mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-27 03:20:22 +08:00
Code Issues Packages Projects Releases Wiki Activity
23,569 Commits 38 Branches 307 Tags 74 MiB
b72bce2400
Commit Graph

58 Commits

Author SHA1 Message Date
Quanah Gibson-Mount
ce2c5173bd ITS#9161 - Fix various typos 
Fix a number of different typos across the code base
 2021-02-17 18:42:46 +00:00
Quanah Gibson-Mount
efaf9a4a17 Happy New Year! 2021-01-11 19:25:53 +00:00
Howard Chu
608a822349 ITS#9318 add TLS_REQSAN option 
Add an option to specify how subjectAlternativeNames should be
handled when validating the names in a server certificate.
 2020-08-21 18:05:08 +00:00
Ryan Tandy
9282e6edea ITS#8155 Support cacertdir with GnuTLS 2020-05-14 07:56:28 -07:00
Ryan Tandy
e96f90e212 ITS#9176 Implement SNI for GnuTLS 2020-04-27 11:01:01 -07:00
Howard Chu
5c0efb9ce8 ITS#9176 Add TLS SNI support to libldap 
Implemented for OpenSSL, GnuTLS just stubbed
 2020-04-27 03:41:12 +01:00
Isaac Boukris
3cd50fa8b3 ITS#9189 rework sasl-cbinding support 
Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
defaults to "none".

Add "tls-endpoint" binding type implementing "tls-server-end-point" from
RCF 5929, which is compatible with Windows.

Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
 2020-04-23 21:00:39 +02:00
Ryan Tandy
7732cb2794 ITS#9086 Add debug logging for more GnuTLS errors 2020-04-02 15:52:31 +00:00
Quanah Gibson-Mount
f6ad222e41 Happy New Year! 2020-01-09 16:50:21 +00:00
Ryan Tandy
63c82c0ed7 ITS#9069 Do not call gnutls_global_set_mutex() 
Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.

When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.

Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code may
be unmapped and the application could crash when GnuTLS calls the mutex
functions.

On typical systems, GnuTLS system mutexes are probably the same as what
libldap uses anyway.
 2019-09-12 13:16:30 -07:00
Ondřej Kuzník
09cec1f1b4 ITS#8731 Apply doc/devel/variadic_debug/03-libldap_Debug.cocci 2019-02-15 16:51:53 +00:00
Quanah Gibson-Mount
b45a6a7dc7 Happy New Year! 2019-01-14 18:46:16 +00:00
Ryan Tandy
4c1ab16ade Revert "ITS#8650 retry gnutls_handshake after GNUTLS_E_AGAIN" 
This reverts commit 7b5181da8c.
 2018-09-18 19:16:31 -07:00
Quanah Gibson-Mount
59e9ff6243 Happy New Year 2018-03-22 15:35:24 +00:00
Ondřej Kuzník
8e34ed8c78 ITS#8753 Public key pinning support in libldap 2017-11-13 17:24:49 +00:00
Ryan Tandy
7b5181da8c ITS#8650 retry gnutls_handshake after GNUTLS_E_AGAIN 2017-05-06 22:50:13 +00:00
Howard Chu
9e051001d4 Add GnuTLS support for direct DER config of cacert/cert/key 
Followon to b402a2805f
 2017-04-10 00:21:08 +01:00
Quanah Gibson-Mount
1df85d3427 Happy New Year! 2017-01-03 12:36:47 -08:00
Howard Chu
283f3ae171 ITS#8385 Fix use-after-free with GnuTLS 2016-03-12 11:03:29 +00:00
Quanah Gibson-Mount
6c4d6c880b Happy New Year! 2016-01-29 13:32:05 -06:00
Quanah Gibson-Mount
1705fa7e55 Happy New Year 2015-02-11 15:36:57 -06:00
Ryan Tandy
7d2f9c6277 ITS#7877 assume gnutls is at least 2.12.0 2014-06-30 20:08:38 -07:00
Ryan Tandy
0fd0f24f03 ITS#7877 assume gnutls provides cipher suites 2014-06-30 20:08:17 -07:00
Ryan Tandy
829027945f ITS#7877 use nettle instead of gcrypt 2014-06-30 20:07:41 -07:00
Kurt Zeilenga
5c878c1bf2 Happy new year (belated) 2014-01-25 05:21:25 -08:00
Howard Chu
16f8b0902c ITS#7398 add LDAP_OPT_X_TLS_PEERCERT 
retrieve peer cert for an active TLS session
 2013-09-10 04:31:39 -07:00
Howard Chu
7d6d6944c5 ITS#7683 log tls prot/cipher info 
Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.
 2013-09-07 12:22:09 -07:00
Howard Chu
0205e83f46 ITS#7430 GnuTLS: Avoid use of deprecated function 2013-09-07 09:41:46 -07:00
Howard Chu
3e100bb54d Add GnuTLS channel binding support 2013-09-07 09:38:47 -07:00
Howard Chu
cb00bb0218 Fix double-free on ciphersuite parse failure 
GnuTLS does an implicit free on failure.
 2013-09-07 08:58:25 -07:00
Howard Chu
a72d1ffe0f ITS#7506 cleanup prev commit 2013-09-07 06:31:58 -07:00
Ben Jencks
622d13a32e ITS#7506 tls_g.c: Properly support DHParamFile. 
If a DHParamFile or olcDHParamFile is specified then it will be loaded. This
allows use of DHE/EDH cipher suites which was previously impossible with
GnuTLS.
 2013-09-07 06:29:14 -07:00
Howard Chu
ca310ebff4 Add channel binding support 
Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.
 2013-08-26 23:31:48 -07:00
Kurt Zeilenga
0fd1bf30b8 Happy New Year 2013-01-02 10:22:57 -08:00
Emily Backes
c453a236fc Update name information 2012-07-22 07:08:35 -07:00
Howard Chu
bb921063e0 ITS#7194 fix IPv6 URL detection 2012-03-08 19:35:44 -08:00
Kurt Zeilenga
2bbf9804b9 Happy New Year! 2012-01-01 07:10:53 -08:00
Howard Chu
9b082bf716 ITS#7051 fix GNUtls cert dn parse 2011-09-30 00:41:13 -07:00
Kurt Zeilenga
966cef8c9a Happy New Year 2011-01-05 00:42:37 +00:00
Hallvard Furuseth
16b7df8397 ITS#6625 Remove some LDAP_R_COMPILEs 2010-12-06 11:31:58 +00:00
Howard Chu
abe4a5f83b ITS#6673 GnuTLS hangs if you tell it to shut the read direction. Just 
shut the write direction; it will all be irrelevant since the socket
will be closed immediately after.
 2010-10-16 12:11:11 +00:00
Pierangelo Masarati
ee156cfd7a serial can be longer than ber_int_t (ITS#6460) 2010-04-14 20:26:24 +00:00
Kurt Zeilenga
3dadeb3efe happy belated New Year 2010-04-13 22:17:29 +00:00
Ralf Haferkamp
8fcdc29405 In case of certificate verification failures include failure reason 
into the error message (openssl only)
 2009-09-30 16:25:23 +00:00
Howard Chu
e229b7c398 In session_chkhost get the last CN, not the first. 2009-08-07 11:59:42 +00:00
Howard Chu
e223d0b124 ITS#6053 must use gnutls_x509_privkey_init() 2009-04-11 03:53:26 +00:00
Howard Chu
0ba084d8b0 More cleanup 2009-03-05 09:15:02 +00:00
Howard Chu
c3f8e67615 Tweak prev commit 2009-03-05 09:13:26 +00:00
Howard Chu
9bc829dbef ITS#5991 build cert chain, GnuTLS doesn't do it for us 2009-03-05 08:04:49 +00:00
Howard Chu
54ed3779d6 ITS#5992 trust X509v1 CA certs 2009-03-05 04:35:49 +00:00