...@@ -1052,6 +1052,7 @@ smbk5pwd_initialize(void) ...@@ -1052,6 +1052,7 @@ smbk5pwd_initialize(void)
smbk5pwd.on_bi.bi_type = "smbk5pwd"; smbk5pwd.on_bi.bi_type = "smbk5pwd";
smbk5pwd.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init; smbk5pwd.on_bi.bi_db_init = smbk5pwd_db_init;
smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open; smbk5pwd.on_bi.bi_db_open = smbk5pwd_db_open;
smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy; smbk5pwd.on_bi.bi_db_destroy = smbk5pwd_db_destroy;
......
...@@ -222,6 +222,7 @@ trace_initialize() ...@@ -222,6 +222,7 @@ trace_initialize()
{ {
trace.on_bi.bi_type = "trace"; trace.on_bi.bi_type = "trace";
trace.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
trace.on_bi.bi_db_init = trace_db_init; trace.on_bi.bi_db_init = trace_db_init;
trace.on_bi.bi_db_open = trace_db_open; trace.on_bi.bi_db_open = trace_db_open;
trace.on_bi.bi_db_config = trace_db_config; trace.on_bi.bi_db_config = trace_db_config;
......
...@@ -296,6 +296,7 @@ usn_init( void ) ...@@ -296,6 +296,7 @@ usn_init( void )
memset( &usn, 0, sizeof( slap_overinst ) ); memset( &usn, 0, sizeof( slap_overinst ) );
usn.on_bi.bi_type = "usn"; usn.on_bi.bi_type = "usn";
usn.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
usn.on_bi.bi_db_init = usn_db_init; usn.on_bi.bi_db_init = usn_db_init;
usn.on_bi.bi_db_destroy = usn_db_destroy; usn.on_bi.bi_db_destroy = usn_db_destroy;
usn.on_bi.bi_db_open = usn_db_open; usn.on_bi.bi_db_open = usn_db_open;
......
...@@ -740,7 +740,7 @@ and its contents need to be freed by the caller using ...@@ -740,7 +740,7 @@ and its contents need to be freed by the caller using
.BR ldap_memfree (3). .BR ldap_memfree (3).
.TP .TP
.B LDAP_OPT_X_TLS_ECNAME .B LDAP_OPT_X_TLS_ECNAME
Gets/sets the name of the curve used for Gets/sets the name of the curve(s) used for
elliptic curve key exchanges. elliptic curve key exchanges.
.BR invalue .BR invalue
must be must be
...@@ -815,6 +815,15 @@ one of ...@@ -815,6 +815,15 @@ one of
.BR LDAP_OPT_X_TLS_ALLOW , .BR LDAP_OPT_X_TLS_ALLOW ,
.BR LDAP_OPT_X_TLS_TRY . .BR LDAP_OPT_X_TLS_TRY .
.TP .TP
.B LDAP_OPT_X_TLS_REQUIRE_SAN
Sets/gets the peer certificate subjectAlternativeName checking strategy,
one of
.BR LDAP_OPT_X_TLS_NEVER ,
.BR LDAP_OPT_X_TLS_HARD ,
.BR LDAP_OPT_X_TLS_DEMAND ,
.BR LDAP_OPT_X_TLS_ALLOW ,
.BR LDAP_OPT_X_TLS_TRY .
.TP
.B LDAP_OPT_X_TLS_SSL_CTX .B LDAP_OPT_X_TLS_SSL_CTX
Gets the TLS session context associated with this handle. Gets the TLS session context associated with this handle.
.BR outvalue .BR outvalue
......
...@@ -327,6 +327,12 @@ is always used before ...@@ -327,6 +327,12 @@ is always used before
Specifies the file that contains the client certificate. Specifies the file that contains the client certificate.
.B This is a user-only option. .B This is a user-only option.
.TP .TP
.B TLS_ECNAME <name>
Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This option is only used for OpenSSL.
This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification.
.TP
.B TLS_KEY <filename> .B TLS_KEY <filename>
Specifies the file that contains the private key that matches the certificate Specifies the file that contains the private key that matches the certificate
stored in the stored in the
...@@ -419,6 +425,37 @@ certificate is provided, or a bad certificate is provided, the session ...@@ -419,6 +425,37 @@ certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting. is immediately terminated. This is the default setting.
.RE .RE
.TP .TP
.B TLS_REQSAN <level>
Specifies what checks to perform on the subjectAlternativeName
(SAN) extensions in a server certificate when validating the certificate
name against the specified hostname of the server. The
.B <level>
can be specified as one of the following keywords:
.RS
.TP
.B never
The client will not check any SAN in the certificate.
.TP
.B allow
The SAN is checked against the specified hostname. If a SAN is
present but none match the specified hostname, the SANs are ignored
and the usual check against the certificate DN is used.
This is the default setting.
.TP
.B try
The SAN is checked against the specified hostname. If no SAN is present
in the server certificate, the usual check against the certificate DN
is used. If a SAN is present but doesn't match the specified hostname,
the session is immediately terminated. This setting may be preferred
when a mix of certs with and without SANs are in use.
.TP
.B demand | hard
These keywords are equivalent. The SAN is checked against the specified
hostname. If no SAN is present in the server certificate, or no SANs
match, the session is immediately terminated. This setting should be
used when only certificates with SANs are in use.
.RE
.TP
.B TLS_CRLCHECK <level> .B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This used to verify if the server certificates have not been revoked. This
......
...@@ -908,9 +908,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites ...@@ -908,9 +908,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites
are not used. are not used.
.TP .TP
.B olcTLSECName: <name> .B olcTLSECName: <name>
Specify the name of a curve to use for Elliptic curve Diffie-Hellman Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This is required to enable ECDHE algorithms in ephemeral key exchange. This option is only used for OpenSSL.
OpenSSL. This option is not used with GnuTLS; the curves may be This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. chosen in the GnuTLS ciphersuite specification.
.TP .TP
.B olcTLSProtocolMin: <major>[.<minor>] .B olcTLSProtocolMin: <major>[.<minor>]
......
...@@ -1139,9 +1139,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites ...@@ -1139,9 +1139,9 @@ You should append "!ADH" to your cipher suites to ensure that these suites
are not used. are not used.
.TP .TP
.B TLSECName <name> .B TLSECName <name>
Specify the name of a curve to use for Elliptic curve Diffie-Hellman Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
ephemeral key exchange. This is required to enable ECDHE algorithms in ephemeral key exchange. This option is only used for OpenSSL.
OpenSSL. This option is not used with GnuTLS; the curves may be This option is not used with GnuTLS; the curves may be
chosen in the GnuTLS ciphersuite specification. chosen in the GnuTLS ciphersuite specification.
.TP .TP
.B TLSProtocolMin <major>[.<minor>] .B TLSProtocolMin <major>[.<minor>]
......
...@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL ...@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_CERT 0x6017 #define LDAP_OPT_X_TLS_CERT 0x6017
#define LDAP_OPT_X_TLS_KEY 0x6018 #define LDAP_OPT_X_TLS_KEY 0x6018
#define LDAP_OPT_X_TLS_PEERKEY_HASH 0x6019 #define LDAP_OPT_X_TLS_PEERKEY_HASH 0x6019
#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a
#define LDAP_OPT_X_TLS_NEVER 0 #define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1 #define LDAP_OPT_X_TLS_HARD 1
......
...@@ -373,9 +373,6 @@ ...@@ -373,9 +373,6 @@
/* Define to 1 if you have the <openssl/bn.h> header file. */ /* Define to 1 if you have the <openssl/bn.h> header file. */
#undef HAVE_OPENSSL_BN_H #undef HAVE_OPENSSL_BN_H
/* define if you have OpenSSL with CRL checking capability */
#undef HAVE_OPENSSL_CRL
/* Define to 1 if you have the <openssl/crypto.h> header file. */ /* Define to 1 if you have the <openssl/crypto.h> header file. */
#undef HAVE_OPENSSL_CRYPTO_H #undef HAVE_OPENSSL_CRYPTO_H
......
...@@ -119,12 +119,14 @@ static const struct ol_attribute { ...@@ -119,12 +119,14 @@ static const struct ol_attribute {
{0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE}, {0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE},
{0, ATTR_TLS, "TLS_CACERTDIR", NULL, LDAP_OPT_X_TLS_CACERTDIR}, {0, ATTR_TLS, "TLS_CACERTDIR", NULL, LDAP_OPT_X_TLS_CACERTDIR},
{0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT}, {0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
{0, ATTR_TLS, "TLS_REQSAN", NULL, LDAP_OPT_X_TLS_REQUIRE_SAN},
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE}, {0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE}, {0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
{0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN}, {0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN},
{0, ATTR_TLS, "TLS_PEERKEY_HASH", NULL, LDAP_OPT_X_TLS_PEERKEY_HASH}, {0, ATTR_TLS, "TLS_PEERKEY_HASH", NULL, LDAP_OPT_X_TLS_PEERKEY_HASH},
{0, ATTR_TLS, "TLS_ECNAME", NULL, LDAP_OPT_X_TLS_ECNAME},
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK}, {0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
#endif #endif
#ifdef HAVE_GNUTLS #ifdef HAVE_GNUTLS
...@@ -596,6 +598,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl ...@@ -596,6 +598,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
gopts->ldo_tls_connect_cb = NULL; gopts->ldo_tls_connect_cb = NULL;
gopts->ldo_tls_connect_arg = NULL; gopts->ldo_tls_connect_arg = NULL;
gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
#endif #endif
gopts->ldo_keepalive_probes = 0; gopts->ldo_keepalive_probes = 0;
gopts->ldo_keepalive_interval = 0; gopts->ldo_keepalive_interval = 0;
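Review bot: The new default `gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;` is the most security-relevant line of the patch and carries no comment: per the TLS_REQSAN text added elsewhere in this commit, `allow` means a SAN that is present but matches nothing is ignored and the legacy CN comparison decides the outcome, which is the behaviour RFC 6125 §6.4.4 advises against once dNSName SANs exist. The choice is defensible for backward compatibility, but it should be stated in place, e.g. `/* "allow": a SAN mismatch falls back to the CN check, preserving previous behaviour; "try" or "demand" gives RFC 6125 semantics */`. Consider also whether `bindconf_tls_defaults` (a later hunk), which hard-codes the string `"allow"` for slapd's outbound connections, should derive its default from this value rather than duplicating it. ldap_int_initialize_global_options begins outside the hunk.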
......
...@@ -285,6 +285,7 @@ struct ldapoptions { ...@@ -285,6 +285,7 @@ struct ldapoptions {
int ldo_tls_require_cert; int ldo_tls_require_cert;
int ldo_tls_impl; int ldo_tls_impl;
int ldo_tls_crlcheck; int ldo_tls_crlcheck;
int ldo_tls_require_san;
char *ldo_tls_pin_hashalg; char *ldo_tls_pin_hashalg;
struct berval ldo_tls_pin; struct berval ldo_tls_pin;
#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0,0,{0,0} #define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0,0,{0,0}
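Review bot: `LDAP_LDO_TLS_NULLARG` looks like a positional zero-initializer for the TLS members of `struct ldapoptions`, and it was not extended for the new `ldo_tls_require_san`; reading its shape (`{0,0}` for `ldo_tls_pin`, five scalars before it), the `{0,0}` now lands on `ldo_tls_pin_hashalg` and `ldo_tls_pin` is left to implicit zeroing. That is harmless today because every value is zero, but it is a brace list on a scalar (a diagnostic on most compilers) and will break the first time a non-zero default is added to the sequence. I cannot see the members above `ldo_tls_require_cert`, so confirm the count, then add one `0`: `#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0,0,0,{0,0}`. The struct definition begins outside the hunk.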
......
...@@ -486,7 +486,8 @@ retry: ...@@ -486,7 +486,8 @@ retry:
#ifdef LDAP_CONNECTIONLESS #ifdef LDAP_CONNECTIONLESS
if ( LDAP_IS_UDP(ld) ) { if ( LDAP_IS_UDP(ld) ) {
struct sockaddr_storage from; struct sockaddr_storage from;
ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ); if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 )
goto fail;
if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1; if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
} }
nextresp3: nextresp3:
...@@ -502,10 +503,11 @@ nextresp3: ...@@ -502,10 +503,11 @@ nextresp3:
break; break;
case LBER_DEFAULT: case LBER_DEFAULT:
fail:
err = sock_errno(); err = sock_errno();
#ifdef LDAP_DEBUG #ifdef LDAP_DEBUG
Debug0( LDAP_DEBUG_CONNS, Debug1( LDAP_DEBUG_CONNS,
"ber_get_next failed.\n" ); "ber_get_next failed, errno=%d.\n", err );
#endif #endif
if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING; if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING; if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
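Review bot: The new `fail:` label sits inside `case LBER_DEFAULT:`, so a failed `ber_int_sb_read()` on the UDP path (the `goto fail` added in the previous hunk) is reported as `ber_get_next failed, errno=%d` although `ber_get_next` was never called on that path, which will mislead anyone debugging a CLDAP socket error. Either log the UDP failure before the `goto`, e.g. `Debug1( LDAP_DEBUG_CONNS, "ber_int_sb_read failed, errno=%d.\n", sock_errno() );`, or word the shared message neutrally, e.g. `"read from connection failed, errno=%d.\n"`. A `/* also reached from the UDP pre-read above */` comment on the label would help a future reader as well. The enclosing function continues outside the hunk.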
......
...@@ -342,7 +342,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host ) ...@@ -342,7 +342,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
Sockbuf *sb = conn->lconn_sb; Sockbuf *sb = conn->lconn_sb;
int err; int err;
tls_session *ssl = NULL; tls_session *ssl = NULL;
char *sni = host; char *sni = (char *)host;
if ( HAS_TLS( sb )) { if ( HAS_TLS( sb )) {
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
...@@ -580,10 +580,12 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg ) ...@@ -580,10 +580,12 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
case LDAP_OPT_X_TLS_CIPHER_SUITE: case LDAP_OPT_X_TLS_CIPHER_SUITE:
case LDAP_OPT_X_TLS_DHFILE: case LDAP_OPT_X_TLS_DHFILE:
case LDAP_OPT_X_TLS_PEERKEY_HASH: case LDAP_OPT_X_TLS_PEERKEY_HASH:
case LDAP_OPT_X_TLS_ECNAME:
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
return ldap_pvt_tls_set_option( ld, option, (void *) arg ); return ldap_pvt_tls_set_option( ld, option, (void *) arg );
case LDAP_OPT_X_TLS_REQUIRE_CERT: case LDAP_OPT_X_TLS_REQUIRE_CERT:
case LDAP_OPT_X_TLS_REQUIRE_SAN:
case LDAP_OPT_X_TLS: case LDAP_OPT_X_TLS:
i = -1; i = -1;
if ( strcasecmp( arg, "never" ) == 0 ) { if ( strcasecmp( arg, "never" ) == 0 ) {
...@@ -627,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg ) ...@@ -627,7 +629,7 @@ ldap_pvt_tls_config( LDAP *ld, int option, const char *arg )
} }
return ldap_pvt_tls_set_option( ld, option, &i ); return ldap_pvt_tls_set_option( ld, option, &i );
} }
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
i = -1; i = -1;
if ( strcasecmp( arg, "none" ) == 0 ) { if ( strcasecmp( arg, "none" ) == 0 ) {
...@@ -714,7 +716,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) ...@@ -714,7 +716,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_REQUIRE_CERT: case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = lo->ldo_tls_require_cert; *(int *)arg = lo->ldo_tls_require_cert;
break; break;
#ifdef HAVE_OPENSSL_CRL case LDAP_OPT_X_TLS_REQUIRE_SAN:
*(int *)arg = lo->ldo_tls_require_san;
break;
#ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck; *(int *)arg = lo->ldo_tls_crlcheck;
break; break;
...@@ -920,7 +925,19 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) ...@@ -920,7 +925,19 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
return 0; return 0;
} }
return -1; return -1;
#ifdef HAVE_OPENSSL_CRL case LDAP_OPT_X_TLS_REQUIRE_SAN:
if ( !arg ) return -1;
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_NEVER:
case LDAP_OPT_X_TLS_DEMAND:
case LDAP_OPT_X_TLS_ALLOW:
case LDAP_OPT_X_TLS_TRY:
case LDAP_OPT_X_TLS_HARD:
lo->ldo_tls_require_san = * (int *) arg;
return 0;
}
return -1;
#ifdef HAVE_OPENSSL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1; if ( !arg ) return -1;
switch( *(int *) arg ) { switch( *(int *) arg ) {
......
...@@ -559,6 +559,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) ...@@ -559,6 +559,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{ {
tlsg_session *s = (tlsg_session *)session; tlsg_session *s = (tlsg_session *)session;
int i, ret; int i, ret;
int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
const gnutls_datum_t *peer_cert_list; const gnutls_datum_t *peer_cert_list;
unsigned int list_size; unsigned int list_size;
char altname[NI_MAXHOST]; char altname[NI_MAXHOST];
...@@ -620,12 +621,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) ...@@ -620,12 +621,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
} }
} }
if (chkSAN) {
for ( i=0, ret=0; ret >= 0; i++ ) { for ( i=0, ret=0; ret >= 0; i++ ) {
altnamesize = sizeof(altname); altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_subject_alt_name( cert, i, ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
altname, &altnamesize, NULL ); altname, &altnamesize, NULL );
if ( ret < 0 ) break; if ( ret < 0 ) break;
gotSAN = 1;
/* ignore empty */ /* ignore empty */
if ( altnamesize == 0 ) continue; if ( altnamesize == 0 ) continue;
...@@ -661,7 +664,44 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) ...@@ -661,7 +664,44 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
} }
if ( ret >= 0 ) { if ( ret >= 0 ) {
ret = LDAP_SUCCESS; ret = LDAP_SUCCESS;
} else { }
}
if (ret != LDAP_SUCCESS && chkSAN) {
switch(chkSAN) {
case LDAP_OPT_X_TLS_DEMAND:
case LDAP_OPT_X_TLS_HARD:
if (!gotSAN) {
Debug0( LDAP_DEBUG_ANY,
"TLS: unable to get subjectAltName from peer certificate.\n" );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get subjectAltName from peer certificate"));
goto done;
}
/* FALLTHRU */
case LDAP_OPT_X_TLS_TRY:
if (gotSAN) {
Debug1( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"subjectAltName in certificate.\n",
name );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match subjectAltName in peer certificate"));
goto done;
}
break;
case LDAP_OPT_X_TLS_ALLOW:
break;
}
}
if ( ret != LDAP_SUCCESS ){
/* find the last CN */ /* find the last CN */
i=0; i=0;
do { do {
...@@ -715,9 +755,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) ...@@ -715,9 +755,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
LDAP_FREE( ld->ld_error ); LDAP_FREE( ld->ld_error );
} }
ld->ld_error = LDAP_STRDUP( ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate")); _("TLS: hostname does not match name in peer certificate"));
} }
} }
done:
gnutls_x509_crt_deinit( cert ); gnutls_x509_crt_deinit( cert );
return ret; return ret;
} }
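Review bot: When `chkSAN` is `LDAP_OPT_X_TLS_NEVER`, nothing in the new code gives `ret` a failure value before the CN fallback `if ( ret != LDAP_SUCCESS ){`: `ret` is declared without an initializer (see the `int i, ret;` hunk above) and is reused for GnuTLS return codes in the lines preceding `if (chkSAN) {`, which lie outside this hunk, so if the last such call succeeded `ret` is 0 == LDAP_SUCCESS and the function returns success without comparing the hostname against any name at all. The OpenSSL counterpart avoids this by starting from `ret = LDAP_LOCAL_ERROR`. Suggest closing the `if (chkSAN)` block here as `} else { ret = LDAP_LOCAL_ERROR; /* SAN check disabled: the CN check must decide */ }` so that `TLS_REQSAN never` still verifies the CN. tlsg_session_chkhost begins outside the hunk.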
......
...@@ -46,8 +46,6 @@ ...@@ -46,8 +46,6 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/dh.h> #include <openssl/dh.h>
#elif defined( HAVE_SSL_H )
#include <ssl.h>
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000 #if OPENSSL_VERSION_NUMBER >= 0x10100000
...@@ -244,11 +242,7 @@ tlso_destroy( void ) ...@@ -244,11 +242,7 @@ tlso_destroy( void )
#if OPENSSL_VERSION_NUMBER < 0x10100000 #if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_cleanup(); EVP_cleanup();
#if OPENSSL_VERSION_NUMBER < 0x10000000
ERR_remove_state(0);
#else
ERR_remove_thread_state(NULL); ERR_remove_thread_state(NULL);
#endif
ERR_free_strings(); ERR_free_strings();
#endif #endif
...@@ -453,34 +447,30 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) ...@@ -453,34 +447,30 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free( dh ); DH_free( dh );
} }
if ( is_server && lo->ldo_tls_ecname ) { if ( lo->ldo_tls_ecname ) {
#ifdef OPENSSL_NO_EC #ifdef OPENSSL_NO_EC
Debug0( LDAP_DEBUG_ANY, Debug0( LDAP_DEBUG_ANY,
"TLS: Elliptic Curves not supported.\n" ); "TLS: Elliptic Curves not supported.\n" );
return -1; return -1;
#else #else
EC_KEY *ecdh; if ( SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )) {
int nid = OBJ_sn2nid( lt->lt_ecname );
if ( nid == NID_undef ) {
Debug1( LDAP_DEBUG_ANY, Debug1( LDAP_DEBUG_ANY,
"TLS: could not use EC name `%s'.\n", "TLS: could not set EC name `%s'.\n",
lo->ldo_tls_ecname ); lo->ldo_tls_ecname );
tlso_report_error(); tlso_report_error();
return -1; return -1;
} }
ecdh = EC_KEY_new_by_curve_name( nid ); /*
if ( ecdh == NULL ) { * This is a NOP in OpenSSL 1.1.0 and later, where curves are always
Debug1( LDAP_DEBUG_ANY, * auto-negotiated.
"TLS: could not generate key for EC name `%s'.\n", */
lo->ldo_tls_ecname ); #if OPENSSL_VERSION_NUMBER < 0x10100000UL
tlso_report_error(); if ( SSL_CTX_set_ecdh_auto( ctx, 1 ) <= 0 ) {
return -1; Debug0( LDAP_DEBUG_ANY,
"TLS: could not enable automatic EC negotiation.\n" );
} }
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
EC_KEY_free( ecdh );
#endif #endif
#endif /* OPENSSL_NO_EC */
} }
if ( tlso_opt_trace ) { if ( tlso_opt_trace ) {
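Review bot: The return check `if ( SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )) {` is inverted: per the OpenSSL API this call returns 1 on success and 0 on failure, so a valid TLSECName is logged as `could not set EC name` and aborts context init, while an unparsable curve list is silently accepted and execution falls through to the ecdh_auto code. The line should read `if ( !SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )) {`. Note also that `SSL_CTX_set1_curves_list` exists only from OpenSSL 1.0.2, so this hunk raises the minimum supported OpenSSL; a version guard or a note in the build documentation would make that explicit. tlso_ctx_init continues outside the hunk.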
...@@ -502,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) ...@@ -502,7 +492,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
#if OPENSSL_VERSION_NUMBER < 0x10100000 #if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb ); SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
#endif #endif
#ifdef HAVE_OPENSSL_CRL
if ( lo->ldo_tls_crlcheck ) { if ( lo->ldo_tls_crlcheck ) {
X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx ); X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) { if ( lo->ldo_tls_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
...@@ -512,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) ...@@ -512,7 +501,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL ); X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
} }
} }
#endif
return 0; return 0;
} }
...@@ -666,6 +654,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) ...@@ -666,6 +654,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{ {
tlso_session *s = (tlso_session *)sess; tlso_session *s = (tlso_session *)sess;
int i, ret = LDAP_LOCAL_ERROR; int i, ret = LDAP_LOCAL_ERROR;
int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
X509 *x; X509 *x;
const char *name; const char *name;
char *ptr; char *ptr;
...@@ -703,7 +692,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) ...@@ -703,7 +692,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) { if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4; if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
} }
if (chkSAN) {
i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
if (i >= 0) { if (i >= 0) {
X509_EXTENSION *ex; X509_EXTENSION *ex;
...@@ -716,6 +706,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) ...@@ -716,6 +706,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
char *domain = NULL; char *domain = NULL;
GENERAL_NAME *gn; GENERAL_NAME *gn;
gotSAN = 1;
if (ntype == IS_DNS) { if (ntype == IS_DNS) {
domain = strchr(name, '.'); domain = strchr(name, '.');
if (domain) { if (domain) {
...@@ -774,6 +765,41 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) ...@@ -774,6 +765,41 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
} }
} }
} }
}
if (ret != LDAP_SUCCESS && chkSAN) {
switch(chkSAN) {
case LDAP_OPT_X_TLS_DEMAND:
case LDAP_OPT_X_TLS_HARD:
if (!gotSAN) {
Debug0( LDAP_DEBUG_ANY,
"TLS: unable to get subjectAltName from peer certificate.\n" );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get subjectAltName from peer certificate"));
goto done;
}
/* FALLTHRU */
case LDAP_OPT_X_TLS_TRY:
if (gotSAN) {
Debug1( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"subjectAltName in certificate.\n",
name );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match subjectAltName in peer certificate"));
goto done;
}
break;
case LDAP_OPT_X_TLS_ALLOW:
break;
}
}
if (ret != LDAP_SUCCESS) { if (ret != LDAP_SUCCESS) {
X509_NAME *xn; X509_NAME *xn;
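Review bot: The `switch(chkSAN)` block added here is a line-for-line copy of the one added to tlsg_session_chkhost in tls_g.c (same cases, same two error strings, same `goto done`), so the SAN policy now lives in two backends that must be kept in sync by hand. Consider hoisting it into a shared helper in tls2.c, e.g. `int ldap_int_tls_san_policy( LDAP *ld, int chkSAN, int gotSAN, const char *name )` that sets `ld->ld_error` and returns LDAP_CONNECT_ERROR on rejection or LDAP_SUCCESS to continue to the CN check, and call it from both backends. While at it, add a `default:` case or a comment noting that `LDAP_OPT_X_TLS_NEVER` cannot reach this switch because `chkSAN` is non-zero here. tlso_session_chkhost begins and ends outside this hunk.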
...@@ -836,9 +862,10 @@ no_cn: ...@@ -836,9 +862,10 @@ no_cn:
LDAP_FREE( ld->ld_error ); LDAP_FREE( ld->ld_error );
} }
ld->ld_error = LDAP_STRDUP( ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate")); _("TLS: hostname does not match name in peer certificate"));
} }
} }
done:
X509_free(x); X509_free(x);
return ret; return ret;
} }
...@@ -869,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) ...@@ -869,7 +896,6 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
static int static int
tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
{ {
#if OPENSSL_VERSION_NUMBER >= 0x00908000
tlso_session *s = (tlso_session *)sess; tlso_session *s = (tlso_session *)sess;
const EVP_MD *md; const EVP_MD *md;
unsigned int md_len; unsigned int md_len;
...@@ -909,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) ...@@ -909,9 +935,6 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
buf->bv_len = md_len; buf->bv_len = md_len;
return md_len; return md_len;
#else
return 0;
#endif
} }
static const char * static const char *
...@@ -1435,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ) ...@@ -1435,7 +1458,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
RSA *tmp_rsa; RSA *tmp_rsa;
/* FIXME: Pregenerate the key on startup */ /* FIXME: Pregenerate the key on startup */
/* FIXME: Who frees the key? */ /* FIXME: Who frees the key? */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
BIGNUM *bn = BN_new(); BIGNUM *bn = BN_new();
tmp_rsa = NULL; tmp_rsa = NULL;
if ( bn ) { if ( bn ) {
...@@ -1448,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ) ...@@ -1448,9 +1470,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
} }
BN_free( bn ); BN_free( bn );
} }
#else
tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
#endif
if ( !tmp_rsa ) { if ( !tmp_rsa ) {
Debug2( LDAP_DEBUG_ANY, Debug2( LDAP_DEBUG_ANY,
......
...@@ -32,7 +32,7 @@ rewrite_subst_compile( ...@@ -32,7 +32,7 @@ rewrite_subst_compile(
{ {
size_t subs_len; size_t subs_len;
struct berval *subs = NULL, *tmps; struct berval *subs = NULL, *tmps;
struct rewrite_submatch *submatch = NULL; struct rewrite_submatch *submatch = NULL, *tmpsm;
struct rewrite_subst *s = NULL; struct rewrite_subst *s = NULL;
...@@ -71,7 +71,16 @@ rewrite_subst_compile( ...@@ -71,7 +71,16 @@ rewrite_subst_compile(
goto cleanup; goto cleanup;
} }
subs = tmps; subs = tmps;
subs[ nsub ].bv_val = NULL;
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_map = NULL;
/* /*
* I think an `if l > 0' at runtime is better outside than * I think an `if l > 0' at runtime is better outside than
* inside a function call ... * inside a function call ...
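Review bot: The early `realloc` leaves `submatch[ nsub ]` only partially initialized: `ls_map` is nulled here, but `ls_type` and `ls_submatch` are assigned later on the two branches further down the function, so if a subsequent `goto cleanup` (e.g. the `rewrite_map_parse` error path) frees the array by inspecting `ls_type`, it reads an indeterminate value. I cannot see `cleanup:` from here, but zeroing the whole element costs nothing and removes the doubt: replace `submatch[ nsub ].ls_map = NULL;` with `memset( &submatch[ nsub ], 0, sizeof( submatch[ nsub ] ) );`. rewrite_subst_compile begins and ends outside this hunk.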
...@@ -95,19 +104,12 @@ rewrite_subst_compile( ...@@ -95,19 +104,12 @@ rewrite_subst_compile(
* Substitution pattern * Substitution pattern
*/ */
if ( isdigit( (unsigned char) p[ 1 ] ) ) { if ( isdigit( (unsigned char) p[ 1 ] ) ) {
struct rewrite_submatch *tmpsm;
int d = p[ 1 ] - '0'; int d = p[ 1 ] - '0';
/* /*
* Add a new value substitution scheme * Add a new value substitution scheme
*/ */
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_submatch = d; submatch[ nsub ].ls_submatch = d;
/* /*
...@@ -140,7 +142,6 @@ rewrite_subst_compile( ...@@ -140,7 +142,6 @@ rewrite_subst_compile(
*/ */
} else if ( p[ 1 ] == '{' ) { } else if ( p[ 1 ] == '{' ) {
struct rewrite_map *map; struct rewrite_map *map;
struct rewrite_submatch *tmpsm;
map = rewrite_map_parse( info, p + 2, map = rewrite_map_parse( info, p + 2,
(const char **)&begin ); (const char **)&begin );
...@@ -152,13 +153,6 @@ rewrite_subst_compile( ...@@ -152,13 +153,6 @@ rewrite_subst_compile(
/* /*
* Add a new value substitution scheme * Add a new value substitution scheme
*/ */
tmpsm = ( struct rewrite_submatch * )realloc( submatch,
sizeof( struct rewrite_submatch )*( nsub + 1 ) );
if ( tmpsm == NULL ) {
rewrite_map_destroy( &map );
goto cleanup;
}
submatch = tmpsm;
submatch[ nsub ].ls_type = submatch[ nsub ].ls_type =
REWRITE_SUBMATCH_MAP_W_ARG; REWRITE_SUBMATCH_MAP_W_ARG;
submatch[ nsub ].ls_map = map; submatch[ nsub ].ls_map = map;
......
...@@ -372,7 +372,7 @@ install-local-srv: install-slapd install-tools \ ...@@ -372,7 +372,7 @@ install-local-srv: install-slapd install-tools \
install-slapd: FORCE install-slapd: FORCE
-$(MKDIR) $(DESTDIR)$(libexecdir) -$(MKDIR) $(DESTDIR)$(libexecdir)
-$(MKDIR) $(DESTDIR)$(localstatedir)/run -$(MKDIR) $(DESTDIR)$(localstatedir)/run
$(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \ $(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 \
slapd$(EXEEXT) $(DESTDIR)$(libexecdir) slapd$(EXEEXT) $(DESTDIR)$(libexecdir)
@for i in $(SUBDIRS); do \ @for i in $(SUBDIRS); do \
if test -d $$i && test -f $$i/Makefile ; then \ if test -d $$i && test -f $$i/Makefile ; then \
......
...@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = { ...@@ -812,7 +812,7 @@ static ConfigTable config_back_cf_table[] = {
"EQUALITY caseExactMatch " "EQUALITY caseExactMatch "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSCRLCheck", NULL, 2, 2, 0, { "TLSCRLCheck", NULL, 2, 2, 0,
#if defined(HAVE_TLS) && defined(HAVE_OPENSSL_CRL) #if defined(HAVE_TLS) && defined(HAVE_OPENSSL)
CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config, CFG_TLS_CRLCHECK|ARG_STRING|ARG_MAGIC, &config_tls_config,
#else #else
ARG_IGNORED, NULL, ARG_IGNORED, NULL,
......
...@@ -1488,9 +1488,11 @@ static slap_cf_aux_table bindkey[] = { ...@@ -1488,9 +1488,11 @@ static slap_cf_aux_table bindkey[] = {
{ BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL }, { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
{ BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL }, { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
{ BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL }, { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
{ BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 0, NULL },
{ BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL }, { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
{ BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL }, { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
#ifdef HAVE_OPENSSL_CRL { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
#ifdef HAVE_OPENSSL
{ BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL }, { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
#endif #endif
#endif #endif
...@@ -1855,6 +1857,10 @@ void bindconf_free( slap_bindconf *bc ) { ...@@ -1855,6 +1857,10 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free( bc->sb_tls_reqcert ); ch_free( bc->sb_tls_reqcert );
bc->sb_tls_reqcert = NULL; bc->sb_tls_reqcert = NULL;
} }
if ( bc->sb_tls_reqsan ) {
ch_free( bc->sb_tls_reqsan );
bc->sb_tls_reqsan = NULL;
}
if ( bc->sb_tls_cipher_suite ) { if ( bc->sb_tls_cipher_suite ) {
ch_free( bc->sb_tls_cipher_suite ); ch_free( bc->sb_tls_cipher_suite );
bc->sb_tls_cipher_suite = NULL; bc->sb_tls_cipher_suite = NULL;
...@@ -1863,7 +1869,11 @@ void bindconf_free( slap_bindconf *bc ) { ...@@ -1863,7 +1869,11 @@ void bindconf_free( slap_bindconf *bc ) {
ch_free( bc->sb_tls_protocol_min ); ch_free( bc->sb_tls_protocol_min );
bc->sb_tls_protocol_min = NULL; bc->sb_tls_protocol_min = NULL;
} }
#ifdef HAVE_OPENSSL_CRL if ( bc->sb_tls_ecname ) {
ch_free( bc->sb_tls_ecname );
bc->sb_tls_ecname = NULL;
}
#ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) { if ( bc->sb_tls_crlcheck ) {
ch_free( bc->sb_tls_crlcheck ); ch_free( bc->sb_tls_crlcheck );
bc->sb_tls_crlcheck = NULL; bc->sb_tls_crlcheck = NULL;
...@@ -1898,7 +1908,12 @@ bindconf_tls_defaults( slap_bindconf *bc ) ...@@ -1898,7 +1908,12 @@ bindconf_tls_defaults( slap_bindconf *bc )
&bc->sb_tls_cipher_suite ); &bc->sb_tls_cipher_suite );
if ( !bc->sb_tls_reqcert ) if ( !bc->sb_tls_reqcert )
bc->sb_tls_reqcert = ch_strdup("demand"); bc->sb_tls_reqcert = ch_strdup("demand");
#ifdef HAVE_OPENSSL_CRL if ( !bc->sb_tls_reqsan )
bc->sb_tls_reqsan = ch_strdup("allow");
if ( !bc->sb_tls_ecname )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
&bc->sb_tls_ecname );
#ifdef HAVE_OPENSSL
if ( !bc->sb_tls_crlcheck ) if ( !bc->sb_tls_crlcheck )
slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK, slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
&bc->sb_tls_crlcheck ); &bc->sb_tls_crlcheck );
...@@ -1918,7 +1933,7 @@ static struct { ...@@ -1918,7 +1933,7 @@ static struct {
{ "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE }, { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
{ "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR }, { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
{ "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE }, { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
{ "tls_protocol_min", offsetof(slap_bindconf, sb_tls_protocol_min), LDAP_OPT_X_TLS_PROTOCOL_MIN }, { "tls_ecname", offsetof(slap_bindconf, sb_tls_ecname), LDAP_OPT_X_TLS_ECNAME },
{0, 0} {0, 0}
}; };
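Review bot: The table silently drops `tls_protocol_min` in favour of `tls_ecname`, and nothing explains why an option that remains configurable leaves this list. From the `LDAP_OPT_X_TLS_*` column the table appears to feed string values straight to the option setter, which would be wrong for `tls_protocol_min` (an integer option that `bindconf_tls_set` already parses via `ldap_pvt_tls_config` in a later hunk) — if so, the removal is a fix and deserves a comment above the table such as `/* string-valued TLS options only; keyword options (tls_reqcert, tls_reqsan, tls_protocol_min, tls_crlcheck) are parsed in bindconf_tls_set() */`. The table's opening line is in the hunk header, outside the visible lines.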
...@@ -1951,6 +1966,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) ...@@ -1951,6 +1966,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
res = -1; res = -1;
} }
} }
if ( bc->sb_tls_reqsan ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
bc->sb_tls_reqsan );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_reqsan to %s\n",
bc->sb_tls_reqsan );
res = -1;
}
}
if ( bc->sb_tls_protocol_min ) { if ( bc->sb_tls_protocol_min ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
bc->sb_tls_protocol_min ); bc->sb_tls_protocol_min );
...@@ -1961,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) ...@@ -1961,7 +1986,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
res = -1; res = -1;
} }
} }
#ifdef HAVE_OPENSSL_CRL #ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) { if ( bc->sb_tls_crlcheck ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK, rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
bc->sb_tls_crlcheck ); bc->sb_tls_crlcheck );
......
...@@ -219,6 +219,7 @@ int auditlog_initialize() { ...@@ -219,6 +219,7 @@ int auditlog_initialize() {
int rc; int rc;
auditlog.on_bi.bi_type = "auditlog"; auditlog.on_bi.bi_type = "auditlog";
auditlog.on_bi.bi_flags = SLAPO_BFLAG_SINGLE;
auditlog.on_bi.bi_db_init = auditlog_db_init; auditlog.on_bi.bi_db_init = auditlog_db_init;
auditlog.on_bi.bi_db_destroy = auditlog_db_destroy; auditlog.on_bi.bi_db_destroy = auditlog_db_destroy;
auditlog.on_response = auditlog_response; auditlog.on_response = auditlog_response;
......