Do not call gnutls_global_set_mutex() 
Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.

When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.

Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code may
be unmapped and the application could crash when GnuTLS calls the mutex
functions.

On typical systems, GnuTLS system mutexes are probably the same as what
libldap uses anyway.
 2019-09-12 13:16:30 -07:00
Ondřej Kuzník
09cec1f1b4 ITS#8731 Apply doc/devel/variadic_debug/03-libldap_Debug.cocci 2019-02-15 16:51:53 +00:00
Quanah Gibson-Mount
b45a6a7dc7 Happy New Year! 2019-01-14 18:46:16 +00:00
Ryan Tandy
4c1ab16ade Revert "ITS#8650 retry gnutls_handshake after GNUTLS_E_AGAIN" 
This reverts commit 7b5181da8c.
 2018-09-18 19:16:31 -07:00
Quanah Gibson-Mount
59e9ff6243 Happy New Year 2018-03-22 15:35:24 +00:00
Ondřej Kuzník
8e34ed8c78 ITS#8753 Public key pinning support in libldap 2017-11-13 17:24:49 +00:00
Ryan Tandy
7b5181da8c ITS#8650 retry gnutls_handshake after GNUTLS_E_AGAIN 2017-05-06 22:50:13 +00:00
Howard Chu
9e051001d4 Add GnuTLS support for direct DER config of cacert/cert/key 
Followon to b402a2805f
 2017-04-10 00:21:08 +01:00
Quanah Gibson-Mount
1df85d3427 Happy New Year! 2017-01-03 12:36:47 -08:00
Howard Chu
283f3ae171 ITS#8385 Fix use-after-free with GnuTLS 2016-03-12 11:03:29 +00:00
Quanah Gibson-Mount
6c4d6c880b Happy New Year! 2016-01-29 13:32:05 -06:00
Quanah Gibson-Mount
1705fa7e55 Happy New Year 2015-02-11 15:36:57 -06:00
Ryan Tandy
7d2f9c6277 ITS#7877 assume gnutls is at least 2.12.0 2014-06-30 20:08:38 -07:00
Ryan Tandy
0fd0f24f03 ITS#7877 assume gnutls provides cipher suites 2014-06-30 20:08:17 -07:00
Ryan Tandy
829027945f ITS#7877 use nettle instead of gcrypt 2014-06-30 20:07:41 -07:00
Kurt Zeilenga
5c878c1bf2 Happy new year (belated) 2014-01-25 05:21:25 -08:00
Howard Chu
16f8b0902c ITS#7398 add LDAP_OPT_X_TLS_PEERCERT 
retrieve peer cert for an active TLS session
 2013-09-10 04:31:39 -07:00
Howard Chu
7d6d6944c5 ITS#7683 log tls prot/cipher info 
Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.
 2013-09-07 12:22:09 -07:00
Howard Chu
0205e83f46 ITS#7430 GnuTLS: Avoid use of deprecated function 2013-09-07 09:41:46 -07:00
Howard Chu
3e100bb54d Add GnuTLS channel binding support 2013-09-07 09:38:47 -07:00
Howard Chu
cb00bb0218 Fix double-free on ciphersuite parse failure 
GnuTLS does an implicit free on failure.
 2013-09-07 08:58:25 -07:00
Howard Chu
a72d1ffe0f ITS#7506 cleanup prev commit 2013-09-07 06:31:58 -07:00
Ben Jencks
622d13a32e ITS#7506 tls_g.c: Properly support DHParamFile. 
If a DHParamFile or olcDHParamFile is specified then it will be loaded. This
allows use of DHE/EDH cipher suites which was previously impossible with
GnuTLS.
 2013-09-07 06:29:14 -07:00
Howard Chu
ca310ebff4 Add channel binding support 
Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.
 2013-08-26 23:31:48 -07:00
Kurt Zeilenga
0fd1bf30b8 Happy New Year 2013-01-02 10:22:57 -08:00
Emily Backes
c453a236fc Update name information 2012-07-22 07:08:35 -07:00
Howard Chu
bb921063e0 ITS#7194 fix IPv6 URL detection 2012-03-08 19:35:44 -08:00
Kurt Zeilenga
2bbf9804b9 Happy New Year! 2012-01-01 07:10:53 -08:00
Howard Chu
9b082bf716 ITS#7051 fix GNUtls cert dn parse 2011-09-30 00:41:13 -07:00
Kurt Zeilenga
966cef8c9a Happy New Year 2011-01-05 00:42:37 +00:00
Hallvard Furuseth
16b7df8397 ITS#6625 Remove some LDAP_R_COMPILEs 2010-12-06 11:31:58 +00:00
Howard Chu
abe4a5f83b ITS#6673 GnuTLS hangs if you tell it to shut the read direction. Just 
shut the write direction; it will all be irrelevant since the socket
will be closed immediately after.
 2010-10-16 12:11:11 +00:00
Pierangelo Masarati
ee156cfd7a serial can be longer than ber_int_t (ITS#6460) 2010-04-14 20:26:24 +00:00
Kurt Zeilenga
3dadeb3efe happy belated New Year 2010-04-13 22:17:29 +00:00
Ralf Haferkamp
8fcdc29405 In case of certificate verification failures include failure reason 
into the error message (openssl only)
 2009-09-30 16:25:23 +00:00
Howard Chu
e229b7c398 In session_chkhost get the last CN, not the first. 2009-08-07 11:59:42 +00:00
Howard Chu
e223d0b124 ITS#6053 must use gnutls_x509_privkey_init() 2009-04-11 03:53:26 +00:00
Howard Chu
0ba084d8b0 More cleanup 2009-03-05 09:15:02 +00:00
Howard Chu
c3f8e67615 Tweak prev commit 2009-03-05 09:13:26 +00:00
Howard Chu
9bc829dbef ITS#5991 build cert chain, GnuTLS doesn't do it for us 2009-03-05 08:04:49 +00:00
Howard Chu
54ed3779d6 ITS#5992 trust X509v1 CA certs 2009-03-05 04:35:49 +00:00
Howard Chu
c3cff40c1c ITS#5981 fix GnuTLS TLSVerifyClient try 2009-03-02 03:01:41 +00:00
Howard Chu
b886c2ad8a ITS#5937 fix ancient IPv6 typo 2009-02-10 13:27:22 +00:00
Howard Chu
08905d6792 ITS#5789 again 2009-01-26 21:08:55 +00:00
Howard Chu
f59ce2b9a1 ITS#5462 add randfile support for gcrypt 1.4 2009-01-26 03:41:27 +00:00
Howard Chu
2558951251 ITS#5887 add native support for cipher suites for GnuTLS >= 2.2.0 2009-01-26 03:21:16 +00:00
Howard Chu
4dff3e6807 Switch to using modular TLS code, single-implementation version 2009-01-26 02:06:45 +00:00
Kurt Zeilenga
4af9eb9715 Update copyright notices 2009-01-22 00:40:04 +00:00
Howard Chu
a225b02f17 Modular TLS support, proof of concept. tls2.c would replace tls.c, 
but I'm leaving tls.c intact for now.
 2008-08-13 16:18:51 +00:00