contrib/slapd-modules/smbk5pwd/smbk5pwd.c

@@ -1052,6 +1052,7 @@ smbk5pwd_initialize(void)
 
 	smbk5pwd.on_bi.bi_type = "smbk5pwd";
 
+	smbk5pwd.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
 	smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init;
 	smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open;
 	smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy;

contrib/slapd-modules/trace/trace.c

@@ -222,6 +222,7 @@ trace_initialize()
 {
 	trace.on_bi.bi_type = "trace";
 
+	trace.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
 	trace.on_bi.bi_db_init = trace_db_init;
 	trace.on_bi.bi_db_open = trace_db_open;
 	trace.on_bi.bi_db_config = trace_db_config;

contrib/slapd-modules/usn/usn.c

@@ -296,6 +296,7 @@ usn_init( void )
 
 	memset( &usn, 0, sizeof( slap_overinst ) );
 	usn.on_bi.bi_type = "usn";
+	usn.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
 	usn.on_bi.bi_db_init = usn_db_init;
 	usn.on_bi.bi_db_destroy = usn_db_destroy;
 	usn.on_bi.bi_db_open = usn_db_open;

doc/man/man3/ldap_get_option.3

@@ -740,7 +740,7 @@ and its contents need to be freed by the caller using
 .BR ldap_memfree (3).
 .TP
 .B LDAP_OPT_X_TLS_ECNAME
-Gets/sets the name of the curve used for 
+Gets/sets the name of the curve(s) used for
 elliptic curve key exchanges.
 .BR invalue
 must be
@@ -815,6 +815,15 @@ one of
 .BR LDAP_OPT_X_TLS_ALLOW ,
 .BR LDAP_OPT_X_TLS_TRY .
 .TP
+.B LDAP_OPT_X_TLS_REQUIRE_SAN
+Sets/gets the peer certificate subjectAlternativeName checking strategy,
+one of
+.BR LDAP_OPT_X_TLS_NEVER ,
+.BR LDAP_OPT_X_TLS_HARD ,
+.BR LDAP_OPT_X_TLS_DEMAND ,
+.BR LDAP_OPT_X_TLS_ALLOW ,
+.BR LDAP_OPT_X_TLS_TRY .
+.TP
 .B LDAP_OPT_X_TLS_SSL_CTX
 Gets the TLS session context associated with this handle.
 .BR outvalue

doc/man/man5/ldap.conf.5

@@ -327,6 +327,12 @@ is always used before
 Specifies the file that contains the client certificate.
 .B This is a user-only option.
 .TP
+.B TLS_ECNAME <name>
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification.
+.TP
 .B TLS_KEY <filename>
 Specifies the file that contains the private key that matches the certificate
 stored in the
@@ -419,6 +425,37 @@ certificate is provided, or a bad certificate is provided, the session
 is immediately terminated. This is the default setting.
 .RE
 .TP
+.B TLS_REQSAN <level>
+Specifies what checks to perform on the subjectAlternativeName
+(SAN) extensions in a server certificate when validating the certificate
+name against the specified hostname of the server. The
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B never
+The client will not check any SAN in the certificate.
+.TP
+.B allow
+The SAN is checked against the specified hostname. If a SAN is
+present but none match the specified hostname, the SANs are ignored
+and the usual check against the certificate DN is used.
+This is the default setting.
+.TP
+.B try
+The SAN is checked against the specified hostname. If no SAN is present
+in the server certificate, the usual check against the certificate DN
+is used. If a SAN is present but doesn't match the specified hostname,
+the session is immediately terminated. This setting may be preferred
+when a mix of certs with and without SANs are in use.
+.TP
+.B demand | hard
+These keywords are equivalent. The SAN is checked against the specified
+hostname. If no SAN is present in the server certificate, or no SANs
+match, the session is immediately terminated. This setting should be
+used when only certificates with SANs are in use.
+.RE
+.TP
 .B TLS_CRLCHECK <level>
 Specifies if the Certificate Revocation List (CRL) of the CA should be 
 used to verify if the server certificates have not been revoked. This

doc/man/man5/slapd-config.5

@@ -908,9 +908,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites
 are not used.
 .TP
 .B olcTLSECName: <name>
-Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-ephemeral key exchange.  This is required to enable ECDHE algorithms in
-OpenSSL.  This option is not used with GnuTLS; the curves may be
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
 chosen in the GnuTLS ciphersuite specification.
 .TP
 .B olcTLSProtocolMin: <major>[.<minor>]

doc/man/man5/slapd.conf.5

@@ -1139,9 +1139,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites
 are not used.
 .TP
 .B TLSECName <name>
-Specify the name of a curve to use for Elliptic curve Diffie-Hellman
-ephemeral key exchange.  This is required to enable ECDHE algorithms in
-OpenSSL.  This option is not used with GnuTLS; the curves may be
+Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange.  This option is only used for OpenSSL.
+This option is not used with GnuTLS; the curves may be
 chosen in the GnuTLS ciphersuite specification.
 .TP
 .B TLSProtocolMin <major>[.<minor>]

include/ldap.h

@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_CERT			0x6017
 #define LDAP_OPT_X_TLS_KEY			0x6018
 #define LDAP_OPT_X_TLS_PEERKEY_HASH	0x6019
+#define LDAP_OPT_X_TLS_REQUIRE_SAN	0x601a
 
 #define LDAP_OPT_X_TLS_NEVER	0
 #define LDAP_OPT_X_TLS_HARD		1

include/portable.hin

@@ -373,9 +373,6 @@
 /* Define to 1 if you have the <openssl/bn.h> header file. */
 #undef HAVE_OPENSSL_BN_H
 
-/* define if you have OpenSSL with CRL checking capability */
-#undef HAVE_OPENSSL_CRL
-
 /* Define to 1 if you have the <openssl/crypto.h> header file. */
 #undef HAVE_OPENSSL_CRYPTO_H
 

libraries/libldap/init.c

@@ -119,12 +119,14 @@ static const struct ol_attribute {
   	{0, ATTR_TLS,	"TLS_CACERT",		NULL,	LDAP_OPT_X_TLS_CACERTFILE},
   	{0, ATTR_TLS,	"TLS_CACERTDIR",	NULL,	LDAP_OPT_X_TLS_CACERTDIR},
   	{0, ATTR_TLS,	"TLS_REQCERT",		NULL,	LDAP_OPT_X_TLS_REQUIRE_CERT},
+	{0, ATTR_TLS,	"TLS_REQSAN",		NULL,	LDAP_OPT_X_TLS_REQUIRE_SAN},
 	{0, ATTR_TLS,	"TLS_RANDFILE",		NULL,	LDAP_OPT_X_TLS_RANDOM_FILE},
 	{0, ATTR_TLS,	"TLS_CIPHER_SUITE",	NULL,	LDAP_OPT_X_TLS_CIPHER_SUITE},
 	{0, ATTR_TLS,	"TLS_PROTOCOL_MIN",	NULL,	LDAP_OPT_X_TLS_PROTOCOL_MIN},
 	{0, ATTR_TLS,	"TLS_PEERKEY_HASH",	NULL,	LDAP_OPT_X_TLS_PEERKEY_HASH},
+	{0, ATTR_TLS,	"TLS_ECNAME",		NULL,	LDAP_OPT_X_TLS_ECNAME},
 
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	{0, ATTR_TLS,	"TLS_CRLCHECK",		NULL,	LDAP_OPT_X_TLS_CRLCHECK},
 #endif
 #ifdef HAVE_GNUTLS
@@ -596,6 +598,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
 	gopts->ldo_tls_connect_cb = NULL;
 	gopts->ldo_tls_connect_arg = NULL;
 	gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
 #endif
 	gopts->ldo_keepalive_probes = 0;
 	gopts->ldo_keepalive_interval = 0;

libraries/libldap/ldap-int.h

@@ -285,6 +285,7 @@ struct ldapoptions {
    	int			ldo_tls_require_cert;
 	int			ldo_tls_impl;
    	int			ldo_tls_crlcheck;
+	int			ldo_tls_require_san;
 	char		*ldo_tls_pin_hashalg;
 	struct berval	ldo_tls_pin;
 #define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0,0,{0,0}

libraries/libldap/result.c

@@ -486,7 +486,8 @@ retry:
 #ifdef LDAP_CONNECTIONLESS
 	if ( LDAP_IS_UDP(ld) ) {
 		struct sockaddr_storage from;
-		ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
+		if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 )
+			goto fail;
 		if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
 	}
 nextresp3:
@@ -502,10 +503,11 @@ nextresp3:
 		break;
 
 	case LBER_DEFAULT:
+fail:
 		err = sock_errno();
 #ifdef LDAP_DEBUG		   
-		Debug0( LDAP_DEBUG_CONNS,
-			"ber_get_next failed.\n" );
+		Debug1( LDAP_DEBUG_CONNS,
+			"ber_get_next failed, errno=%d.\n", err );
 #endif		   
 		if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
 		if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;

libraries/libldap/tls2.c

@@ -342,7 +342,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 	Sockbuf *sb = conn->lconn_sb;
 	int	err;
 	tls_session	*ssl = NULL;
-	char *sni = host;
+	char *sni = (char *)host;
 
 	if ( HAS_TLS( sb )) {
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
@@ -580,10 +580,12 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
 	case LDAP_OPT_X_TLS_CIPHER_SUITE:
 	case LDAP_OPT_X_TLS_DHFILE:
 	case LDAP_OPT_X_TLS_PEERKEY_HASH:
+	case LDAP_OPT_X_TLS_ECNAME:
 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
 		return ldap_pvt_tls_set_option( ld, option, (void *) arg );
 
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
+	case LDAP_OPT_X_TLS_REQUIRE_SAN:
 	case LDAP_OPT_X_TLS:
 		i = -1;
 		if ( strcasecmp( arg, "never" ) == 0 ) {
@@ -627,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
 		}
 		return ldap_pvt_tls_set_option( ld, option, &i );
 		}
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
 		i = -1;
 		if ( strcasecmp( arg, "none" ) == 0 ) {
@@ -714,7 +716,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		*(int *)arg = lo->ldo_tls_require_cert;
 		break;
-#ifdef HAVE_OPENSSL_CRL
+	case LDAP_OPT_X_TLS_REQUIRE_SAN:
+		*(int *)arg = lo->ldo_tls_require_san;
+		break;
+#ifdef HAVE_OPENSSL
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
 		*(int *)arg = lo->ldo_tls_crlcheck;
 		break;
@@ -920,7 +925,19 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 			return 0;
 		}
 		return -1;
-#ifdef HAVE_OPENSSL_CRL
+	case LDAP_OPT_X_TLS_REQUIRE_SAN:
+		if ( !arg ) return -1;
+		switch( *(int *) arg ) {
+		case LDAP_OPT_X_TLS_NEVER:
+		case LDAP_OPT_X_TLS_DEMAND:
+		case LDAP_OPT_X_TLS_ALLOW:
+		case LDAP_OPT_X_TLS_TRY:
+		case LDAP_OPT_X_TLS_HARD:
+			lo->ldo_tls_require_san = * (int *) arg;
+			return 0;
+		}
+		return -1;
+#ifdef HAVE_OPENSSL
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
 		if ( !arg ) return -1;
 		switch( *(int *) arg ) {

libraries/libldap/tls_g.c

@@ -559,6 +559,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 {
 	tlsg_session *s = (tlsg_session *)session;
 	int i, ret;
+	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
 	const gnutls_datum_t *peer_cert_list;
 	unsigned int list_size;
 	char altname[NI_MAXHOST];
@@ -620,12 +621,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 		}
 	}
 
+	if (chkSAN) {
 	for ( i=0, ret=0; ret >= 0; i++ ) {
 		altnamesize = sizeof(altname);
 		ret = gnutls_x509_crt_get_subject_alt_name( cert, i, 
 			altname, &altnamesize, NULL );
 		if ( ret < 0 ) break;
 
+		gotSAN = 1;
 		/* ignore empty */
 		if ( altnamesize == 0 ) continue;
 
@@ -661,7 +664,44 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 	}
 	if ( ret >= 0 ) {
 		ret = LDAP_SUCCESS;
-	} else {
+	}
+	}
+	if (ret != LDAP_SUCCESS && chkSAN) {
+		switch(chkSAN) {
+		case LDAP_OPT_X_TLS_DEMAND:
+		case LDAP_OPT_X_TLS_HARD:
+			if (!gotSAN) {
+				Debug0( LDAP_DEBUG_ANY,
+					"TLS: unable to get subjectAltName from peer certificate.\n" );
+				ret = LDAP_CONNECT_ERROR;
+				if ( ld->ld_error ) {
+					LDAP_FREE( ld->ld_error );
+				}
+				ld->ld_error = LDAP_STRDUP(
+					_("TLS: unable to get subjectAltName from peer certificate"));
+				goto done;
+			}
+			/* FALLTHRU */
+		case LDAP_OPT_X_TLS_TRY:
+			if (gotSAN) {
+				Debug1( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+					"subjectAltName in certificate.\n",
+					name );
+				ret = LDAP_CONNECT_ERROR;
+				if ( ld->ld_error ) {
+					LDAP_FREE( ld->ld_error );
+				}
+				ld->ld_error = LDAP_STRDUP(
+					_("TLS: hostname does not match subjectAltName in peer certificate"));
+				goto done;
+			}
+			break;
+		case LDAP_OPT_X_TLS_ALLOW:
+			break;
+		}
+	}
+
+	if ( ret != LDAP_SUCCESS ){
 		/* find the last CN */
 		i=0;
 		do {
@@ -715,9 +755,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
 				LDAP_FREE( ld->ld_error );
 			}
 			ld->ld_error = LDAP_STRDUP(
-				_("TLS: hostname does not match CN in peer certificate"));
+				_("TLS: hostname does not match name in peer certificate"));
 		}
 	}
+done:
 	gnutls_x509_crt_deinit( cert );
 	return ret;
 }

libraries/libldap/tls_o.c

@@ -46,8 +46,6 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/dh.h>
-#elif defined( HAVE_SSL_H )
-#include <ssl.h>
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
@@ -244,11 +242,7 @@ tlso_destroy( void )
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	EVP_cleanup();
-#if OPENSSL_VERSION_NUMBER < 0x10000000
-	ERR_remove_state(0);
-#else
 	ERR_remove_thread_state(NULL);
-#endif
 	ERR_free_strings();
 #endif
 
@@ -453,34 +447,30 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 		DH_free( dh );
 	}
 
-	if ( is_server && lo->ldo_tls_ecname ) {
+	if ( lo->ldo_tls_ecname ) {
 #ifdef OPENSSL_NO_EC
 		Debug0( LDAP_DEBUG_ANY,
 			"TLS: Elliptic Curves not supported.\n" );
 		return -1;
 #else
-		EC_KEY *ecdh;
-
-		int nid = OBJ_sn2nid( lt->lt_ecname );
-		if ( nid == NID_undef ) {
+		if ( SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )) {
 			Debug1( LDAP_DEBUG_ANY,
-				"TLS: could not use EC name `%s'.\n",
+				"TLS: could not set EC name `%s'.\n",
 				lo->ldo_tls_ecname );
 			tlso_report_error();
 			return -1;
 		}
-		ecdh = EC_KEY_new_by_curve_name( nid );
-		if ( ecdh == NULL ) {
-			Debug1( LDAP_DEBUG_ANY,
-				"TLS: could not generate key for EC name `%s'.\n",
-				lo->ldo_tls_ecname );
-			tlso_report_error();
-			return -1;
+	/*
+	 * This is a NOP in OpenSSL 1.1.0 and later, where curves are always
+	 * auto-negotiated.
+	 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000UL
+		if ( SSL_CTX_set_ecdh_auto( ctx, 1 ) <= 0 ) {
+			Debug0( LDAP_DEBUG_ANY,
+				"TLS: could not enable automatic EC negotiation.\n" );
 		}
-		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
-		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
-		EC_KEY_free( ecdh );
 #endif
+#endif	/* OPENSSL_NO_EC */
 	}
 
 	if ( tlso_opt_trace ) {
@@ -502,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 #if OPENSSL_VERSION_NUMBER < 0x10100000
 	SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
 #endif
-#ifdef HAVE_OPENSSL_CRL
 	if ( lo->ldo_tls_crlcheck ) {
 		X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
 		if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
@@ -512,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 					X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL  );
 		}
 	}
-#endif
 	return 0;
 }
 
@@ -666,6 +654,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 {
 	tlso_session *s = (tlso_session *)sess;
 	int i, ret = LDAP_LOCAL_ERROR;
+	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
 	X509 *x;
 	const char *name;
 	char *ptr;
@@ -703,7 +692,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 	if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
 		if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
 	}
-	
+
+	if (chkSAN) {
 	i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
 	if (i >= 0) {
 		X509_EXTENSION *ex;
@@ -716,6 +706,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 			char *domain = NULL;
 			GENERAL_NAME *gn;
 
+			gotSAN = 1;
 			if (ntype == IS_DNS) {
 				domain = strchr(name, '.');
 				if (domain) {
@@ -774,6 +765,41 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 			}
 		}
 	}
+	}
+	if (ret != LDAP_SUCCESS && chkSAN) {
+		switch(chkSAN) {
+		case LDAP_OPT_X_TLS_DEMAND:
+		case LDAP_OPT_X_TLS_HARD:
+			if (!gotSAN) {
+				Debug0( LDAP_DEBUG_ANY,
+					"TLS: unable to get subjectAltName from peer certificate.\n" );
+				ret = LDAP_CONNECT_ERROR;
+				if ( ld->ld_error ) {
+					LDAP_FREE( ld->ld_error );
+				}
+				ld->ld_error = LDAP_STRDUP(
+					_("TLS: unable to get subjectAltName from peer certificate"));
+				goto done;
+			}
+			/* FALLTHRU */
+		case LDAP_OPT_X_TLS_TRY:
+			if (gotSAN) {
+				Debug1( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+					"subjectAltName in certificate.\n",
+					name );
+				ret = LDAP_CONNECT_ERROR;
+				if ( ld->ld_error ) {
+					LDAP_FREE( ld->ld_error );
+				}
+				ld->ld_error = LDAP_STRDUP(
+					_("TLS: hostname does not match subjectAltName in peer certificate"));
+				goto done;
+			}
+			break;
+		case LDAP_OPT_X_TLS_ALLOW:
+			break;
+		}
+	}
 
 	if (ret != LDAP_SUCCESS) {
 		X509_NAME *xn;
@@ -836,9 +862,10 @@ no_cn:
 				LDAP_FREE( ld->ld_error );
 			}
 			ld->ld_error = LDAP_STRDUP(
-				_("TLS: hostname does not match CN in peer certificate"));
+				_("TLS: hostname does not match name in peer certificate"));
 		}
 	}
+done:
 	X509_free(x);
 	return ret;
 }
@@ -869,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
 static int
 tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 {
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
 	tlso_session *s = (tlso_session *)sess;
 	const EVP_MD *md;
 	unsigned int md_len;
@@ -909,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
 	buf->bv_len = md_len;
 
 	return md_len;
-#else
-	return 0;
-#endif
 }
 
 static const char *
@@ -1435,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 	RSA *tmp_rsa;
 	/* FIXME:  Pregenerate the key on startup */
 	/* FIXME:  Who frees the key? */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000
 	BIGNUM *bn = BN_new();
 	tmp_rsa = NULL;
 	if ( bn ) {
@@ -1448,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 		}
 		BN_free( bn );
 	}
-#else
-	tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
-#endif
 
 	if ( !tmp_rsa ) {
 		Debug2( LDAP_DEBUG_ANY,

libraries/librewrite/subst.c

@@ -32,7 +32,7 @@ rewrite_subst_compile(
 {
 	size_t subs_len;
 	struct berval *subs = NULL, *tmps;
-	struct rewrite_submatch *submatch = NULL;
+	struct rewrite_submatch *submatch = NULL, *tmpsm;
 
 	struct rewrite_subst *s = NULL;
 
@@ -71,7 +71,16 @@ rewrite_subst_compile(
 			goto cleanup;
 		}
 		subs = tmps;
-		
+		subs[ nsub ].bv_val = NULL;
+
+		tmpsm = ( struct rewrite_submatch * )realloc( submatch,
+				sizeof( struct rewrite_submatch )*( nsub + 1 ) );
+		if ( tmpsm == NULL ) {
+			goto cleanup;
+		}
+		submatch = tmpsm;
+		submatch[ nsub ].ls_map = NULL;
+
 		/*
 		 * I think an `if l > 0' at runtime is better outside than
 		 * inside a function call ...
@@ -95,19 +104,12 @@ rewrite_subst_compile(
 		 * Substitution pattern
 		 */
 		if ( isdigit( (unsigned char) p[ 1 ] ) ) {
-			struct rewrite_submatch *tmpsm;
 			int d = p[ 1 ] - '0';
 
 			/*
 			 * Add a new value substitution scheme
 			 */
 
-			tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-					sizeof( struct rewrite_submatch )*( nsub + 1 ) );
-			if ( tmpsm == NULL ) {
-				goto cleanup;
-			}
-			submatch = tmpsm;
 			submatch[ nsub ].ls_submatch = d;
 
 			/*
@@ -140,7 +142,6 @@ rewrite_subst_compile(
 		 */
 		} else if ( p[ 1 ] == '{' ) {
 			struct rewrite_map *map;
-			struct rewrite_submatch *tmpsm;
 
 			map = rewrite_map_parse( info, p + 2,
 					(const char **)&begin );
@@ -152,13 +153,6 @@ rewrite_subst_compile(
 			/*
 			 * Add a new value substitution scheme
 			 */
-			tmpsm = ( struct rewrite_submatch * )realloc( submatch,
-					sizeof( struct rewrite_submatch )*( nsub + 1 ) );
-			if ( tmpsm == NULL ) {
-				rewrite_map_destroy( &map );
-				goto cleanup;
-			}
-			submatch = tmpsm;
 			submatch[ nsub ].ls_type =
 				REWRITE_SUBMATCH_MAP_W_ARG;
 			submatch[ nsub ].ls_map = map;

servers/slapd/Makefile.in

@@ -372,7 +372,7 @@ install-local-srv: install-slapd install-tools \
 install-slapd: FORCE
 	-$(MKDIR) $(DESTDIR)$(libexecdir)
 	-$(MKDIR) $(DESTDIR)$(localstatedir)/run
-	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \
+	$(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \
 		slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
 	@for i in $(SUBDIRS); do \
 	    if test -d $$i && test -f $$i/Makefile ; then \

servers/slapd/bconfig.c

@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
 			"EQUALITY caseExactMatch "
 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
 	{ "TLSCRLCheck", NULL, 2, 2, 0,
-#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL)
+#if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
 		CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
 #else
 		ARG_IGNORED, NULL,

servers/slapd/config.c

@@ -1488,9 +1488,11 @@ static slap_cf_aux_table bindkey[] = {
 	{ BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
 	{ BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
 	{ BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
+	{ BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 0, NULL },
 	{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
 	{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
-#ifdef HAVE_OPENSSL_CRL
+	{ BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
+#ifdef HAVE_OPENSSL
 	{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
 #endif
@@ -1855,6 +1857,10 @@ void bindconf_free( slap_bindconf *bc ) {
 		ch_free( bc->sb_tls_reqcert );
 		bc->sb_tls_reqcert = NULL;
 	}
+	if ( bc->sb_tls_reqsan ) {
+		ch_free( bc->sb_tls_reqsan );
+		bc->sb_tls_reqsan = NULL;
+	}
 	if ( bc->sb_tls_cipher_suite ) {
 		ch_free( bc->sb_tls_cipher_suite );
 		bc->sb_tls_cipher_suite = NULL;
@@ -1863,7 +1869,11 @@ void bindconf_free( slap_bindconf *bc ) {
 		ch_free( bc->sb_tls_protocol_min );
 		bc->sb_tls_protocol_min = NULL;
 	}
-#ifdef HAVE_OPENSSL_CRL
+	if ( bc->sb_tls_ecname ) {
+		ch_free( bc->sb_tls_ecname );
+		bc->sb_tls_ecname = NULL;
+	}
+#ifdef HAVE_OPENSSL
 	if ( bc->sb_tls_crlcheck ) {
 		ch_free( bc->sb_tls_crlcheck );
 		bc->sb_tls_crlcheck = NULL;
@@ -1898,7 +1908,12 @@ bindconf_tls_defaults( slap_bindconf *bc )
 				&bc->sb_tls_cipher_suite );
 		if ( !bc->sb_tls_reqcert )
 			bc->sb_tls_reqcert = ch_strdup("demand");
-#ifdef HAVE_OPENSSL_CRL
+		if ( !bc->sb_tls_reqsan )
+			bc->sb_tls_reqsan = ch_strdup("allow");
+		if ( !bc->sb_tls_ecname )
+			slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
+				&bc->sb_tls_ecname );
+#ifdef HAVE_OPENSSL
 		if ( !bc->sb_tls_crlcheck )
 			slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
 				&bc->sb_tls_crlcheck );
@@ -1918,7 +1933,7 @@ static struct {
 	{ "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
 	{ "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
 	{ "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
-	{ "tls_protocol_min", offsetof(slap_bindconf, sb_tls_protocol_min), LDAP_OPT_X_TLS_PROTOCOL_MIN },
+	{ "tls_ecname", offsetof(slap_bindconf, sb_tls_ecname), LDAP_OPT_X_TLS_ECNAME },
 	{0, 0}
 };
 
@@ -1951,6 +1966,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 			res = -1;
 		}
 	}
+	if ( bc->sb_tls_reqsan ) {
+		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
+			bc->sb_tls_reqsan );
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				"bindconf_tls_set: failed to set tls_reqsan to %s\n",
+					bc->sb_tls_reqsan );
+			res = -1;
+		}
+	}
 	if ( bc->sb_tls_protocol_min ) {
 		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
 			bc->sb_tls_protocol_min );
@@ -1961,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 			res = -1;
 		}
 	}
-#ifdef HAVE_OPENSSL_CRL
+#ifdef HAVE_OPENSSL
 	if ( bc->sb_tls_crlcheck ) {
 		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
 			bc->sb_tls_crlcheck );

servers/slapd/overlays/auditlog.c

@@ -219,6 +219,7 @@ int auditlog_initialize() {
 	int rc;
 
 	auditlog.on_bi.bi_type = "auditlog";
+	auditlog.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
 	auditlog.on_bi.bi_db_init = auditlog_db_init;
 	auditlog.on_bi.bi_db_destroy = auditlog_db_destroy;
 	auditlog.on_response = auditlog_response;