free(NULL) is supposed to be safe. "Portable wrapper libraries"
that fail to preserve this behavior are inherently broken.
But then again, this is Mozilla code, so that's redundant.
LDAP_CONNECTIONLESS code assumed that the size of an peer address
is equal to or smaller than sizeof (struct sockaddr).
Fix to use struct sockaddr_storage instead which is intended for
this purpose. Use getnameinfo() where appropriate so we don't
assume anything about the contents of struct sockaddr
Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.
The patch unconditionally enabled DHparams, which is a significant
change of behavior. Reverting to previous behavior, which only enables
DH use if a DHparam file was configured.
If a DHParamFile or olcDHParamFile is specified, then it will be used,
otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
larger parameters; previously only 512 or 1024 bit parameters would ever be
used.
If a DHParamFile or olcDHParamFile is specified then it will be loaded. This
allows use of DHE/EDH cipher suites which was previously impossible with
GnuTLS.
If a timeout is set, perform the SSL Handshake using non-blocking IO. This way
we can timeout if SSL Handshake gets stuck for whatever reason.
This code is currently hidden behind #ifdefs (LDAP_USE_NON_BLOCKING_TLS) and
disabled by default as there seem to be some problems using NON-blocking
I/O during the TLS Handshake when linking against NSS (either a bug in NSS
itself of in tls_m.c, see discussion on -devel)
This patch adds an additional parameter to ldap_int_poll() in order to indicate
if we're waiting in order to perform a read or write operation.
There are cases where the user may want to force the use of a particular
PKCS11 device to use for a given certificate. Allow the user to do this
with MozNSS by specifying the cert as "tokenname:certnickname" where
token name is the name of a token/slot in a PKCS11 device and certnickname
is the nickname of a certificate on that device.
Add a mutex in ldap_pvt_gettime(), delete the mutex comment
since it's no longer relevant (and was ignored anyway). This
could only ever affect multi-processor machines.
PEM certificates should not be referenced by nicknames, because the
nicknames are derived from basename of the cerificate file and in
general are not easy-predictable.
The code of Mozilla NSS backend depends on some aspects of PEM module
and tries to guess the nicknames correctly. In some cases the guessing
is wrong.
