Kurt Zeilenga
b0b8546f05
Patch: More format bugs (ITS#1702)
...
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
2002-04-02 18:56:26 +00:00
Julius Enarusai
e86782aab9
Added LDAP_LOG messages
2002-04-01 23:39:36 +00:00
Kurt Zeilenga
fcf9f451a5
Copyright 2001, Adrian Thurston, All rights reserved.
...
This software is not subject to any license of
Xandros Corporation.
This is free software; you can redistribute and use it under the same
terms as OpenLDAP itself.
-------------------------------------------------------------------
This patch adds an option to ldap_get_option which can be called after
ldap_start_tls in order to obtain the pointer to the SSL object used
2002-03-11 03:39:08 +00:00
Howard Chu
63a4a19732
Send a warning to the client if we try to use a bad cert.
2002-01-27 03:48:08 +00:00
Howard Chu
c3c85b4062
Extended TLS_REQCERT/TLSVerifyClient syntax to 4 states: never,allow,try,
...
and hard/demand.
2002-01-27 02:56:18 +00:00
Howard Chu
c81d2bb855
Fix, errno was incorrect after SSL_read returned 0 bytes, caused slapd to
...
close the connection prematurely.
2002-01-26 13:43:22 +00:00
Howard Chu
923e64156d
More cleanup in ldap_pvt_tls_destroy()
2002-01-12 02:31:41 +00:00
Howard Chu
07119f7342
Fix ldap_start_tls_s, don't check for TLS present on a non-existent sockbuf
2002-01-12 02:25:22 +00:00
Kurt Zeilenga
0e2af54a3f
Update copyright statements
2002-01-04 21:17:25 +00:00
Howard Chu
fca5613e98
Hide (make static) sb_bio_method and tls_sbio structures. They're
...
already completely hidden by accessor functions.
2002-01-02 22:29:11 +00:00
Kurt Zeilenga
943800a534
We "understand" localhost to be same as the local hostname as
...
returned by gethostname().
2001-12-17 23:56:16 +00:00
Howard Chu
88e3454654
Add #include <openssl/safestack.h> to fix ITS#1412
2001-11-30 02:37:39 +00:00
Howard Chu
33ace5610c
Added ldap_pvt_tls_destroy() to cleanup TLS library on shutdown
2001-11-06 20:52:59 +00:00
Pierangelo Masarati
192f83540c
missing leading quote
2001-10-25 18:56:06 +00:00
Kurt Zeilenga
187f190fb6
Don't pass NULL string pointers to Debug
2001-10-25 18:32:59 +00:00
Kurt Zeilenga
7a4b9e3c32
Minor cleanup
2001-09-18 17:35:47 +00:00
Howard Chu
e4d8a87ddc
Silence some typecast warnings
2001-09-18 05:22:53 +00:00
Howard Chu
966616b274
Don't pass NULL hostname to ldap_pvt_tls_check_hostname, use "localhost"
2001-09-18 05:19:55 +00:00
Kurt Zeilenga
241d6a558e
Remove dead code
2001-09-09 04:47:03 +00:00
Kurt Zeilenga
553d80cedd
Blindly fix TLS/SASL external interaction.
2001-09-09 03:42:26 +00:00
Kurt Zeilenga
05c9d4bfda
Fix TLS ldap.conf issues
2001-09-05 21:22:41 +00:00
Howard Chu
f3501cbf50
Fix ldap_int_tls_start to set its error codes in ld->ld_errno.
2001-09-02 12:06:41 +00:00
Howard Chu
b10e0029a5
Full implementation of server identity checking per RFC2830 section 3.6
2001-09-02 11:23:28 +00:00
Howard Chu
44a3160fec
Remove redundant call of SSL_set_info_callback, to allow users
...
to override it in the SSL_CTX.
2001-08-29 20:28:08 +00:00
Kurt Zeilenga
05960887bb
Fix -H ldaps:// crashes due to rework of TLS code
2001-08-27 20:22:28 +00:00
Kurt Zeilenga
16fa8c4a21
Fix bug introduced during TLS rework
2001-08-02 04:20:11 +00:00
Kurt Zeilenga
77f776dfd1
Another round of TLS updates to support secure referral chasing
2001-06-25 19:17:42 +00:00
Kurt Zeilenga
350ffe6d15
Rework tls check
...
Needs to be connection specific
2001-06-25 18:20:14 +00:00
Kurt Zeilenga
c4f5497ac6
move TLS ctx to lconn struct in prep for supporting TLS with referrals
...
need to rework cert check to use per lconn host name
2001-06-25 07:33:42 +00:00
Kurt Zeilenga
4a23c08678
Fix up error handling
2001-06-22 21:01:04 +00:00
Kurt Zeilenga
deb9644a8a
Should not be using reverse lookup names to check certificates.
2001-05-19 23:07:46 +00:00
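Three of the entries on this page describe the client-side peer checks that libldap grew in this period: the four-state TLS_REQCERT/TLSVerifyClient syntax (never, allow, try, hard/demand), the server identity check per RFC 2830 section 3.6, and the fix to stop using reverse-lookup names when checking certificates. The block below is an added example written for this page; it is not OpenLDAP code and not taken from any of the commits listed. It models those rules without linking OpenSSL: the certificate is represented as the names already extracted from it (a constructed `peer_names` struct), the policy semantics follow the ldap.conf(5) description of the four TLS_REQCERT values, and the hostname rules follow RFC 2830 section 3.6 (dNSName subjectAltName preferred over the subject CN, wildcard only in the leftmost label). The IP-literal branch is an assumption taken from later practice rather than from RFC 2830, and every function and type name here (`tls_name_match`, `tls_check_hostname`, `tls_peer_accept`, `sample_peer`) is hypothetical.

```c
/* Added example, not libldap code. Models TLS_REQCERT policy
 * (ldap.conf(5)) and RFC 2830 3.6 server identity checking. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum reqcert { REQCERT_NEVER, REQCERT_ALLOW, REQCERT_TRY, REQCERT_DEMAND };

/* Names as extracted from the server certificate (constructed model). */
struct peer_names {
    const char *dns[4];   /* subjectAltName dNSName entries, NULL-terminated */
    const char *ip[2];    /* subjectAltName iPAddress entries as text */
    const char *cn;       /* subject commonName, may be NULL */
};

/* Case-insensitive hostname equality (DNS names are case-insensitive). */
static int host_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Match one certificate name against the host the client dialled.
 * A wildcard is honoured only as the whole leftmost label ("*.x.y")
 * and matches exactly one label of the host. */
int tls_name_match(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return host_eq(pattern + 2, dot + 1);
    }
    return host_eq(pattern, host);
}

/* Crude IPv4-literal test; assumption for the example (real code: inet_pton). */
static int is_ip_literal(const char *s)
{
    for (; *s; s++)
        if (!isdigit((unsigned char)*s) && *s != '.')
            return 0;
    return 1;
}

/* connect_host is the name the client used to reach the server, never a
 * reverse-lookup result. dNSName SANs win if present, else the CN is used;
 * an IP literal is compared only against iPAddress SANs (assumption). */
int tls_check_hostname(const struct peer_names *pn, const char *connect_host)
{
    size_t i;
    if (is_ip_literal(connect_host)) {
        for (i = 0; pn->ip[i] != NULL; i++)
            if (strcmp(pn->ip[i], connect_host) == 0)
                return 1;
        return 0;
    }
    if (pn->dns[0] != NULL) {
        for (i = 0; pn->dns[i] != NULL; i++)
            if (tls_name_match(pn->dns[i], connect_host))
                return 1;
        return 0;
    }
    return pn->cn != NULL && tls_name_match(pn->cn, connect_host);
}

/* TLS_REQCERT per ldap.conf(5): never = nothing checked; allow = missing
 * or bad certificate tolerated; try = missing tolerated, bad is fatal;
 * demand/hard = certificate required, must verify and match the host. */
int tls_peer_accept(enum reqcert mode, int cert_present, int chain_ok,
                    const struct peer_names *pn, const char *connect_host)
{
    if (mode == REQCERT_NEVER)
        return 1;
    if (!cert_present)
        return mode != REQCERT_DEMAND;
    if (!chain_ok || !tls_check_hostname(pn, connect_host))
        return mode == REQCERT_ALLOW;
    return 1;
}

/* Constructed sample certificate names for the demonstration. */
const struct peer_names sample_peer = {
    { "ldap.example.com", "*.example.org", NULL },
    { "192.0.2.10", NULL },
    "cn-only.example.net"   /* ignored: dNSName SANs are present */
};

int main(void)
{
    const char *hosts[] = { "LDAP.example.com", "dir.example.org",
                            "a.b.example.org", "192.0.2.10", "cn-only.example.net" };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s demand:%d allow:%d\n", hosts[i],
               tls_peer_accept(REQCERT_DEMAND, 1, 1, &sample_peer, hosts[i]),
               tls_peer_accept(REQCERT_ALLOW, 1, 1, &sample_peer, hosts[i]));
    return 0;
}
```

Two points the sample run makes visible: `a.b.example.org` is rejected under demand because the wildcard covers a single label only, and `cn-only.example.net` is rejected because a certificate carrying dNSName entries is judged on those, not on its CN. Under allow both are accepted, which is exactly why allow is a debugging setting rather than a production one.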
Kurt Zeilenga
c0a06f25c2
Add ldap_pvt_tls_get_peer_dn() routine. Returns peer as an LDAP DN.
2001-01-18 00:40:58 +00:00
Kurt Zeilenga
1d1c1edf44
update rand file after use
2001-01-10 21:14:13 +00:00
Kurt Zeilenga
6053ed1058
ITS#903: validate hostname in server cert from Norbert Klasen
...
adapted as needed.
2000-11-22 20:23:38 +00:00
Kurt Zeilenga
511a84bc31
First cut of SASL/EXTERNAL
2000-10-31 23:00:35 +00:00
Kurt Zeilenga
edef4b2970
ITS#821: TLS data ready fix from <mattc@chartist.com>
2000-10-16 20:26:56 +00:00
Kurt Zeilenga
2cdbfd069b
Add missing newlines
2000-10-05 18:30:06 +00:00
Kurt Zeilenga
778b665242
Fix up some free'ing.
2000-10-02 17:43:39 +00:00
Kurt Zeilenga
90d557402b
Should modify code to bail on initialization errors...
...
For now, just (void) the return
2000-09-21 19:56:04 +00:00
Randy Kunkee
ab3be5d76d
Include <ac/param.h> to pick up MAXPATHLEN.
2000-09-13 07:26:55 +00:00
Kurt Zeilenga
92c55c4454
Clean up
2000-09-13 01:12:47 +00:00
Kurt Zeilenga
d554a31b58
Move ldap_pvt_tls_init call to ldap_pvt_tls_start
...
Relax user-only options on TLS_RANDFILE and TLS_REQCERT
2000-09-13 00:54:45 +00:00
Kurt Zeilenga
2c30c90876
Rework TLS code (only supports default connection)
2000-09-12 00:30:05 +00:00
Kurt Zeilenga
5518aefda0
Change default to SSL_PEER_NONE (don't require peer certificate).
2000-09-01 23:24:17 +00:00
Kurt Zeilenga
a2afb207be
Move ldap_start_tls_s() to tls.c
2000-08-25 02:16:15 +00:00
Howard Chu
0f8047b95e
Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.
...
Added ldap_pvt_tls_get_strength() - return encryption strength, for
use as a SASL session security factor.
2000-08-16 23:27:41 +00:00
Kurt Zeilenga
5fc22599e2
Update SASL code to reuse context through life of session.
...
Replace 'negotiated' with 'interactive' bind
Add hooks for SASL/EXTERNAL
Disable SASL security layers
Rework SASL command line and config file parameters
2000-07-13 22:54:38 +00:00
Kurt Zeilenga
fe23628faa
ITS#619: TLS PRNG initialization code
...
based upon patch provided by Ted C. Cheng <cheng@ix.netcom.com>
2000-07-08 22:17:50 +00:00
Kurt Zeilenga
0eb19657fa
Add missing -DNO_THREADS trylock and make minor change to TLS
...
in attempt to get it work with GNU PTH.
2000-06-07 23:58:16 +00:00
Kurt Zeilenga
6ad1c45bd3
Use LDAP_VFREE and friends. Other misc code cleanup.
2000-06-07 05:17:29 +00:00
Kurt Zeilenga
2e0912622b
ITS#537: lber io rewrite from Gambor Gombas.
...
Copyright 2000 Gábor Gombás. All rights reserved.
This is free software. You may redistribute and use it under the same
terms as OpenLDAP itself.
2000-06-01 20:59:21 +00:00
Kurt Zeilenga
29d9fa20a2
Y2k copyright update
2000-05-13 02:36:07 +00:00
Howard Chu
f0c4f83ea2
libldap/tls.c: change tls_verify_cb to no longer ignore verification errors.
...
This means a ldaps connection may drop before any LDAP protocol exchange
occurs (due to expired cert, unrecognized CAs, etc.).
Change ldap_pvt_tls_connect to copy any TLS error string to ld_error upon
connection failure, otherwise client just sees "can't contact LDAP server."
slapd/connection.c: add flush/delay when SSL_accept fails, to allow any
TLS alerts we generated to propagate back to the client. (Which will then
be picked up by ldap_pvt_tls_connect on the client...)
2000-05-10 17:07:09 +00:00
Kurt Zeilenga
1a348f9fbe
Return okay after setting LDAP_OPT_X_TLS_CERT (ITS#447)
2000-03-18 23:55:51 +00:00
Howard Chu
80f85e972d
In ldap_pvt_tls_init() treat subsequent invocations as no-ops, not error.
...
In tls_verify_cb() use CRYPTO_free instead of free (necessary on NT due to
use of different heaps).
Changed update_flags to use SSL_get_error() to check success/status. This
fixes the problem of sb->sb_trans_needs_read getting set on dead sockets.
2000-01-15 19:03:16 +00:00
Mark Valence
a76c9f18a9
Start TLS extension: check that TLS was inited successfully, return default referral on failure as appropriate.
1999-12-10 19:18:33 +00:00
Mark Valence
454284f1ea
Adds for Start TLS functionality on slapd and LDAP C API.
1999-12-09 22:33:22 +00:00
Mark Valence
15c83bef9d
Changed ldap_pvt_tls_init_def_ctx() to not fail if there is no cacertfile/dir specified. This lets LDAP_OPT_X_TLS_REQUIRE_CERT=0 work. If LDAP_OPT_X_TLS_REQUIRE_CERT=1, connection will fail as appropriate since there is no CA list.
1999-12-06 04:44:22 +00:00
Mark Valence
a50cd075db
Changes to make TLS work on Windows
1999-10-27 22:40:05 +00:00
Mark Valence
9e7243015c
fixed LDAP_OPT_X_TLS case of ldap_pvt_tls_config().
...
ldap_pvt_tls_set_option() expects int* as third param.
1999-09-25 03:53:17 +00:00
Kurt Zeilenga
403f4479bc
Add OpenLDAP RCSid to *.[ch] in clients, libraries, and servers.
...
Replace old Id as needed (back-tcl).
Leave updating of contribWare to contributors (for now).
1999-09-08 19:06:24 +00:00
Kurt Zeilenga
5c63fd55b5
Implement ldap_dn_normalize and friends. Should be used by clients
...
to validate input dn's BEFORE sending dn's to server.
Also fixed getfilter to use REG_EXTENDED|REG_NOSUB. (and fixed one
case where REG_BASIC was still used).
s/strdup/LDAP_STRDUP/
Added ldap_pvt_str2lower/upper
1999-08-25 06:44:08 +00:00
Hallvard Furuseth
67ff28bf52
Include <ac/stdlib.h> instead of <stdlib.h>
1999-08-01 22:42:34 +00:00
Julio Sánchez Fernández
5f53b747a5
Partial support for a new option to help debug TLS connections,
...
not yet user-settable. Defaults "on" for now.
Partial support for temporary RSA keys, skeleton for DH.
Add call to X509V3_add_standard_extensions() on init, mod_ssl
does this too, but I am unsure about what it does.
Move management of client CA certificates to a new routine, since
it is going to get more complex than the current code.
1999-07-21 19:18:08 +00:00
Julio Sánchez Fernández
e892ebfc5e
Some content for tls_verify_cb where parts of our policy should
...
be implemented.
The rest of this change mostly contains random ideas taken from
mod_ssl. The purpose is to get the repository in sync with the
code I am testing. I still can't manage to make Netscape send
its certificate to slapd, though it works with Apache/mod_ssl
(with the same certificates). Trying s_client against both
does not shed any light. If anyone manages to make it work,
please let us know.
1999-07-20 18:31:53 +00:00
Julio Sánchez Fernández
85acec922f
We were not remembering the allocated SSL thing in the Sockbuf.
...
Set flags without relying on errno (this change may be gratuitous
or wrong).
1999-07-16 15:46:15 +00:00
Julio Sánchez Fernández
7a64fcf7b3
Set ciphers from slapd.conf.
...
More error checking and reporting.
Slowly getting there, SSL_accept succeeds now, but connection breaks
immediately after that (my glue logic with slapd is broken).
1999-07-15 21:03:47 +00:00
Kurt Zeilenga
c7425738bb
Add missing arg to Debug macro call
1999-07-15 20:00:05 +00:00
Julio Sánchez Fernández
41de66a0b2
New routine tls_report_error to analyze errors from OpenSSL
...
Change temporarily the default protocol from TLSv1 to SSLv3 with
fallback to SSLv2. This seems necessary for slapd to accept connections
from Netscape.
Try to set the cipher list in the default context. Does not seem to
work yet.
1999-07-15 14:59:09 +00:00
Kurt Zeilenga
cbb5553b03
Newer versions of OpenSSL install headers in $prefix/include/openssl...
1999-07-14 00:03:52 +00:00
Julio Sánchez Fernández
8f4f94d415
First version of TLS glue for SSLeay/OpenSSL originally written by
...
Bart Hartgers. Untested.
1999-07-13 19:11:53 +00:00