mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-21 03:10:25 +08:00
Code Issues Packages Projects Releases Wiki Activity
17,737 Commits 38 Branches 307 Tags 74 MiB
79e489619a
Commit Graph

160 Commits

Author SHA1 Message Date
Howard Chu
36124c715a ITS#5789 GNUtls - allow CN matches against IP addresses 2008-11-04 11:21:52 +00:00
Howard Chu
7e4ba700f1 ITS#5585 GnuTLS key strength is in bytes, we expected bits 2008-06-30 23:32:35 +00:00
Howard Chu
9ef6cc3cd4 ITS#5577 GnuTLS CRL result >0 is success 2008-06-24 20:14:30 +00:00
Howard Chu
68316527c4 ITS#5341 GnuTLS ciphersuite parsing 2008-02-10 11:58:16 +00:00
Kurt Zeilenga
c890c96d13 Happy New Year (belated) 2008-01-08 00:19:56 +00:00
Hallvard Furuseth
90fe4bd927 ITS#4983: Partly revert tls_thread_self() paranoia from rev 1.154: Only 
require that ldap_pvt_thread_t can be cast to u.long and is not wider.
ITS#5010: In ldap_X509dn2bv(), catch error return from ber_decode_oid().
 2007-06-12 23:57:08 +00:00
Hallvard Furuseth
101b6b9363 Fix --without-tls (ITS#4975). Enable certificate matching. 2007-05-20 22:48:21 +00:00
Hallvard Furuseth
c47e444698 libldap/tls.c calls CRYPTO_set_id_callback(ldap_pvt_thread_self), which 
causes ldap_pvt_thread_self to be called with the wrong prototype.

That can cause OpenSSL to use a garbage value, e.g. if the unsigned
long it expects takes two words but ldap_pvt_thread_t is an int.

I'm fixing it in HEAD now and also provoking an error if unsigned
long cannot hold a ldap_pvt_thread_t.  Otherwise it can silently
compile to broken code.  Maybe the latter should go in configure,
but since OpenSSL presumably breaks anyway if that fails I don't
see much point at this time.
 2007-05-20 20:02:52 +00:00
Hallvard Furuseth
f906a99eec Only define x509_cert_get_dn() when HAVE_GNUTLS. Remove unused variable. 2007-05-18 15:10:15 +00:00
Howard Chu
d9a43aee44 Fix GNUtls acknowledgement, initial work by Matt Backes. Sponsored by 
The Written Word and Stanford University.
 2007-05-14 23:35:36 +00:00
Ralf Haferkamp
6ee5d7d3da make openssl builds working again 2007-05-14 12:19:32 +00:00
Howard Chu
423f20c915 GNUtls - ignore free of NULL ctx 2007-05-13 09:43:41 +00:00
Howard Chu
5f36d32596 Don't NUL-terminate bervals during DN parsing 2007-05-13 09:37:37 +00:00
Howard Chu
47a8f3213b Merged GNUtls support into main tls.c 2007-05-13 00:15:27 +00:00
Howard Chu
49d708fae3 Preliminary GNUtls support. gnutls.c will merge back into tls.c later. 2007-03-23 23:47:07 +00:00
Howard Chu
52a7af8230 ITS#4815 get_option for TLS Cipher Suite was not implemented 2007-01-24 23:38:26 +00:00
Kurt Zeilenga
da6d9eb046 happy new year 2007-01-02 20:00:42 +00:00
Howard Chu
7540751392 ITS#4723 add CRYPTO_set_id_callback 2006-11-30 06:37:12 +00:00
Howard Chu
8e48a3c317 ITS#4726 call ldap_pvt_tls_init() in init_ctx() to make sure initialization 
is done
 2006-11-09 23:00:38 +00:00
Howard Chu
57c329a3af ITS#4606 errno is not per-thread on WIN32, always use WSAGet/SetLastError 
(with notable exceptions: ignore tests for EINTR which winsock never sets)
 2006-09-14 06:35:34 +00:00
Howard Chu
a7870943f7 Fix TLS CTX ref counting 2006-07-02 22:38:01 +00:00
Howard Chu
15853f1e74 ITS#4583 use mutex around SSL_accept() 2006-06-08 19:35:42 +00:00
Howard Chu
25f81a48e6 Add SSL failure reason to TLS: can't connect message. 2006-05-13 00:29:28 +00:00
Howard Chu
eb0c92c7df Return rc for tls_init_def_ctx 2006-04-11 20:35:37 +00:00
Howard Chu
571ac24b33 Fix destruct sequencing 2006-04-07 02:41:58 +00:00
Howard Chu
9693c800bf Free/decrement SSL_CTX refcount when (re)setting it 2006-04-07 01:15:56 +00:00
Howard Chu
7709d4d89e Bump SSL_CTX refcount whenever it gets retrieved 2006-04-07 01:13:31 +00:00
Howard Chu
d18277eac9 ITS#4422, #4475 
Move TLS options into struct ldapoptions.
  Added ldap_int_tls_destroy()
  Added LDAP_OPT_X_TLS_NEWCTX to generate new SSL_CTX
 2006-04-07 00:52:38 +00:00
Howard Chu
fb4cba514d ITS#4354 only set DH callback if OPT_DHFILE has been set. 2006-01-19 18:12:15 +00:00
Kurt Zeilenga
acbb5cf689 Happy new year! 2006-01-03 23:11:52 +00:00
Howard Chu
146b2c5389 ITS#4082 tls ctx requirements are only applicable to servers, or clients 
with tls_opt_require_cert = TRY or DEMAND. Ignore requirements for clients.
 2005-11-08 13:42:10 +00:00
Pierangelo Masarati
a6453f28f8 silence warnings 2005-11-06 23:27:09 +00:00
Howard Chu
d67a2f2044 Move lconn_tls_ctx to ldo_tls_ctx. Otherwise clients cannot set it after 
ldap_initializ'ing an LD and before connecting on it. Really all of the
global TLS options belong in the ldapoptions struct, instead of static vars.
 2005-11-05 12:49:43 +00:00
Howard Chu
6fcfaedf90 ITS#4137 was returning with tls_def_ctx_mutex locked. 2005-11-02 23:43:19 +00:00
Howard Chu
4ebed09d81 ITS#4017, additional revisions for DH parameters 2005-10-28 05:35:19 +00:00
Kurt Zeilenga
0ea43c9d7d Assume TLS is properly configured if any one of 
keyfile, certfile, cacertfile, or cacertdir is
provided.  Note that TLS can be properly configured
without any of these when non-X.509 cipher suites
are used, so this might have be rethought.
 2005-10-12 20:31:04 +00:00
Howard Chu
f54bc26357 ITS#4072 ldap_pvt_tls_init_def_ctx() returns LDAP_NO_SUPPORT if not 
sufficiently configured. Update slapd/slurpd to act appropriately.
 2005-10-09 19:55:39 +00:00
Howard Chu
9095af5928 ITS#4017 support Diffie-Hellman parameters for multiple key lengths 2005-10-05 20:01:52 +00:00
Pierangelo Masarati
385aebc806 plug potential ld_error leak (ITS#4064) 2005-10-04 21:30:30 +00:00
Pierangelo Masarati
b3f366e0ba essentially address 3791 with a reworked patch 2005-08-11 15:13:29 +00:00
Pierangelo Masarati
ad62d9da1b expose ldap_tls_inplace() 2005-08-11 12:14:24 +00:00
Kurt Zeilenga
542f3634aa Add ldap_start_tls() and ldap_install_tls() to provide async version 
of ldap_start_tls_s().
 2005-02-01 23:53:17 +00:00
Kurt Zeilenga
dc0eacd40b Happy New Year! 2005-01-01 20:49:32 +00:00
Howard Chu
ae592801aa Add callbacks for client TLS connection establishment: 
LDAP_OPT_X_TLS_CONNECT_CB and LDAP_OPT_X_TLS_CONNECT_ARG
with int (LDAP_TLS_CONNECT_CB) (LDAP *ld, SSL *ssl, SSL_CTX *ctx, void *arg)
To be called whenever the client library allocates a new SSL* handle.
 2004-11-23 03:48:09 +00:00
Ralf Haferkamp
93cec8b694 - Added autoconf test for CRL capable OpenSSL Version 
- #ifdef'd CRL checking code.
 2004-11-03 12:02:38 +00:00
Ralf Haferkamp
5704a2ef6e CRL checking options for ldap.conf and slapd.conf 2004-10-28 18:50:38 +00:00
Kurt Zeilenga
5f5d50aeb0 Add TLS cipher suite directive to ldap.conf(5) 2004-09-05 07:21:20 +00:00
Kurt Zeilenga
d611a4b49a unifdef -UNEW_LOGGING 2004-09-04 04:54:28 +00:00
Kurt Zeilenga
3484ddff18 cleanup 2004-06-22 20:20:47 +00:00
Kurt Zeilenga
5deea2b617 ITS#3134: support DNSname style wildcards in common name 
(This is not consistent with RFC 3280 or RFC 2830, but consistent
with current practices.)
Based upon patch submitted by Quanah Gibson-Mount <quanah@stanford.edu>.
 2004-05-19 02:47:30 +00:00