Commit Graph

60 Commits

Author SHA1 Message Date
Howard Chu
88e3454654 Add #include <openssl/safestack.h> to fix ITS#1412 2001-11-30 02:37:39 +00:00
Howard Chu
33ace5610c Added ldap_pvt_tls_destroy() to cleanup TLS library on shutdown 2001-11-06 20:52:59 +00:00
Pierangelo Masarati
192f83540c missing leading quote 2001-10-25 18:56:06 +00:00
Kurt Zeilenga
187f190fb6 Don't pass NULL string pointers to Debug 2001-10-25 18:32:59 +00:00
Kurt Zeilenga
7a4b9e3c32 Minor cleanup 2001-09-18 17:35:47 +00:00
Howard Chu
e4d8a87ddc Silence some typecast warnings 2001-09-18 05:22:53 +00:00
Howard Chu
966616b274 Don't pass NULL hostname to ldap_pvt_tls_check_hostname, use "localhost" 2001-09-18 05:19:55 +00:00
Kurt Zeilenga
241d6a558e Remove dead code 2001-09-09 04:47:03 +00:00
Kurt Zeilenga
553d80cedd Blindly fix TLS/SASL external interaction. 2001-09-09 03:42:26 +00:00
Kurt Zeilenga
05c9d4bfda Fix TLS ldap.conf issues 2001-09-05 21:22:41 +00:00
Howard Chu
f3501cbf50 Fix ldap_int_tls_start to set its error codes in ld->ld_errno. 2001-09-02 12:06:41 +00:00
Howard Chu
b10e0029a5 Full implementation of server identity checking per RFC2830 section 3.6 2001-09-02 11:23:28 +00:00
Howard Chu
44a3160fec Remove redundant call of SSL_set_info_callback, to allow users
to override it in the SSL_CTX.
2001-08-29 20:28:08 +00:00
Kurt Zeilenga
05960887bb Fix -H ldaps:// crashes due to rework of TLS code 2001-08-27 20:22:28 +00:00
Kurt Zeilenga
16fa8c4a21 Fix bug introduced during TLS rework 2001-08-02 04:20:11 +00:00
Kurt Zeilenga
77f776dfd1 Another round of TLS updates to support secure referral chasing 2001-06-25 19:17:42 +00:00
Kurt Zeilenga
350ffe6d15 Rework tls check
Needs to be connection specific
2001-06-25 18:20:14 +00:00
Kurt Zeilenga
c4f5497ac6 move TLS ctx to lconn struct in prep for supporting TLS with referrals
need to rework cert check to use per lconn host name
2001-06-25 07:33:42 +00:00
Kurt Zeilenga
4a23c08678 Fix up error handling 2001-06-22 21:01:04 +00:00
Kurt Zeilenga
deb9644a8a Should not be using reverse lookup names to check certificates. 2001-05-19 23:07:46 +00:00
Kurt Zeilenga
c0a06f25c2 Add ldap_pvt_tls_get_peer_dn() routine. Returns peer as an LDAP DN. 2001-01-18 00:40:58 +00:00
Kurt Zeilenga
1d1c1edf44 update rand file after use 2001-01-10 21:14:13 +00:00
Kurt Zeilenga
6053ed1058 ITS#903: validate hostname in server cert from Norbert Klasen
adapted as needed.
2000-11-22 20:23:38 +00:00
Kurt Zeilenga
511a84bc31 First cut of SASL/EXTERNAL 2000-10-31 23:00:35 +00:00
Kurt Zeilenga
edef4b2970 ITS#821: TLS data ready fix from <mattc@chartist.com> 2000-10-16 20:26:56 +00:00
Kurt Zeilenga
2cdbfd069b Add missing newlines 2000-10-05 18:30:06 +00:00
Kurt Zeilenga
778b665242 Fix up some free'ing. 2000-10-02 17:43:39 +00:00
Kurt Zeilenga
90d557402b Should modify code to bail on initialization errors...
For now, just (void) the return
2000-09-21 19:56:04 +00:00
Randy Kunkee
ab3be5d76d Include <ac/param.h> to pick up MAXPATHLEN. 2000-09-13 07:26:55 +00:00
Kurt Zeilenga
92c55c4454 Clean up 2000-09-13 01:12:47 +00:00
Kurt Zeilenga
d554a31b58 Move ldap_pvt_tls_init call to ldap_pvt_tls_start
Relax user-only options on TLS_RANDFILE and TLS_REQCERT
2000-09-13 00:54:45 +00:00
Kurt Zeilenga
2c30c90876 Rework TLS code (only supports default connection) 2000-09-12 00:30:05 +00:00
Kurt Zeilenga
5518aefda0 Change default to SSL_PEER_NONE (don't require peer certificate). 2000-09-01 23:24:17 +00:00
Kurt Zeilenga
a2afb207be Move ldap_start_tls_s() to tls.c 2000-08-25 02:16:15 +00:00
Howard Chu
0f8047b95e Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.
Added ldap_pvt_tls_get_strength() - return encryption strength, for
use as a SASL session security factor.
2000-08-16 23:27:41 +00:00
Kurt Zeilenga
5fc22599e2 Update SASL code to reuse context through life of session.
Replace 'negotiated' with 'interactive' bind
Add hooks for SASL/EXTERNAL
Disable SASL security layers
Rework SASL command line and config file parameters
2000-07-13 22:54:38 +00:00
Kurt Zeilenga
fe23628faa ITS#619: TLS PRNG initialization code
based upon patch provided by Ted C. Cheng <cheng@ix.netcom.com>
2000-07-08 22:17:50 +00:00
Kurt Zeilenga
0eb19657fa Add missing -DNO_THREADS trylock and make minor change to TLS
in an attempt to get it to work with GNU PTH.
2000-06-07 23:58:16 +00:00
Kurt Zeilenga
6ad1c45bd3 Use LDAP_VFREE and friends. Other misc code cleanup. 2000-06-07 05:17:29 +00:00
Kurt Zeilenga
2e0912622b ITS#537: lber io rewrite from Gábor Gombás.
Copyright 2000 Gábor Gombás. All rights reserved.
This is free software. You may redistribute and use it under the same
terms as OpenLDAP itself.
2000-06-01 20:59:21 +00:00
Kurt Zeilenga
29d9fa20a2 Y2k copyright update 2000-05-13 02:36:07 +00:00
Howard Chu
f0c4f83ea2 libldap/tls.c: change tls_verify_cb to no longer ignore verification errors.
This means an ldaps connection may drop before any LDAP protocol exchange
occurs (due to expired cert, unrecognized CAs, etc.).
Change ldap_pvt_tls_connect to copy any TLS error string to ld_error upon
connection failure, otherwise client just sees "can't contact LDAP server."

slapd/connection.c: add flush/delay when SSL_accept fails, to allow any
TLS alerts we generated to propagate back to the client. (Which will then
be picked up by ldap_pvt_tls_connect on the client...)
2000-05-10 17:07:09 +00:00
Kurt Zeilenga
1a348f9fbe Return okay after setting LDAP_OPT_X_TLS_CERT (ITS#447) 2000-03-18 23:55:51 +00:00
Howard Chu
80f85e972d In ldap_pvt_tls_init() treat subsequent invocations as no-ops, not error.
In tls_verify_cb() use CRYPTO_free instead of free (necessary on NT due to
use of different heaps).
Changed update_flags to use SSL_get_error() to check success/status. This
fixes the problem of sb->sb_trans_needs_read getting set on dead sockets.
2000-01-15 19:03:16 +00:00
Mark Valence
a76c9f18a9 Start TLS extension: check that TLS was inited successfully, return default referral on failure as appropriate. 1999-12-10 19:18:33 +00:00
Mark Valence
454284f1ea Adds for Start TLS functionality on slapd and LDAP C API. 1999-12-09 22:33:22 +00:00
Mark Valence
15c83bef9d Changed ldap_pvt_tls_init_def_ctx() to not fail if there is no cacertfile/dir specified. This lets LDAP_OPT_X_TLS_REQUIRE_CERT=0 work. If LDAP_OPT_X_TLS_REQUIRE_CERT=1, connection will fail as appropriate since there is no CA list. 1999-12-06 04:44:22 +00:00
Mark Valence
a50cd075db Changes to make TLS work on Windows 1999-10-27 22:40:05 +00:00
Mark Valence
9e7243015c fixed LDAP_OPT_X_TLS case of ldap_pvt_tls_config().
ldap_pvt_tls_set_option() expects int* as third param.
1999-09-25 03:53:17 +00:00
Kurt Zeilenga
403f4479bc Add OpenLDAP RCSid to *.[ch] in clients, libraries, and servers.
Replace old Id as needed (back-tcl).
Leave updating of contribWare to contributors (for now).
1999-09-08 19:06:24 +00:00