upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-23 16:19:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
23926 commits 38 branches 309 tags 68 MiB
Commit graph

2028 commits

Author SHA1 Message Date
Ondřej Kuzník
639e5f15fd ITS#9081 Do not leak sb (ITS#8755 regression) 2019-09-23 17:27:18 +01:00
Ryan Tandy
63c82c0ed7 ITS#9069 Do not call gnutls_global_set_mutex() 
Since GnuTLS moved to implicit initialization on library load, calling
this function deinitializes GnuTLS and then re-initializes it.

When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
available, or older versions of GnuTLS), and the application closed all
file descriptors at startup, this could result in GnuTLS opening
/dev/urandom over one of the application's file descriptors when
re-initialized.

Additionally, the custom mutex functions are never reset, so if libldap
is unloaded (for example via dlclose()) after calling this, its code may
be unmapped and the application could crash when GnuTLS calls the mutex
functions.

On typical systems, GnuTLS system mutexes are probably the same as what
libldap uses anyway.
 2019-09-12 13:16:30 -07:00
Quanah Gibson-Mount
0eed0ccefc ITS#7585 - Windows doesn't support LDAPI 
Adjust patch for ITS#7585 as Windows does not have LDAPI support.
 2019-07-23 14:45:16 +00:00
Quanah Gibson-Mount
4ccd139355 Revert "use AI_ADDRCONFIG if defined in the environment" 
This reverts commit ebf0ef5cb1.

Depends on custom glibc from RedHat
 2019-07-19 16:24:45 +00:00
Quanah Gibson-Mount
403c01b5e6 Fix previous commit. It broke builds where --with-cyrus-sasl=no is set. 2019-06-27 17:44:18 +00:00
Howard Chu
b02807ea2f Cleanup limits in cyrus.c 2019-06-25 15:31:31 +01:00
Ondřej Kuzník
b2f4cacd47 ITS#7996 Use a separate mutex in ldap_int_initialize 2019-06-21 12:19:38 +02:00
Ondřej Kuzník
60754d77c8 ITS#8755 Do not close the default SockBuf a second time 2019-06-20 16:58:25 +02:00
Jame Gerwe
6c177e6629 ITS#8794 - Fix implicit declaration for ldap_is_ldapc_url 
Fix building OpenLDAP with -DLDAP_CONNECTIONLESS so that ldap_is_ldapc_url function is defined
 2019-06-17 17:25:29 +00:00
Ondřej Kuzník
5e8aa3f6d1 ITS#8754 Don't try IPv6 addresses unless configured to 2019-06-13 10:24:43 +02:00
Côme Chilliet
2cac3ceb03 ITS#8674 Return correct result from ldap_create_assertion_control_value 
ldap_create_assertion_control_value was returning ld->ld_errno
 upon success without reseting it to LDAP_SUCCESS first
 2019-06-12 16:57:13 +02:00
Ondřej Kuzník
db40120a27 ITS#7996 Tighten race in ldap_int_initialize 2019-06-12 11:53:38 +02:00
Ondřej Kuzník
860daa0989 ITS#7042 More to unsetting opts with an empty string 2019-06-12 11:50:14 +02:00
Patrick Monnerat
0f9afae02d ITS#7042 Allow unsetting of tls_* syncrepl options. 
This can be done by setting them to an empty string value.
 2019-06-11 15:36:03 +02:00
Jan Vcelak
ebf0ef5cb1 use AI_ADDRCONFIG if defined in the environment 2019-05-13 15:33:55 +00:00
Sumit Bose
6c5a79be98 ITS#7585 fix ldapi with SASL_NOCANON 
Was using the ldapi socket path as a hostname
 2019-04-18 21:57:04 +01:00
Ondřej Kuzník
5b55054544 Do not allocate a new cbinding if we have one already. 2019-03-27 10:54:42 +00:00
Ondřej Kuzník
aba073e171 ITS#8980 Actually return the computed status 2019-03-19 16:46:03 +00:00
Nadezhda Ivanova
f239bbd3c6 Add LDAP_OPT_KEEPCONN option 
This option instructs try_read1msg to not free the connection on read error
or on Notice of disconnections, but leave it to the caller. It is needed,
for example, by back-asyncmeta, who expects to have control on when
its target connections are freed. Must be used with caution.
 2019-02-28 17:27:54 +00:00
Vernon Smith
8158888085 ITS#8980 fix async connections with non-blocking TLS 2019-02-28 17:02:40 +00:00
Howard Chu
06d289f985 ITS#8983 Add draft Persistent Search 2019-02-25 15:19:33 +00:00
Ondřej Kuzník
e6ae7d5136 ITS#8731 Make loading ldap-int.h possible from server code again 2019-02-19 17:14:26 +00:00
Ondřej Kuzník
cd914149a6 Make prototypes available where needed 2019-02-19 10:26:39 +00:00
Ondřej Kuzník
09cec1f1b4 ITS#8731 Apply doc/devel/variadic_debug/03-libldap_Debug.cocci 2019-02-15 16:51:53 +00:00
Ondřej Kuzník
254d2adab0 ITS#8731 Rework logging 2019-02-15 16:51:53 +00:00
Quanah Gibson-Mount
09ff530036 ITS#8957 - Fix ASYNC TLS 
Fix ASYNC TLS by correctly handling a return code of -2 in addition to 0
 2019-01-31 23:28:36 +00:00
Quanah Gibson-Mount
50b33cc6b8 ITS#8968 - Fix ASYNC connection on Solaris 10 
Fixes ASYNC connections to handle a return code of ENOTCONN as this is
what Solaris 10 does.
 2019-01-31 23:28:28 +00:00
Howard Chu
e8c62bf8b4 ITS#8966 add changelog support to syncrepl consumer 
Tested against DSEE7. The DSEE binaries must be in your path to run the test script.
 2019-01-29 18:51:43 -08:00
Quanah Gibson-Mount
b45a6a7dc7 Happy New Year! 2019-01-14 18:46:16 +00:00
Howard Chu
d3b1558dcb ITS#8353 CRYPTO_set_id_callback deprecated in OpenSSL 0.9.9 2019-01-02 10:16:40 +00:00
Howard Chu
18e0bcb7de Add MS AD persistent search ctrl 2018-12-13 05:44:46 -08:00
Howard Chu
de998c3518 DirSync ctrl requires critical 2018-11-18 02:47:21 +00:00
Howard Chu
a9bfce1292 Add some MS AD controls 2018-11-17 18:33:41 -08:00
Ondřej Kuzník
10a6ffa3e9 Expose ldap_int_tls_connect as ldap_pvt_tls_connect 2018-10-22 11:35:31 +01:00
Howard Chu
d7a778004b ITS#8809 add missing includes 2018-09-21 18:42:34 +01:00
Ryan Tandy
4c1ab16ade Revert "ITS#8650 retry gnutls_handshake after GNUTLS_E_AGAIN" 
This reverts commit 7b5181da8c.
 2018-09-18 19:16:31 -07:00
Ondřej Kuzník
b0244fc869 ITS#8842 Do some printability checks on the dc RDN 2018-07-02 16:18:26 +01:00
Ondřej Kuzník
8a259e3df1 ITS#8573 allow all libldap options in tools -o option 2018-06-14 16:19:10 +01:00
Quanah Gibson-Mount
59e9ff6243 Happy New Year 2018-03-22 15:35:24 +00:00
Howard Chu
650b4822ce Avoid unnecessary C99 initializers 2018-01-25 15:40:26 +00:00
Howard Chu
f09ffffcbd Cleanup warnings 2018-01-25 15:36:00 +00:00
Bradley Baetz
e5ee07785e ITS#8791 fix OpenSSL 1.1.1 BIO_method compat 
Use the new methods unconditionally, define helper functions for older versions.
 2018-01-25 15:28:51 +00:00
Soohoon Lee
1863245f49 ITS#8484 - Fix MozNSS initialization 2017-12-08 07:00:02 -08:00
Howard Chu
f82ca15a18 ITS#8782 plug memleaks in cancel 2017-12-04 16:00:33 +00:00
Quanah Gibson-Mount
f5da6638ec ITS#8753, ITS#8774 - Fix compilation with older versions of OpenSSL 2017-11-17 14:30:45 -08:00
Ondřej Kuzník
8e34ed8c78 ITS#8753 Public key pinning support in libldap 2017-11-13 17:24:49 +00:00
Ondřej Kuzník
91ebfc82ea ITS#8753 Move base64 decoding to separate file 2017-11-13 16:51:01 +00:00
Josh Soref
10566c8be3 ITS#8605 - spelling fixes 
* javascript
* kernel
* ldap
* length
* macros
* maintained
* manager
* matching
* maximum
* mechanism
* memory
* method
* mimic
* minimum
* modifiable
* modifiers
* modifying
* multiple
* necessary
* normalized
* objectclass
* occurrence
* occurring
* offered
* operation
* original
* overridden
* parameter
* permanent
* preemptively
* printable
* protocol
* provider
* really
* redistribution
* referenced
* refresh
* regardless
* registered
* request
* reserved
* resource
* response
* sanity
* separated
* setconcurrency
* should
* specially
* specifies
* structure
* structures
* subordinates
* substitution
* succeed
* successful
* successfully
* sudoers
* sufficient
* superiors
* supported
* synchronization
* terminated
* they're
* through
* traffic
* transparent
* unsigned
* unsupported
* version
* absence
* achieves
* adamson
* additional
* address
* against
* appropriate
* architecture
* associated
* async
* attribute
* authentication
* authorized
* auxiliary
* available
* begin
* beginning
* buffered
* canonical
* certificate
* charray
* check
* class
* compatibility
* compilation
* component
* configurable
* configuration
* configure
* conjunction
* constraints
* constructor
* contained
* containing
* continued
* control
* convenience
* correspond
* credentials
* cyrillic
* database
* definitions
* deloldrdn
* dereferencing
* destroy
* distinguish
* documentation
* emmanuel
* enabled
* entry
* enumerated
* everything
* exhaustive
* existence
* existing
* explicitly
* extract
* fallthru
* fashion
* february
* finally
* function
* generically
* groupname
* happened
* implementation
* including
* initialization
* initializes
* insensitive
* instantiated
* instantiation
* integral
* internal
* iterate
 2017-10-11 14:39:38 -07:00
Nathaniel McCallum
29f6260364 ITS#7532 - Add new function ldap_connect(). 
This function is used to manually establish a connection after
a call to ldap_initialize(). This is primarily so that a file
descriptor can be obtained before any requests are sent for the
purposes of polling for writability.
 2017-10-11 14:31:22 -07:00
Jan Vcelak
cbf5f03476 ITS#7389 - MozNSS: load certificates from certdb, fallback to PEM 
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.

This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.
 2017-10-06 13:59:07 -07:00
Ian Puleston
46c93e41f4 ITS#8167 Fix non-blocking TLS with referrals 2017-10-06 13:57:13 -07:00
Quanah Gibson-Mount
35a880c53e ITS#8687 - EGD is disabled by default in OpenSSL 1.1. We need to comment out this block if it is not detected. Particularly affects cross compilation. 2017-10-06 13:48:40 -07:00
sca+openldap@andreasschulze.de
90835da72f ITS#8578 - remove unused-variables in RE24 testing call (2.4.45) 2017-10-06 10:45:08 -07:00
Jan Vcelak
19fd969d21 ITS#7374 - MozNSS: better file name matching for hashed CA certificate directory 
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
file extension was '.0'. However the file name should be 8 letters long
certificate hash of the certificate subject name, followed by a numeric
suffix which is used to differentiate between two certificates with the
same subject name.

Wit this patch, certificate file names are matched correctly (using
regular expressions).
 2017-10-06 10:44:13 -07:00
Jan Vcelak
acc5b88661 ITS#7373 - TLS: do not reuse tls_session if hostname check fails 
If multiple servers are specified, the connection to the first one
succeeds, and the hostname verification fails, *tls_session is not
dropped, but reused when connecting to the second server.

This is a problem with Mozilla NSS backend because another handshake
cannot be performed on the same file descriptor. From this reason,
hostname checking was moved into ldap_int_tls_connect() before
connection error handling.
 2017-10-06 10:44:07 -07:00
Quanah Gibson-Mount
43a039eba4 ITS#7428 - Non-blocking TLS is not compatible with MOZNSS 2017-09-26 10:59:08 -07:00
Quanah Gibson-Mount
c1512eea58 Fix typo "errror" -> "error" 2017-09-08 12:03:02 -07:00
Howard Chu
01a5eeac1d ITS#8727 plug ber leaks 2017-09-08 16:35:32 +01:00
Howard Chu
738723866e ITS#8717 call connection delete callbacks 
When TLS fails to start
 2017-09-06 21:46:09 +01:00
Ryan Tandy
431c4af526 ITS#8648 init SASL library in global init 2017-05-07 21:29:44 +00:00
Ryan Tandy
e437b12277 ITS#8648 check result of ldap_int_initialize in ldap_{get,set}_option 2017-05-07 20:16:25 +00:00
Ryan Tandy
7b5181da8c ITS#8650 retry gnutls_handshake after GNUTLS_E_AGAIN 2017-05-06 22:50:13 +00:00
Howard Chu
9e051001d4 Add GnuTLS support for direct DER config of cacert/cert/key 
Followon to b402a2805f
 2017-04-10 00:21:08 +01:00
Howard Chu
2e011eeb67 Fixup cacert option 2017-04-09 15:39:13 +01:00
Howard Chu
83fb515555 Fixup cacert/cert/key options 
Add get_option support, allow delete by setting a NULL arg.
 2017-04-09 14:49:48 +01:00
Howard Chu
b402a2805f Add options to use DER format cert+keys directly 
Instead of loading from files.
 2017-04-09 00:13:42 +01:00
Quanah Gibson-Mount
eb8f1a7247 ITS#8353, ITS#8533 - Cleanup for libldap_r 2017-04-07 13:39:11 -07:00
Quanah Gibson-Mount
6ced84af79 ITS#8353, ITS#8533 - Fix libldap_r compilation 2017-04-06 15:12:02 -07:00
Quanah Gibson-Mount
01cbb7f4c6 ITS#8353, ITS#8533 - Ensure that the deprecated API is not used when using OpenSSL 1.1 or later 2017-04-06 11:47:06 -07:00
Howard Guo
4962dd6083 ITS#8529 Avoid hiding the error if user specified CA does not load 
The TLS configuration deliberately hid the error in case that
user specified CA locations cannot be read, by loading CAs from default
locations; and when user does not specify CA locations, the CAs from default
locations are not read at all.

This patch corrects the behaviour so that CAs from default location are used
if user does not specify a CA location, and user is informed of the error if
CAs cannot be loaded from the user specified location.
 2017-02-22 09:56:17 -08:00
Howard Chu
9773f43b11 ITS#8585 Fail ldap_result if handle is already bad 2017-02-07 13:00:05 +00:00
Howard Chu
2bf650d95e ITS#8533 OpenSSL 1.1.0c compat 2017-01-11 14:12:45 +00:00
Quanah Gibson-Mount
1df85d3427 Happy New Year! 2017-01-03 12:36:47 -08:00
Howard Chu
283f3ae171 ITS#8385 Fix use-after-free with GnuTLS 2016-03-12 11:03:29 +00:00
Howard Chu
6bb6d5e3c6 ITS#8353 more for OpenSSL 1.1 compat 
tmp_rsa callback has been removed from OpenSSL 1.1
Use new X509_NAME accessor function to retrieve DER bytes
 2016-01-31 03:29:28 +00:00
Quanah Gibson-Mount
6c4d6c880b Happy New Year! 2016-01-29 13:32:05 -06:00
Howard Chu
f3a7bf79db ITS#8353 partial fix 
Use newly added SSL_CTX_up_ref()
Still waiting for X509_NAME accessor
 2016-01-26 18:06:46 +00:00
Howard Chu
f2d0aa7d22 ITS#8353 partial fixes 
ERR_remove_state() is deprecated since OpenSSL 1.0.0
Use X509_NAME_ENTRY_get_object() instead of direct access.
 2016-01-21 18:05:42 +00:00
Howard Chu
597ce61000 ITS#8295 fix Windows microsecond timer 
Also add ldap_pvt_gettimeofday() to
emulate gettimeofday on Windows
 2015-10-28 13:49:25 +00:00
Howard Chu
28a02271f0 ITS#8273 Windows file:// URL fixup 2015-10-19 08:52:28 +01:00
Howard Chu
db3175eaba ITS#8262 more 
extended ops
 2015-10-02 05:14:53 +01:00
Howard Chu
34ccd14f3e ITS#8262 add ldap_build_*_req functions 
Basic ops except abandon and unbind; since they get no reply
it's not important for the caller to know their msgID.
 2015-10-02 05:02:15 +01:00
Howard Chu
e75fbc953f ITS#8201 LDAPSTACKGUARD feature 2015-07-16 18:58:23 +01:00
Howard Chu
4796f01209 ITS#8195 fix ITS#7027 regression, port number sign bit overflow 
Another bug from 5de85b922a
 2015-07-12 11:14:33 +01:00
Hallvard Furuseth
17853783df Silence warnings 2015-05-04 21:07:02 +02:00
Mikko Auvinen
de76b8d1ce ITS#8093 add LDAP_X_CONNECTING error string 2015-04-01 20:54:54 +01:00
Howard Chu
7aefa46b37 ITS#8090 fix for async connect 2015-04-01 20:54:12 +01:00
Quanah Gibson-Mount
1705fa7e55 Happy New Year 2015-02-11 15:36:57 -06:00
Howard Chu
79d90c3935 ITS#8050 fix ldap_get_option(LDAP_OPT_SESSION_REFCNT) 2015-02-04 03:16:20 +00:00
Howard Chu
e2b4366044 ITS#8028 fix ldap_new_connection 2015-01-21 01:02:12 +00:00
Howard Chu
fccca0ead9 Minor cleanup (coverity) 2015-01-14 16:59:54 +00:00
Howard Chu
bf4ed09c5e Plug leak (coverity) 2015-01-14 14:16:24 +00:00
Howard Chu
ae6347bac1 ITS#8022 an async connect may still succeed immediately 2015-01-12 22:27:58 +00:00
Howard Chu
234931acb0 ITS#8001 fix ldap_sync_initialize 2014-12-10 22:58:33 +00:00
Mark Reynolds
7a7d941943 ITS#7979 MozNSS fix for TLS_PROTOCOL_MIN 
Fix NSS code to check for TLS_PROCOTOL_MIN, and then set the SSL
version range(min and max). Also updated SSL version string map
table to support up to TLSv1.3
 2014-11-13 15:11:40 +00:00
Howard Chu
d06073d0d6 Fix a1e3b1cf3c 
copy/paste error
 2014-10-15 11:11:08 +01:00
Howard Chu
b36bd703d7 ITS#7967 fix abandon regression 
From ITS#7712, avoid double-free of request
 2014-10-15 11:08:29 +01:00
Kurt Zeilenga
a1e3b1cf3c Fix pointer incompatibility issue on some platforms 
Don't assume tv_sec is a time_t.
 2014-10-10 11:56:31 -07:00
Howard Chu
eef1ca007f ITS#7027 actually implement RFC 2782 shuffle 2014-07-21 22:17:21 -07:00
Howard Chu
31995b535e ITS#7027 fix bugs in prev commit 2014-07-21 22:12:22 -07:00
James M Leddy
5de85b922a ITS#7027 Implement priority/weight for DNS SRV records 
From RFC 2782:

  A client MUST attempt to contact the target host with the
  lowest-numbered priority it can reach.

This patch sorts the DNS SRV records by their priority, and
additionally gives records with a larger weight a higher probability
of appearing earlier. This way, the DNS SRV records are tried in the
order of their priority.
 2014-07-21 19:31:59 -07:00
Howard Chu
3102cbbd55 ITS#7859 more for revert 2014-07-11 12:38:16 -07:00
Howard Chu
189f312d64 ITS#7859 refix 
This was actually broken by 65e163d2, ITS#6947. Reverting both
of those changes and fixing #6947 again.
 2014-07-11 12:29:15 -07:00
Ryan Tandy
7d2f9c6277 ITS#7877 assume gnutls is at least 2.12.0 2014-06-30 20:08:38 -07:00
Ryan Tandy
0fd0f24f03 ITS#7877 assume gnutls provides cipher suites 2014-06-30 20:08:17 -07:00
Ryan Tandy
829027945f ITS#7877 use nettle instead of gcrypt 2014-06-30 20:07:41 -07:00
Howard Chu
71ff674a02 ITS#7871 fix ldif-wrap length 
Doc has been updated to note the default was actually 78.
The off-by-two error is fixed. Note that wrap=1 will still
output 2 columns, otherwise it can't output anything besides
the continuation character.
 2014-06-04 00:52:01 -07:00
Howard Chu
b22a614224 ITS#7859 fix to read 4096-character lines 2014-05-26 11:08:14 -07:00
Howard Chu
106a4b90aa More for ITS#4365 refix CR/LF handling 
Was rejecting "-\r\n" in input LDIF
 2014-02-07 00:31:23 -08:00
Kurt Zeilenga
5c878c1bf2 Happy new year (belated) 2014-01-25 05:21:25 -08:00
Howard Chu
14868fcab6 ITS#7783 workaround stupid NSPR bug 
free(NULL) is supposed to be safe. "Portable wrapper libraries"
that fail to preserve this behavior are inherently broken.
But then again, this is Mozilla code, so that's redundant.
 2014-01-12 13:51:09 -08:00
Pierangelo Masarati
2358b35c58 fix years old cut'n'paste 2013-12-28 11:12:42 +01:00
Howard Chu
79b12f2f93 ITS#7762 shortcut NULL RDNs 2013-12-11 04:41:48 -08:00
Howard Chu
80e6316d37 ITS#7759 avoid assert in parse_passwdpolicy_control 2013-12-07 08:36:14 -08:00
Howard Chu
f8efeb4278 ITS#7757 plug memleak 2013-12-03 14:16:20 -08:00
Stef Walter
743a9783d5 ITS#7694 Fix use of IPv6 with LDAP_CONNECTIONLESS 
LDAP_CONNECTIONLESS code assumed that the size of an peer address
is equal to or smaller than sizeof (struct sockaddr).

Fix to use struct sockaddr_storage instead which is intended for
this purpose. Use getnameinfo() where appropriate so we don't
assume anything about the contents of struct sockaddr
 2013-10-10 10:26:28 -07:00
Emily Backes
85003d8a54 ITS#7712 Fix lock ordering in libldap abandon 2013-09-30 15:31:27 -07:00
Quanah Gibson-Mount
1a712bf18e Enable features that were hidden behind LDAP_DEVEL 2013-09-19 09:50:52 -07:00
Howard Chu
16f8b0902c ITS#7398 add LDAP_OPT_X_TLS_PEERCERT 
retrieve peer cert for an active TLS session
 2013-09-10 04:31:39 -07:00
Howard Chu
0045e56c34 ITS#7683 more for tls version/cipher info 
Add LDAP_OPT_X_TLS_VERSION / LDAP_OPT_X_TLS_CIPHER for
retrieving from an LDAP session handle. Update ldap_get_option(3).
 2013-09-09 11:52:10 -07:00
Howard Chu
721e46fe66 ITS#7595 don't try to use EC if OpenSSL lacks it 2013-09-08 06:32:23 -07:00
Howard Chu
7d6d6944c5 ITS#7683 log tls prot/cipher info 
Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.
 2013-09-07 12:22:09 -07:00
Howard Chu
e631ce808e ITS#7595 Add Elliptic Curve support for OpenSSL 2013-09-07 09:47:40 -07:00
Howard Chu
0205e83f46 ITS#7430 GnuTLS: Avoid use of deprecated function 2013-09-07 09:41:46 -07:00
Howard Chu
3e100bb54d Add GnuTLS channel binding support 2013-09-07 09:38:47 -07:00
Howard Chu
cb00bb0218 Fix double-free on ciphersuite parse failure 
GnuTLS does an implicit free on failure.
 2013-09-07 08:58:25 -07:00
Howard Chu
cfeb28412c ITS#7506 fix prev commit 
The patch unconditionally enabled DHparams, which is a significant
change of behavior. Reverting to previous behavior, which only enables
DH use if a DHparam file was configured.
 2013-09-07 06:39:53 -07:00
Ben Jencks
6f120920d3 ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage. 
If a DHParamFile or olcDHParamFile is specified, then it will be used,
otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
larger parameters; previously only 512 or 1024 bit parameters would ever be
used.
 2013-09-07 06:33:39 -07:00
Howard Chu
a72d1ffe0f ITS#7506 cleanup prev commit 2013-09-07 06:31:58 -07:00
Ben Jencks
622d13a32e ITS#7506 tls_g.c: Properly support DHParamFile. 
If a DHParamFile or olcDHParamFile is specified then it will be loaded. This
allows use of DHE/EDH cipher suites which was previously impossible with
GnuTLS.
 2013-09-07 06:29:14 -07:00
Howard Chu
ca310ebff4 Add channel binding support 
Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.
 2013-08-26 23:31:48 -07:00
Philip Guenther
c6cf495247 ITS#7645 more OpenSSL TLS versions 2013-07-29 07:01:15 -07:00
Stef Walter
ffe383c27b ITS#7583 Fix ldap_init_fd() for LDAP_PROTO_UDP 
ldap_init_fd() tried to handle UDP sockets but was missing
certain key pieces to make it work. Fill in the address and
set the UDP flag correctly.
 2013-05-23 12:40:09 -07:00
Howard Chu
63312f109f ITS#7582 CLDAP, avoid ref to uninit'd memory 2013-05-23 12:36:15 -07:00
Howard Chu
1e68029078 Drop ldap_int_sasl_mutex 
It was introduced for Cyrus 1.5 in 2001; we've been on 2.x since 2002 and
Cyrus does its own locking when needed.
 2013-04-24 00:52:52 -07:00
Howard Chu
461db2de1a ITS#7497 fix lineno overflow in ldif_read_record() 2013-01-23 02:19:02 +00:00
David Bender
8f52aa24d3 ITS#7476 Prevent EINTR from stopping otherwise successful connect 2013-01-09 09:11:35 -08:00
Kurt Zeilenga
0fd1bf30b8 Happy New Year 2013-01-02 10:22:57 -08:00
Howard Chu
2565e974b9 ITS#7477 check for invalid LDIF 2012-12-19 09:15:09 -08:00
Ralf Haferkamp
c728ebf586 ITS#7428 Use non-blocking IO during SSL Handshake 
If a timeout is set, perform the SSL Handshake using non-blocking IO.  This way
we can timeout if SSL Handshake gets stuck for whatever reason.

This code is currently hidden behind #ifdefs (LDAP_USE_NON_BLOCKING_TLS) and
disabled by default as there seem to be some problems using NON-blocking
I/O during the TLS Handshake when linking against NSS (either a bug in NSS
itself of in tls_m.c, see discussion on -devel)

This patch adds an additional parameter to ldap_int_poll() in order to indicate
if we're waiting in order to perform a read or write operation.
 2012-11-21 14:25:18 +01:00
Rich Megginson
a0e48e7246 ITS#7360 accept nss certname in the form of tokenname:certnickname 
There are cases where the user may want to force the use of a particular
PKCS11 device to use for a given certificate.  Allow the user to do this
with MozNSS by specifying the cert as "tokenname:certnickname" where
token name is the name of a token/slot in a PKCS11 device and certnickname
is the nickname of a certificate on that device.
 2012-08-22 14:21:23 -07:00
Howard Chu
1ebf95c31b ITS#7359 cleanup for loop 2012-08-22 14:13:10 -07:00
Jan Vcelak
6833b8717a ITS#7359 MozNSS: fix whitespaces in all my changes 
To be compliant with OpenLDAP coding standards.
 2012-08-22 14:12:01 -07:00
Jan Vcelak
46dc6c424b ITS#7359 MozNSS: prefer unlocked slot when getting private key 2012-08-21 13:32:34 -07:00
Howard Chu
68c3cf9795 ITS#7358 fix ITS#7270 patch 
commit 8bb9e88d5f breaks Visual C
(as well as our own coding rules)
 2012-08-21 13:22:19 -07:00
Jan Vcelak
f425a07d02 ITS#7331 MozNSS: ignore untrusted issuer error when verifying server cert 
Untrusted issuer error can appear with self-signed PEM certificates.
 2012-07-26 10:16:39 -07:00
Mat Booth
e6d190c7de ITS#7332 Changes required to build with Microsoft Visual Studio 2012-07-23 08:29:39 -07:00
Emily Backes
c453a236fc Update name information 2012-07-22 07:08:35 -07:00
Howard Chu
43d47c46a7 ITS#6262 fix gettime() regression 
Add a mutex in ldap_pvt_gettime(), delete the mutex comment
since it's no longer relevant (and was ignored anyway). This
could only ever affect multi-processor machines.
 2012-07-11 16:53:33 -07:00
Jan Vcelak
2db5195650 ITS#7316 MozNSS: do not retry when reading the pin from file 
Avoid infinite loop if the pin in the password file is wrong.
 2012-06-26 06:47:48 -07:00