openldap
OpenLDAP
Compare Revisions
afcb343ceae349ff4cbe5c469518a6f0839995ee...b48afc2e1bbd42ceb94686d9af01abe7ad843dd9
contrib/slapd-modules/smbk5pwd/smbk5pwd.c
...
...
@@ -1052,6 +1052,7 @@ smbk5pwd_initialize(void)
smbk5pwd
.
on_bi
.
bi_type
=
"smbk5pwd"
;
smbk5pwd
.
on_bi
.
bi_flags
=
SLAPO_BFLAG_SINGLE
;
smbk5pwd
.
on_bi
.
bi_db_init
=
smbk5pwd_db_init
;
smbk5pwd
.
on_bi
.
bi_db_open
=
smbk5pwd_db_open
;
smbk5pwd
.
on_bi
.
bi_db_destroy
=
smbk5pwd_db_destroy
;
...
...
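Review bot: The new `bi_flags = SLAPO_BFLAG_SINGLE` line in smbk5pwd_initialize is added without a comment saying what constraint it imposes, and the same applies to the matching lines added in trace_initialize, usn_init and auditlog_initialize later in this change. Presumably the flag tells slapd that only one instance of the overlay may be stacked on a given database; a one-liner such as `/* only one instance of this overlay per database */` would spare the next reader a trip to slap.h. Each of these initialize functions continues outside its hunk.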
contrib/slapd-modules/trace/trace.c
...
...
@@ -222,6 +222,7 @@ trace_initialize()
{
trace
.
on_bi
.
bi_type
=
"trace"
;
trace
.
on_bi
.
bi_flags
=
SLAPO_BFLAG_SINGLE
;
trace
.
on_bi
.
bi_db_init
=
trace_db_init
;
trace
.
on_bi
.
bi_db_open
=
trace_db_open
;
trace
.
on_bi
.
bi_db_config
=
trace_db_config
;
...
...
contrib/slapd-modules/usn/usn.c
...
...
@@ -296,6 +296,7 @@ usn_init( void )
memset
(
&
usn
,
0
,
sizeof
(
slap_overinst
)
);
usn
.
on_bi
.
bi_type
=
"usn"
;
usn
.
on_bi
.
bi_flags
=
SLAPO_BFLAG_SINGLE
;
usn
.
on_bi
.
bi_db_init
=
usn_db_init
;
usn
.
on_bi
.
bi_db_destroy
=
usn_db_destroy
;
usn
.
on_bi
.
bi_db_open
=
usn_db_open
;
...
...
doc/man/man3/ldap_get_option.3
...
...
@@ -740,7 +740,7 @@ and its contents need to be freed by the caller using
.BR ldap_memfree (3).
.TP
.B LDAP_OPT_X_TLS_ECNAME
Gets/sets the name of the curve used for
Gets/sets the name of the curve
(s)
used for
elliptic curve key exchanges.
.BR invalue
must be
...
...
@@ -815,6 +815,15 @@ one of
.BR LDAP_OPT_X_TLS_ALLOW ,
.BR LDAP_OPT_X_TLS_TRY .
.TP
.B LDAP_OPT_X_TLS_REQUIRE_SAN
Sets/gets the peer certificate subjectAlternativeName checking strategy,
one of
.BR LDAP_OPT_X_TLS_NEVER ,
.BR LDAP_OPT_X_TLS_HARD ,
.BR LDAP_OPT_X_TLS_DEMAND ,
.BR LDAP_OPT_X_TLS_ALLOW ,
.BR LDAP_OPT_X_TLS_TRY .
.TP
.B LDAP_OPT_X_TLS_SSL_CTX
Gets the TLS session context associated with this handle.
.BR outvalue
...
...
doc/man/man5/ldap.conf.5
...
...
@@ -327,6 +327,12 @@ is always used before
Specifies the file that contains the client certificate.
.B This is a user-only option.
.TP
.B TLS_ECNAME <name>
Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification.
.TP
.B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate
stored in the
...
...
@@ -419,6 +425,37 @@ certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
.RE
.TP
.B TLS_REQSAN <level>
Specifies what checks to perform on the subjectAlternativeName
(SAN) extensions in a server certificate when validating the certificate
name against the specified hostname of the server. The
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B never
The client will not check any SAN in the certificate.
.TP
.B allow
The SAN is checked against the specified hostname. If a SAN is
present but none match the specified hostname, the SANs are ignored
and the usual check against the certificate DN is used.
This is the default setting.
.TP
.B try
The SAN is checked against the specified hostname. If no SAN is present
in the server certificate, the usual check against the certificate DN
is used. If a SAN is present but doesn't match the specified hostname,
the session is immediately terminated. This setting may be preferred
when a mix of certs with and without SANs are in use.
.TP
.B demand | hard
These keywords are equivalent. The SAN is checked against the specified
hostname. If no SAN is present in the server certificate, or no SANs
match, the session is immediately terminated. This setting should be
used when only certificates with SANs are in use.
.RE
.TP
.B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
...
...
doc/man/man5/slapd-config.5
...
...
@@ -908,9 +908,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
.TP
.B olcTLSECName: <name>
Specify the name of
a
curve to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
is required to enable ECDHE algorithms in
OpenSSL.
This option is not used with GnuTLS; the curves may be
Specify the name of
the
curve
(s)
to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification.
.TP
.B olcTLSProtocolMin: <major>[.<minor>]
...
...
doc/man/man5/slapd.conf.5
...
...
@@ -1139,9 +1139,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites
are not used.
.TP
.B TLSECName <name>
Specify the name of
a
curve to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
is required to enable ECDHE algorithms in
OpenSSL.
This option is not used with GnuTLS; the curves may be
Specify the name of
the
curve
(s)
to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This
option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification.
.TP
.B TLSProtocolMin <major>[.<minor>]
...
...
include/ldap.h
...
...
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_CERT 0x6017
#define LDAP_OPT_X_TLS_KEY 0x6018
#define LDAP_OPT_X_TLS_PEERKEY_HASH 0x6019
#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
...
...
include/portable.hin
...
...
@@ -373,9 +373,6 @@
/* Define to 1 if you have the <openssl/bn.h> header file. */
#undef HAVE_OPENSSL_BN_H
/* define if you have OpenSSL with CRL checking capability */
#undef HAVE_OPENSSL_CRL
/* Define to 1 if you have the <openssl/crypto.h> header file. */
#undef HAVE_OPENSSL_CRYPTO_H
...
...
libraries/libldap/init.c
...
...
@@ -119,12 +119,14 @@ static const struct ol_attribute {
{
0
,
ATTR_TLS
,
"TLS_CACERT"
,
NULL
,
LDAP_OPT_X_TLS_CACERTFILE
},
{
0
,
ATTR_TLS
,
"TLS_CACERTDIR"
,
NULL
,
LDAP_OPT_X_TLS_CACERTDIR
},
{
0
,
ATTR_TLS
,
"TLS_REQCERT"
,
NULL
,
LDAP_OPT_X_TLS_REQUIRE_CERT
},
{
0
,
ATTR_TLS
,
"TLS_REQSAN"
,
NULL
,
LDAP_OPT_X_TLS_REQUIRE_SAN
},
{
0
,
ATTR_TLS
,
"TLS_RANDFILE"
,
NULL
,
LDAP_OPT_X_TLS_RANDOM_FILE
},
{
0
,
ATTR_TLS
,
"TLS_CIPHER_SUITE"
,
NULL
,
LDAP_OPT_X_TLS_CIPHER_SUITE
},
{
0
,
ATTR_TLS
,
"TLS_PROTOCOL_MIN"
,
NULL
,
LDAP_OPT_X_TLS_PROTOCOL_MIN
},
{
0
,
ATTR_TLS
,
"TLS_PEERKEY_HASH"
,
NULL
,
LDAP_OPT_X_TLS_PEERKEY_HASH
},
{
0
,
ATTR_TLS
,
"TLS_ECNAME"
,
NULL
,
LDAP_OPT_X_TLS_ECNAME
},
#ifdef HAVE_OPENSSL
_CRL
#ifdef HAVE_OPENSSL
{
0
,
ATTR_TLS
,
"TLS_CRLCHECK"
,
NULL
,
LDAP_OPT_X_TLS_CRLCHECK
},
#endif
#ifdef HAVE_GNUTLS
...
...
@@ -596,6 +598,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
gopts
->
ldo_tls_connect_cb
=
NULL
;
gopts
->
ldo_tls_connect_arg
=
NULL
;
gopts
->
ldo_tls_require_cert
=
LDAP_OPT_X_TLS_DEMAND
;
gopts
->
ldo_tls_require_san
=
LDAP_OPT_X_TLS_ALLOW
;
#endif
gopts
->
ldo_keepalive_probes
=
0
;
gopts
->
ldo_keepalive_interval
=
0
;
...
...
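Review bot: The new default `gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;` in ldap_int_initialize_global_options is not explained, and per the ldap.conf(5) text in this same change `allow` means a non-matching SAN is ignored and the CN check is used instead, so the new check changes nothing until someone configures it. That is a defensible compatibility default but deserves saying in place, e.g. `/* ALLOW keeps the legacy CN fallback when no SAN matches; see TLS_REQSAN in ldap.conf(5) */`. The `TLS_REQSAN` table entry in the first hunk reuses the REQUIRE_CERT keyword mapping, which is fine but could carry a pointer to ldap_pvt_tls_config where the keywords are parsed. ldap_int_initialize_global_options continues outside the hunk.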
libraries/libldap/ldap-int.h
...
...
@@ -285,6 +285,7 @@ struct ldapoptions {
int
ldo_tls_require_cert
;
int
ldo_tls_impl
;
int
ldo_tls_crlcheck
;
int
ldo_tls_require_san
;
char
*
ldo_tls_pin_hashalg
;
struct
berval
ldo_tls_pin
;
#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0,0,{0,0}
...
...
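Review bot: The new `int ldo_tls_require_san;` member is inserted ahead of `ldo_tls_pin_hashalg`, but the positional initializer `LDAP_LDO_TLS_NULLARG` on the following line is left untouched; unless I am misreading how the macro maps onto the struct, its trailing `{0,0}` now lands one member earlier than `ldo_tls_pin`, which a compiler will report as excess initializers for a scalar. Adding one more `,0` to the macro before the braced pair keeps it in step with the struct. Note also that a zero there is `LDAP_OPT_X_TLS_NEVER`, not the `LDAP_OPT_X_TLS_ALLOW` default that init.c assigns at runtime, so anything initialized only through the macro gets a different setting; a comment on the member naming the intended default would make that explicit.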
libraries/libldap/result.c
...
...
@@ -486,7 +486,8 @@ retry:
#ifdef LDAP_CONNECTIONLESS
if
(
LDAP_IS_UDP
(
ld
)
)
{
struct
sockaddr_storage
from
;
ber_int_sb_read
(
lc
->
lconn_sb
,
&
from
,
sizeof
(
struct
sockaddr_storage
)
);
if
(
ber_int_sb_read
(
lc
->
lconn_sb
,
&
from
,
sizeof
(
struct
sockaddr_storage
)
)
<
0
)
goto
fail
;
if
(
ld
->
ld_options
.
ldo_version
==
LDAP_VERSION2
)
isv2
=
1
;
}
nextresp3:
...
...
@@ -502,10 +503,11 @@ nextresp3:
break
;
case
LBER_DEFAULT
:
fail:
err
=
sock_errno
();
#ifdef LDAP_DEBUG
Debug
0
(
LDAP_DEBUG_CONNS
,
"ber_get_next failed
.
\n
"
);
Debug
1
(
LDAP_DEBUG_CONNS
,
"ber_get_next failed
, errno=%d.
\n
"
,
err
);
#endif
if
(
err
==
EWOULDBLOCK
)
return
LDAP_MSG_X_KEEP_LOOKING
;
if
(
err
==
EAGAIN
)
return
LDAP_MSG_X_KEEP_LOOKING
;
...
...
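Review bot: The added `if ( ber_int_sb_read( ... ) < 0 ) goto fail;` in the UDP branch rejects only a negative return, so a zero-length read still falls through to the version check and the normal decode with `from` never filled in. If `ber_int_sb_read` can return 0 for an empty datagram or a closed socket, `<= 0` is the safer test here. The `fail:` label jumps into the `LBER_DEFAULT` case and reads `sock_errno()` immediately, which is correct as long as nothing between the goto and the label touches errno; the enclosing function continues outside both hunks.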
libraries/libldap/tls2.c
...
...
@@ -342,7 +342,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
Sockbuf
*
sb
=
conn
->
lconn_sb
;
int
err
;
tls_session
*
ssl
=
NULL
;
char
*
sni
=
host
;
char
*
sni
=
(
char
*
)
host
;
if
(
HAS_TLS
(
sb
))
{
ber_sockbuf_ctrl
(
sb
,
LBER_SB_OPT_GET_SSL
,
(
void
*
)
&
ssl
);
...
...
@@ -580,10 +580,12 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
case
LDAP_OPT_X_TLS_CIPHER_SUITE
:
case
LDAP_OPT_X_TLS_DHFILE
:
case
LDAP_OPT_X_TLS_PEERKEY_HASH
:
case
LDAP_OPT_X_TLS_ECNAME
:
case
LDAP_OPT_X_TLS_CRLFILE
:
/* GnuTLS only */
return
ldap_pvt_tls_set_option
(
ld
,
option
,
(
void
*
)
arg
);
case
LDAP_OPT_X_TLS_REQUIRE_CERT
:
case
LDAP_OPT_X_TLS_REQUIRE_SAN
:
case
LDAP_OPT_X_TLS
:
i
=
-
1
;
if
(
strcasecmp
(
arg
,
"never"
)
==
0
)
{
...
...
@@ -627,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
}
return
ldap_pvt_tls_set_option
(
ld
,
option
,
&
i
);
}
#ifdef HAVE_OPENSSL
_CRL
#ifdef HAVE_OPENSSL
case
LDAP_OPT_X_TLS_CRLCHECK
:
/* OpenSSL only */
i
=
-
1
;
if
(
strcasecmp
(
arg
,
"none"
)
==
0
)
{
...
...
@@ -714,7 +716,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case
LDAP_OPT_X_TLS_REQUIRE_CERT
:
*
(
int
*
)
arg
=
lo
->
ldo_tls_require_cert
;
break
;
#ifdef HAVE_OPENSSL_CRL
case
LDAP_OPT_X_TLS_REQUIRE_SAN
:
*
(
int
*
)
arg
=
lo
->
ldo_tls_require_san
;
break
;
#ifdef HAVE_OPENSSL
case
LDAP_OPT_X_TLS_CRLCHECK
:
/* OpenSSL only */
*
(
int
*
)
arg
=
lo
->
ldo_tls_crlcheck
;
break
;
...
...
@@ -920,7 +925,19 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
return
0
;
}
return
-
1
;
#ifdef HAVE_OPENSSL_CRL
case
LDAP_OPT_X_TLS_REQUIRE_SAN
:
if
(
!
arg
)
return
-
1
;
switch
(
*
(
int
*
)
arg
)
{
case
LDAP_OPT_X_TLS_NEVER
:
case
LDAP_OPT_X_TLS_DEMAND
:
case
LDAP_OPT_X_TLS_ALLOW
:
case
LDAP_OPT_X_TLS_TRY
:
case
LDAP_OPT_X_TLS_HARD
:
lo
->
ldo_tls_require_san
=
*
(
int
*
)
arg
;
return
0
;
}
return
-
1
;
#ifdef HAVE_OPENSSL
case
LDAP_OPT_X_TLS_CRLCHECK
:
/* OpenSSL only */
if
(
!
arg
)
return
-
1
;
switch
(
*
(
int
*
)
arg
)
{
...
...
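Review bot: `char *sni = (char *)host;` in ldap_int_tls_connect casts away the const of the `host` parameter; if `sni` is only ever read (presumably it feeds the SNI setup later in the function, outside the hunk), `const char *sni = host;` removes the cast and the warning it silences instead of hiding it. In the ldap_pvt_tls_set_option hunk the new `LDAP_OPT_X_TLS_REQUIRE_SAN` case validates the value against the five keyword constants before storing it, which is good; a short comment noting that it deliberately sits outside the `#ifdef HAVE_OPENSSL` block because tls_g.c honours the option too would explain its placement.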
libraries/libldap/tls_g.c
...
...
@@ -559,6 +559,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{
tlsg_session
*
s
=
(
tlsg_session
*
)
session
;
int
i
,
ret
;
int
chkSAN
=
ld
->
ld_options
.
ldo_tls_require_san
,
gotSAN
=
0
;
const
gnutls_datum_t
*
peer_cert_list
;
unsigned
int
list_size
;
char
altname
[
NI_MAXHOST
];
...
...
@@ -620,12 +621,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
}
}
if
(
chkSAN
)
{
for
(
i
=
0
,
ret
=
0
;
ret
>=
0
;
i
++
)
{
altnamesize
=
sizeof
(
altname
);
ret
=
gnutls_x509_crt_get_subject_alt_name
(
cert
,
i
,
altname
,
&
altnamesize
,
NULL
);
if
(
ret
<
0
)
break
;
gotSAN
=
1
;
/* ignore empty */
if
(
altnamesize
==
0
)
continue
;
...
...
@@ -661,7 +664,44 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
}
if
(
ret
>=
0
)
{
ret
=
LDAP_SUCCESS
;
}
else
{
}
}
if
(
ret
!=
LDAP_SUCCESS
&&
chkSAN
)
{
switch
(
chkSAN
)
{
case
LDAP_OPT_X_TLS_DEMAND
:
case
LDAP_OPT_X_TLS_HARD
:
if
(
!
gotSAN
)
{
Debug0
(
LDAP_DEBUG_ANY
,
"TLS: unable to get subjectAltName from peer certificate.
\n
"
);
ret
=
LDAP_CONNECT_ERROR
;
if
(
ld
->
ld_error
)
{
LDAP_FREE
(
ld
->
ld_error
);
}
ld
->
ld_error
=
LDAP_STRDUP
(
_
(
"TLS: unable to get subjectAltName from peer certificate"
));
goto
done
;
}
/* FALLTHRU */
case
LDAP_OPT_X_TLS_TRY
:
if
(
gotSAN
)
{
Debug1
(
LDAP_DEBUG_ANY
,
"TLS: hostname (%s) does not match "
"subjectAltName in certificate.
\n
"
,
name
);
ret
=
LDAP_CONNECT_ERROR
;
if
(
ld
->
ld_error
)
{
LDAP_FREE
(
ld
->
ld_error
);
}
ld
->
ld_error
=
LDAP_STRDUP
(
_
(
"TLS: hostname does not match subjectAltName in peer certificate"
));
goto
done
;
}
break
;
case
LDAP_OPT_X_TLS_ALLOW
:
break
;
}
}
if
(
ret
!=
LDAP_SUCCESS
){
/* find the last CN */
i
=
0
;
do
{
...
...
@@ -715,9 +755,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
LDAP_FREE
(
ld
->
ld_error
);
}
ld
->
ld_error
=
LDAP_STRDUP
(
_
(
"TLS: hostname does not match
CN
in peer certificate"
));
_
(
"TLS: hostname does not match
name
in peer certificate"
));
}
}
done:
gnutls_x509_crt_deinit
(
cert
);
return
ret
;
}
...
...
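Review bot: In tlsg_session_chkhost the SAN loop sets `gotSAN = 1` only after a successful `gnutls_x509_crt_get_subject_alt_name`, and any negative return ends the loop; a `GNUTLS_E_SHORT_MEMORY_BUFFER` on a SAN longer than `NI_MAXHOST` (altname is re-sized to `sizeof(altname)` every round) therefore leaves `gotSAN` at 0, and under `demand`/`hard` the new switch reports "unable to get subjectAltName" for a certificate that does carry one. Treating only the end-of-list code as the terminator and counting a short-buffer result as a present SAN keeps the message honest, e.g. `if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER ) { gotSAN = 1; continue; }` placed before the `if ( ret < 0 ) break;`. The `/* FALLTHRU */` from `DEMAND`/`HARD` into `TRY` is correct but deserves a sentence saying that hard mode shares the mismatch path; the function continues outside the hunks.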
libraries/libldap/tls_o.c
...
...
@@ -46,8 +46,6 @@
#include
<openssl/bn.h>
#include
<openssl/rsa.h>
#include
<openssl/dh.h>
#elif defined( HAVE_SSL_H )
#include
<ssl.h>
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000
...
...
@@ -244,11 +242,7 @@ tlso_destroy( void )
#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_cleanup
();
#if OPENSSL_VERSION_NUMBER < 0x10000000
ERR_remove_state
(
0
);
#else
ERR_remove_thread_state
(
NULL
);
#endif
ERR_free_strings
();
#endif
...
...
@@ -453,34 +447,30 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free
(
dh
);
}
if
(
is_server
&&
lo
->
ldo_tls_ecname
)
{
if
(
lo
->
ldo_tls_ecname
)
{
#ifdef OPENSSL_NO_EC
Debug0
(
LDAP_DEBUG_ANY
,
"TLS: Elliptic Curves not supported.
\n
"
);
return
-
1
;
#else
EC_KEY
*
ecdh
;
int
nid
=
OBJ_sn2nid
(
lt
->
lt_ecname
);
if
(
nid
==
NID_undef
)
{
if
(
SSL_CTX_set1_curves_list
(
ctx
,
lt
->
lt_ecname
))
{
Debug1
(
LDAP_DEBUG_ANY
,
"TLS: could not
u
se EC name `%s'.
\n
"
,
"TLS: could not se
t
EC name `%s'.
\n
"
,
lo
->
ldo_tls_ecname
);
tlso_report_error
();
return
-
1
;
}
ecdh
=
EC_KEY_new_by_curve_name
(
nid
);
if
(
ecdh
==
NULL
)
{
Debug1
(
LDAP_DEBUG_ANY
,
"TLS: could not generate key for EC name `%s'.
\n
"
,
lo
->
ldo_tls_ecname
);
tlso_report_error
();
return
-
1
;
/*
* This is a NOP in OpenSSL 1.1.0 and later, where curves are always
* auto-negotiated.
*/
#if OPENSSL_VERSION_NUMBER < 0x10100000UL
if
(
SSL_CTX_set_ecdh_auto
(
ctx
,
1
)
<=
0
)
{
Debug0
(
LDAP_DEBUG_ANY
,
"TLS: could not enable automatic EC negotiation.
\n
"
);
}
SSL_CTX_set_tmp_ecdh
(
ctx
,
ecdh
);
SSL_CTX_set_options
(
ctx
,
SSL_OP_SINGLE_ECDH_USE
);
EC_KEY_free
(
ecdh
);
#endif
#endif
/* OPENSSL_NO_EC */
}
if
(
tlso_opt_trace
)
{
...
...
@@ -502,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_CTX_set_tmp_rsa_callback
(
ctx
,
tlso_tmp_rsa_cb
);
#endif
#ifdef HAVE_OPENSSL_CRL
if
(
lo
->
ldo_tls_crlcheck
)
{
X509_STORE
*
x509_s
=
SSL_CTX_get_cert_store
(
ctx
);
if
(
lo
->
ldo_tls_crlcheck
==
LDAP_OPT_X_TLS_CRL_PEER
)
{
...
...
@@ -512,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
X509_V_FLAG_CRL_CHECK
|
X509_V_FLAG_CRL_CHECK_ALL
);
}
}
#endif
return
0
;
}
...
...
@@ -666,6 +654,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session
*
s
=
(
tlso_session
*
)
sess
;
int
i
,
ret
=
LDAP_LOCAL_ERROR
;
int
chkSAN
=
ld
->
ld_options
.
ldo_tls_require_san
,
gotSAN
=
0
;
X509
*
x
;
const
char
*
name
;
char
*
ptr
;
...
...
@@ -703,7 +692,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
if
((
ptr
=
strrchr
(
name
,
'.'
))
&&
isdigit
((
unsigned
char
)
ptr
[
1
]))
{
if
(
inet_aton
(
name
,
(
struct
in_addr
*
)
&
addr
))
ntype
=
IS_IP4
;
}
if
(
chkSAN
)
{
i
=
X509_get_ext_by_NID
(
x
,
NID_subject_alt_name
,
-
1
);
if
(
i
>=
0
)
{
X509_EXTENSION
*
ex
;
...
...
@@ -716,6 +706,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
char
*
domain
=
NULL
;
GENERAL_NAME
*
gn
;
gotSAN
=
1
;
if
(
ntype
==
IS_DNS
)
{
domain
=
strchr
(
name
,
'.'
);
if
(
domain
)
{
...
...
@@ -774,6 +765,41 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
}
}
}
}
if
(
ret
!=
LDAP_SUCCESS
&&
chkSAN
)
{
switch
(
chkSAN
)
{
case
LDAP_OPT_X_TLS_DEMAND
:
case
LDAP_OPT_X_TLS_HARD
:
if
(
!
gotSAN
)
{
Debug0
(
LDAP_DEBUG_ANY
,
"TLS: unable to get subjectAltName from peer certificate.
\n
"
);
ret
=
LDAP_CONNECT_ERROR
;
if
(
ld
->
ld_error
)
{
LDAP_FREE
(
ld
->
ld_error
);
}
ld
->
ld_error
=
LDAP_STRDUP
(
_
(
"TLS: unable to get subjectAltName from peer certificate"
));
goto
done
;
}
/* FALLTHRU */
case
LDAP_OPT_X_TLS_TRY
:
if
(
gotSAN
)
{
Debug1
(
LDAP_DEBUG_ANY
,
"TLS: hostname (%s) does not match "
"subjectAltName in certificate.
\n
"
,
name
);
ret
=
LDAP_CONNECT_ERROR
;
if
(
ld
->
ld_error
)
{
LDAP_FREE
(
ld
->
ld_error
);
}
ld
->
ld_error
=
LDAP_STRDUP
(
_
(
"TLS: hostname does not match subjectAltName in peer certificate"
));
goto
done
;
}
break
;
case
LDAP_OPT_X_TLS_ALLOW
:
break
;
}
}
if
(
ret
!=
LDAP_SUCCESS
)
{
X509_NAME
*
xn
;
...
...
@@ -836,9 +862,10 @@ no_cn:
LDAP_FREE
(
ld
->
ld_error
);
}
ld
->
ld_error
=
LDAP_STRDUP
(
_
(
"TLS: hostname does not match
CN
in peer certificate"
));
_
(
"TLS: hostname does not match
name
in peer certificate"
));
}
}
done:
X509_free
(
x
);
return
ret
;
}
...
...
@@ -869,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
static
int
tlso_session_endpoint
(
tls_session
*
sess
,
struct
berval
*
buf
,
int
is_server
)
{
#if OPENSSL_VERSION_NUMBER >= 0x00908000
tlso_session
*
s
=
(
tlso_session
*
)
sess
;
const
EVP_MD
*
md
;
unsigned
int
md_len
;
...
...
@@ -909,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
buf
->
bv_len
=
md_len
;
return
md_len
;
#else
return
0
;
#endif
}
static
const
char
*
...
...
@@ -1435,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
RSA
*
tmp_rsa
;
/* FIXME: Pregenerate the key on startup */
/* FIXME: Who frees the key? */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
BIGNUM
*
bn
=
BN_new
();
tmp_rsa
=
NULL
;
if
(
bn
)
{
...
...
@@ -1448,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
}
BN_free
(
bn
);
}
#else
tmp_rsa
=
RSA_generate_key
(
key_length
,
RSA_F4
,
NULL
,
NULL
);
#endif
if
(
!
tmp_rsa
)
{
Debug2
(
LDAP_DEBUG_ANY
,
...
...
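Review bot: In tlso_ctx_init the failure path of `SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )` logs `lo->ldo_tls_ecname`, so the call and the message read two different fields; if they always hold the same string the log should use `lt->lt_ecname` for consistency, and if they can differ the message is misleading. Dropping the `is_server &&` guard also means the curve list now applies to client contexts as well, a behaviour change worth a comment next to the `if ( lo->ldo_tls_ecname )` test, e.g. `/* applies to client and server contexts alike; set1_curves_list constrains the curves offered/accepted */`. The function continues outside the hunk.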
libraries/librewrite/subst.c
...
...
@@ -32,7 +32,7 @@ rewrite_subst_compile(
{
size_t
subs_len
;
struct
berval
*
subs
=
NULL
,
*
tmps
;
struct
rewrite_submatch
*
submatch
=
NULL
;
struct
rewrite_submatch
*
submatch
=
NULL
,
*
tmpsm
;
struct
rewrite_subst
*
s
=
NULL
;
...
...
@@ -71,7 +71,16 @@ rewrite_subst_compile(
goto
cleanup
;
}
subs
=
tmps
;
subs
[
nsub
].
bv_val
=
NULL
;
tmpsm
=
(
struct
rewrite_submatch
*
)
realloc
(
submatch
,
sizeof
(
struct
rewrite_submatch
)
*
(
nsub
+
1
)
);
if
(
tmpsm
==
NULL
)
{
goto
cleanup
;
}
submatch
=
tmpsm
;
submatch
[
nsub
].
ls_map
=
NULL
;
/*
* I think an `if l > 0' at runtime is better outside than
* inside a function call ...
...
...
@@ -95,19 +104,12 @@ rewrite_subst_compile(
* Substitution pattern
*/
if
(
isdigit
(
(
unsigned
char
)
p
[
1
]
)
)
{
struct
rewrite_submatch
*
tmpsm
;
int
d
=
p
[
1
]
-
'0'
;
/*
* Add a new value substitution scheme
*/
tmpsm
=
(
struct
rewrite_submatch
*
)
realloc
(
submatch
,
sizeof
(
struct
rewrite_submatch
)
*
(
nsub
+
1
)
);
if
(
tmpsm
==
NULL
)
{
goto
cleanup
;
}
submatch
=
tmpsm
;
submatch
[
nsub
].
ls_submatch
=
d
;
/*
...
...
@@ -140,7 +142,6 @@ rewrite_subst_compile(
*/
}
else
if
(
p
[
1
]
==
'{'
)
{
struct
rewrite_map
*
map
;
struct
rewrite_submatch
*
tmpsm
;
map
=
rewrite_map_parse
(
info
,
p
+
2
,
(
const
char
**
)
&
begin
);
...
...
@@ -152,13 +153,6 @@ rewrite_subst_compile(
/*
* Add a new value substitution scheme
*/
tmpsm
=
(
struct
rewrite_submatch
*
)
realloc
(
submatch
,
sizeof
(
struct
rewrite_submatch
)
*
(
nsub
+
1
)
);
if
(
tmpsm
==
NULL
)
{
rewrite_map_destroy
(
&
map
);
goto
cleanup
;
}
submatch
=
tmpsm
;
submatch
[
nsub
].
ls_type
=
REWRITE_SUBMATCH_MAP_W_ARG
;
submatch
[
nsub
].
ls_map
=
map
;
...
...
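Review bot: The `submatch` realloc hoisted into the common path of rewrite_subst_compile initializes only `ls_map` of the new slot, leaving `ls_type` and `ls_submatch` holding whatever the heap returned until the branch that handles the pattern fills them; if the `cleanup:` path (outside the hunk) inspects `ls_type` while tearing down partially built entries, that is a read of indeterminate memory. Clearing the whole element, `memset( &submatch[ nsub ], 0, sizeof submatch[ nsub ] );`, in place of the single `ls_map = NULL` assignment makes the slot safe whichever branch follows. The parallel `subs[ nsub ].bv_val = NULL` write is good; a comment saying both arrays are kept NULL-terminated for cleanup would help the next reader.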
servers/slapd/Makefile.in
...
...
@@ -372,7 +372,7 @@ install-local-srv: install-slapd install-tools \
install-slapd
:
FORCE
-
$(MKDIR)
$(DESTDIR)$(libexecdir)
-
$(MKDIR)
$(DESTDIR)$(localstatedir)
/run
$(LTINSTALL)
$(INSTALLFLAGS)
$(STRIP)
-m
755
\
$(LTINSTALL)
$(INSTALLFLAGS)
$(STRIP
_OPTS
)
-m
755
\
slapd
$(EXEEXT)
$(DESTDIR)$(libexecdir)
@
for
i
in
$(SUBDIRS)
;
do
\
if
test
-d
$$
i
&&
test
-f
$$
i/Makefile
;
then
\
...
...
servers/slapd/bconfig.c
...
...
@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
"EQUALITY caseExactMatch "
"SYNTAX OMsDirectoryString SINGLE-VALUE )"
,
NULL
,
NULL
},
{
"TLSCRLCheck"
,
NULL
,
2
,
2
,
0
,
#if defined(HAVE_TLS) && defined(HAVE_OPENSSL
_CRL
)
#if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
CFG_TLS_CRLCHECK
|
ARG_STRING
|
ARG_MAGIC
,
&
config_tls_config
,
#else
ARG_IGNORED
,
NULL
,
...
...
servers/slapd/config.c
...
...
@@ -1488,9 +1488,11 @@ static slap_cf_aux_table bindkey[] = {
{
BER_BVC
(
"tls_cacert="
),
offsetof
(
slap_bindconf
,
sb_tls_cacert
),
's'
,
1
,
NULL
},
{
BER_BVC
(
"tls_cacertdir="
),
offsetof
(
slap_bindconf
,
sb_tls_cacertdir
),
's'
,
1
,
NULL
},
{
BER_BVC
(
"tls_reqcert="
),
offsetof
(
slap_bindconf
,
sb_tls_reqcert
),
's'
,
0
,
NULL
},
{
BER_BVC
(
"tls_reqsan="
),
offsetof
(
slap_bindconf
,
sb_tls_reqsan
),
's'
,
0
,
NULL
},
{
BER_BVC
(
"tls_cipher_suite="
),
offsetof
(
slap_bindconf
,
sb_tls_cipher_suite
),
's'
,
0
,
NULL
},
{
BER_BVC
(
"tls_protocol_min="
),
offsetof
(
slap_bindconf
,
sb_tls_protocol_min
),
's'
,
0
,
NULL
},
#ifdef HAVE_OPENSSL_CRL
{
BER_BVC
(
"tls_ecname="
),
offsetof
(
slap_bindconf
,
sb_tls_ecname
),
's'
,
0
,
NULL
},
#ifdef HAVE_OPENSSL
{
BER_BVC
(
"tls_crlcheck="
),
offsetof
(
slap_bindconf
,
sb_tls_crlcheck
),
's'
,
0
,
NULL
},
#endif
#endif
...
...
@@ -1855,6 +1857,10 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free
(
bc
->
sb_tls_reqcert
);
bc
->
sb_tls_reqcert
=
NULL
;
}
if
(
bc
->
sb_tls_reqsan
)
{
ch_free
(
bc
->
sb_tls_reqsan
);
bc
->
sb_tls_reqsan
=
NULL
;
}
if
(
bc
->
sb_tls_cipher_suite
)
{
ch_free
(
bc
->
sb_tls_cipher_suite
);
bc
->
sb_tls_cipher_suite
=
NULL
;
...
...
@@ -1863,7 +1869,11 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free
(
bc
->
sb_tls_protocol_min
);
bc
->
sb_tls_protocol_min
=
NULL
;
}
#ifdef HAVE_OPENSSL_CRL
if
(
bc
->
sb_tls_ecname
)
{
ch_free
(
bc
->
sb_tls_ecname
);
bc
->
sb_tls_ecname
=
NULL
;
}
#ifdef HAVE_OPENSSL
if
(
bc
->
sb_tls_crlcheck
)
{
ch_free
(
bc
->
sb_tls_crlcheck
);
bc
->
sb_tls_crlcheck
=
NULL
;
...
...
@@ -1898,7 +1908,12 @@ bindconf_tls_defaults( slap_bindconf *bc )
&
bc
->
sb_tls_cipher_suite
);
if
(
!
bc
->
sb_tls_reqcert
)
bc
->
sb_tls_reqcert
=
ch_strdup
(
"demand"
);
#ifdef HAVE_OPENSSL_CRL
if
(
!
bc
->
sb_tls_reqsan
)
bc
->
sb_tls_reqsan
=
ch_strdup
(
"allow"
);
if
(
!
bc
->
sb_tls_ecname
)
slap_tls_get_config
(
slap_tls_ld
,
LDAP_OPT_X_TLS_ECNAME
,
&
bc
->
sb_tls_ecname
);
#ifdef HAVE_OPENSSL
if
(
!
bc
->
sb_tls_crlcheck
)
slap_tls_get_config
(
slap_tls_ld
,
LDAP_OPT_X_TLS_CRLCHECK
,
&
bc
->
sb_tls_crlcheck
);
...
...
@@ -1918,7 +1933,7 @@ static struct {
{
"tls_cacert"
,
offsetof
(
slap_bindconf
,
sb_tls_cacert
),
LDAP_OPT_X_TLS_CACERTFILE
},
{
"tls_cacertdir"
,
offsetof
(
slap_bindconf
,
sb_tls_cacertdir
),
LDAP_OPT_X_TLS_CACERTDIR
},
{
"tls_cipher_suite"
,
offsetof
(
slap_bindconf
,
sb_tls_cipher_suite
),
LDAP_OPT_X_TLS_CIPHER_SUITE
},
{
"tls_
protocol_min
"
,
offsetof
(
slap_bindconf
,
sb_tls_
protocol_min
),
LDAP_OPT_X_TLS_
PROTOCOL_MIN
},
{
"tls_
ecname
"
,
offsetof
(
slap_bindconf
,
sb_tls_
ecname
),
LDAP_OPT_X_TLS_
ECNAME
},
{
0
,
0
}
};
...
...
@@ -1951,6 +1966,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
res
=
-
1
;
}
}
if
(
bc
->
sb_tls_reqsan
)
{
rc
=
ldap_pvt_tls_config
(
ld
,
LDAP_OPT_X_TLS_REQUIRE_SAN
,
bc
->
sb_tls_reqsan
);
if
(
rc
)
{
Debug
(
LDAP_DEBUG_ANY
,
"bindconf_tls_set: failed to set tls_reqsan to %s
\n
"
,
bc
->
sb_tls_reqsan
);
res
=
-
1
;
}
}
if
(
bc
->
sb_tls_protocol_min
)
{
rc
=
ldap_pvt_tls_config
(
ld
,
LDAP_OPT_X_TLS_PROTOCOL_MIN
,
bc
->
sb_tls_protocol_min
);
...
...
@@ -1961,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
res
=
-
1
;
}
}
#ifdef HAVE_OPENSSL
_CRL
#ifdef HAVE_OPENSSL
if
(
bc
->
sb_tls_crlcheck
)
{
rc
=
ldap_pvt_tls_config
(
ld
,
LDAP_OPT_X_TLS_CRLCHECK
,
bc
->
sb_tls_crlcheck
);
...
...
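Review bot: bindconf_tls_defaults hard-codes `ch_strdup( "allow" )` for `sb_tls_reqsan`, duplicating the `LDAP_OPT_X_TLS_ALLOW` default that init.c sets for the library, whereas the neighbouring `sb_tls_ecname` default is fetched from `slap_tls_ld` through `slap_tls_get_config`; the two literals can drift apart silently. It mirrors the existing `"demand"` literal for reqcert, so at minimum a comment such as `/* keep in sync with the ldo_tls_require_san default in libldap/init.c */` should tie them together. In bindconf_tls_set the new block follows the reqcert pattern and logs the rejected value on failure, which is fine. bindconf_free, bindconf_tls_defaults and bindconf_tls_set all continue outside their hunks.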
servers/slapd/overlays/auditlog.c
...
...
@@ -219,6 +219,7 @@ int auditlog_initialize() {
int
rc
;
auditlog
.
on_bi
.
bi_type
=
"auditlog"
;
auditlog
.
on_bi
.
bi_flags
=
SLAPO_BFLAG_SINGLE
;
auditlog
.
on_bi
.
bi_db_init
=
auditlog_db_init
;
auditlog
.
on_bi
.
bi_db_destroy
=
auditlog_db_destroy
;
auditlog
.
on_response
=
auditlog_response
;
...
...