upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-24 00:29:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
22306 commits 38 branches 309 tags 68 MiB
Commit graph

1879 commits

Author SHA1 Message Date
Jan Vcelak
cbf5f03476 ITS#7389 - MozNSS: load certificates from certdb, fallback to PEM 
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.

This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.
 2017-10-06 13:59:07 -07:00
Ian Puleston
46c93e41f4 ITS#8167 Fix non-blocking TLS with referrals 2017-10-06 13:57:13 -07:00
Quanah Gibson-Mount
35a880c53e ITS#8687 - EGD is disabled by default in OpenSSL 1.1. We need to comment out this block if it is not detected. Particularly affects cross compilation. 2017-10-06 13:48:40 -07:00
sca+openldap@andreasschulze.de
90835da72f ITS#8578 - remove unused-variables in RE24 testing call (2.4.45) 2017-10-06 10:45:08 -07:00
Jan Vcelak
19fd969d21 ITS#7374 - MozNSS: better file name matching for hashed CA certificate directory 
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
file extension was '.0'. However the file name should be 8 letters long
certificate hash of the certificate subject name, followed by a numeric
suffix which is used to differentiate between two certificates with the
same subject name.

Wit this patch, certificate file names are matched correctly (using
regular expressions).
 2017-10-06 10:44:13 -07:00
Jan Vcelak
acc5b88661 ITS#7373 - TLS: do not reuse tls_session if hostname check fails 
If multiple servers are specified, the connection to the first one
succeeds, and the hostname verification fails, *tls_session is not
dropped, but reused when connecting to the second server.

This is a problem with Mozilla NSS backend because another handshake
cannot be performed on the same file descriptor. From this reason,
hostname checking was moved into ldap_int_tls_connect() before
connection error handling.
 2017-10-06 10:44:07 -07:00
Quanah Gibson-Mount
43a039eba4 ITS#7428 - Non-blocking TLS is not compatible with MOZNSS 2017-09-26 10:59:08 -07:00
Quanah Gibson-Mount
c1512eea58 Fix typo "errror" -> "error" 2017-09-08 12:03:02 -07:00
Howard Chu
01a5eeac1d ITS#8727 plug ber leaks 2017-09-08 16:35:32 +01:00
Howard Chu
738723866e ITS#8717 call connection delete callbacks 
When TLS fails to start
 2017-09-06 21:46:09 +01:00
Ryan Tandy
431c4af526 ITS#8648 init SASL library in global init 2017-05-07 21:29:44 +00:00
Ryan Tandy
e437b12277 ITS#8648 check result of ldap_int_initialize in ldap_{get,set}_option 2017-05-07 20:16:25 +00:00
Ryan Tandy
7b5181da8c ITS#8650 retry gnutls_handshake after GNUTLS_E_AGAIN 2017-05-06 22:50:13 +00:00
Howard Chu
9e051001d4 Add GnuTLS support for direct DER config of cacert/cert/key 
Followon to b402a2805f
 2017-04-10 00:21:08 +01:00
Howard Chu
2e011eeb67 Fixup cacert option 2017-04-09 15:39:13 +01:00
Howard Chu
83fb515555 Fixup cacert/cert/key options 
Add get_option support, allow delete by setting a NULL arg.
 2017-04-09 14:49:48 +01:00
Howard Chu
b402a2805f Add options to use DER format cert+keys directly 
Instead of loading from files.
 2017-04-09 00:13:42 +01:00
Quanah Gibson-Mount
eb8f1a7247 ITS#8353, ITS#8533 - Cleanup for libldap_r 2017-04-07 13:39:11 -07:00
Quanah Gibson-Mount
6ced84af79 ITS#8353, ITS#8533 - Fix libldap_r compilation 2017-04-06 15:12:02 -07:00
Quanah Gibson-Mount
01cbb7f4c6 ITS#8353, ITS#8533 - Ensure that the deprecated API is not used when using OpenSSL 1.1 or later 2017-04-06 11:47:06 -07:00
Howard Guo
4962dd6083 ITS#8529 Avoid hiding the error if user specified CA does not load 
The TLS configuration deliberately hid the error in case that
user specified CA locations cannot be read, by loading CAs from default
locations; and when user does not specify CA locations, the CAs from default
locations are not read at all.

This patch corrects the behaviour so that CAs from default location are used
if user does not specify a CA location, and user is informed of the error if
CAs cannot be loaded from the user specified location.
 2017-02-22 09:56:17 -08:00
Howard Chu
9773f43b11 ITS#8585 Fail ldap_result if handle is already bad 2017-02-07 13:00:05 +00:00
Howard Chu
2bf650d95e ITS#8533 OpenSSL 1.1.0c compat 2017-01-11 14:12:45 +00:00
Quanah Gibson-Mount
1df85d3427 Happy New Year! 2017-01-03 12:36:47 -08:00
Howard Chu
283f3ae171 ITS#8385 Fix use-after-free with GnuTLS 2016-03-12 11:03:29 +00:00
Howard Chu
6bb6d5e3c6 ITS#8353 more for OpenSSL 1.1 compat 
tmp_rsa callback has been removed from OpenSSL 1.1
Use new X509_NAME accessor function to retrieve DER bytes
 2016-01-31 03:29:28 +00:00
Quanah Gibson-Mount
6c4d6c880b Happy New Year! 2016-01-29 13:32:05 -06:00
Howard Chu
f3a7bf79db ITS#8353 partial fix 
Use newly added SSL_CTX_up_ref()
Still waiting for X509_NAME accessor
 2016-01-26 18:06:46 +00:00
Howard Chu
f2d0aa7d22 ITS#8353 partial fixes 
ERR_remove_state() is deprecated since OpenSSL 1.0.0
Use X509_NAME_ENTRY_get_object() instead of direct access.
 2016-01-21 18:05:42 +00:00
Howard Chu
597ce61000 ITS#8295 fix Windows microsecond timer 
Also add ldap_pvt_gettimeofday() to
emulate gettimeofday on Windows
 2015-10-28 13:49:25 +00:00
Howard Chu
28a02271f0 ITS#8273 Windows file:// URL fixup 2015-10-19 08:52:28 +01:00
Howard Chu
db3175eaba ITS#8262 more 
extended ops
 2015-10-02 05:14:53 +01:00
Howard Chu
34ccd14f3e ITS#8262 add ldap_build_*_req functions 
Basic ops except abandon and unbind; since they get no reply
it's not important for the caller to know their msgID.
 2015-10-02 05:02:15 +01:00
Howard Chu
e75fbc953f ITS#8201 LDAPSTACKGUARD feature 2015-07-16 18:58:23 +01:00
Howard Chu
4796f01209 ITS#8195 fix ITS#7027 regression, port number sign bit overflow 
Another bug from 5de85b922a
 2015-07-12 11:14:33 +01:00
Hallvard Furuseth
17853783df Silence warnings 2015-05-04 21:07:02 +02:00
Mikko Auvinen
de76b8d1ce ITS#8093 add LDAP_X_CONNECTING error string 2015-04-01 20:54:54 +01:00
Howard Chu
7aefa46b37 ITS#8090 fix for async connect 2015-04-01 20:54:12 +01:00
Quanah Gibson-Mount
1705fa7e55 Happy New Year 2015-02-11 15:36:57 -06:00
Howard Chu
79d90c3935 ITS#8050 fix ldap_get_option(LDAP_OPT_SESSION_REFCNT) 2015-02-04 03:16:20 +00:00
Howard Chu
e2b4366044 ITS#8028 fix ldap_new_connection 2015-01-21 01:02:12 +00:00
Howard Chu
fccca0ead9 Minor cleanup (coverity) 2015-01-14 16:59:54 +00:00
Howard Chu
bf4ed09c5e Plug leak (coverity) 2015-01-14 14:16:24 +00:00
Howard Chu
ae6347bac1 ITS#8022 an async connect may still succeed immediately 2015-01-12 22:27:58 +00:00
Howard Chu
234931acb0 ITS#8001 fix ldap_sync_initialize 2014-12-10 22:58:33 +00:00
Mark Reynolds
7a7d941943 ITS#7979 MozNSS fix for TLS_PROTOCOL_MIN 
Fix NSS code to check for TLS_PROCOTOL_MIN, and then set the SSL
version range(min and max). Also updated SSL version string map
table to support up to TLSv1.3
 2014-11-13 15:11:40 +00:00
Howard Chu
d06073d0d6 Fix a1e3b1cf3c 
copy/paste error
 2014-10-15 11:11:08 +01:00
Howard Chu
b36bd703d7 ITS#7967 fix abandon regression 
From ITS#7712, avoid double-free of request
 2014-10-15 11:08:29 +01:00
Kurt Zeilenga
a1e3b1cf3c Fix pointer incompatibility issue on some platforms 
Don't assume tv_sec is a time_t.
 2014-10-10 11:56:31 -07:00
Howard Chu
eef1ca007f ITS#7027 actually implement RFC 2782 shuffle 2014-07-21 22:17:21 -07:00