Fix bug # 153250 - need a way to set SSL options when using libssldap.

Added two new libssldap public functions: ldapssl_set_option() and
		ldapssl_get_option().
	Also fixed a bug in ldapsinit:do_ldapssl_connect() that sometimes
		caused PR_Close() to be called twice on an SSL file descriptor
		if an error occurred (once in do_ldapssl_connect() itself and
		once in the libprldap close function that is called from
		do_ldapssl_connect()).
	Also updated the NSPR and NSS "error code to string" mapping
		tables that are used by ldapssl_err2string().
	Also fixed a bug in common.c:ldaptool_print_lderror (LDAP command
		line tools) where we did not check for SSL errors when the
		error code was "can't connect."  We were only checking on
		"server down" errors.

directory/c-sdk/ldap/clients/tools/common.c

@@ -489,7 +489,7 @@ ldaptool_process_args( int argc, char **argv, char *extra_opts,
 	    else
 		passwd = strdup( optarg );
 	    break;
-	    case 'j':       /* bind password from file */
+	case 'j':       /* bind password from file */
 	    isj = 1;
 	    if ((password_fp = fopen( optarg, "r" )) == NULL ) {
 		fprintf(stderr, "%s: Unable to open '%s' file\n",
@@ -1106,7 +1106,8 @@ ldaptool_print_lderror( LDAP *ld, char *msg, int check4ssl )
     ldap_perror( ld, msg );
     if ( secure && check4ssl != LDAPTOOL_CHECK4SSL_NEVER ) {
 	if ( check4ssl == LDAPTOOL_CHECK4SSL_ALWAYS
-		|| ( lderr == LDAP_SERVER_DOWN )) {
+		|| ( lderr == LDAP_SERVER_DOWN )
+		|| ( lderr == LDAP_CONNECT_ERROR )) {
 	    int		sslerr = PORT_GetError();
 
 	    fprintf( stderr, "\tSSL error %d (%s)\n", sslerr,

directory/c-sdk/ldap/include/ldap_ssl.h

@@ -186,6 +186,21 @@ int LDAP_CALL ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
 int LDAP_CALL ldapssl_set_strength( LDAP *ld, int sslstrength );
 
 
+/*
+ * Set or get SSL options for an existing SSL-enabled LDAP session handle.
+ * If ld is NULL, the default options used for all future LDAP SSL sessions
+ * are the ones affected. The option values are specific to the underlying
+ * SSL provider; see ssl.h within the Network Security Services (NSS)
+ * distribution for the options supported by NSS (the default SSL provider).
+ *
+ * The ldapssl_set_option() function should be called before any LDAP
+ * connections are created.
+ *
+ * Both functions return 0 if all goes well.
+ */
+int LDAP_CALL ldapssl_set_option( LDAP *ld, int option, int on );
+int LDAP_CALL ldapssl_get_option( LDAP *ld, int option, int *onp );
+
 #ifdef __cplusplus
 }
 #endif

directory/c-sdk/ldap/libraries/libldap_ssl.ex

@@ -8,6 +8,8 @@
 458	ldapssl_err2string
 459	ldapssl_serverauth_init
 460 ldapssl_set_strength
+461 ldapssl_set_option
+462 ldapssl_get_option
 # the last Windows ordinal number that has been reserved for SSL is 469.
 
 # Windows ordinals 1100-1150 are reserved for privately/non-published

directory/c-sdk/ldap/libraries/libssldap/ldapsinit.c

@@ -56,6 +56,13 @@
 #include <ldappr.h>
 #include <pk11func.h>
 
+/*
+ * Macro that determines how many SSL options we support. As of June, 2002
+ * NSS supports 14 options numbered 1-14 (see nss/ssl.h).  We allow some
+ * room for expansion.
+ */
+#define LDAPSSL_MAX_SSL_OPTION		20
+
 /*
  * Data structure to hold the standard NSPR I/O function pointers set by
  * libprldap.   We save them in our session data structure so we can call
@@ -76,6 +83,8 @@ typedef struct ldapssl_std_functions {
 typedef struct ldapssl_session_info {
     int			lssei_using_pcks_fns;
     int			lssei_ssl_strength;
+    PRBool		lssei_ssl_option_value[LDAPSSL_MAX_SSL_OPTION+1];
+    PRBool		lssei_ssl_option_isset[LDAPSSL_MAX_SSL_OPTION+1];
     char		*lssei_certnickname;
     char        	*lssei_keypasswd;
     LDAPSSLStdFunctions	lssei_std_functions;
@@ -108,6 +117,8 @@ void set_using_pkcs_functions( int val )
 /*
  * Utility functions:
  */
+static int set_ssl_options( PRFileDesc *sslfd, PRBool *optval,
+	PRBool *optisset );
 static void ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp );
 static void ldapssl_free_socket_info( LDAPSSLSocketInfo **soipp );
 
@@ -136,8 +147,21 @@ static char *get_keypassword( PK11SlotInfo *slot, PRBool retry,
 /*
  * Static variables.
  */
+/* SSL strength setting for new LDAPS sessions */
 static int default_ssl_strength = LDAPSSL_AUTH_CERT;
 
+/*
+ * Arrays to track global defaults for SSL options. These are used for
+ * new LDAPS sessions. For each option, we track both the option value
+ * and a Boolean that indicates whether the value has been set using
+ * the ldapssl_set_option() call. If an option has not been set, we
+ * don't make any NSS calls to set it; that way, the default NSS option
+ * values are used. Similar arrays are included in the LDAPSSLSessionInfo
+ * structure so options can be set on a per-LDAP session basis as well.
+ */
+static PRBool default_ssl_option_value[LDAPSSL_MAX_SSL_OPTION+1] = {0};
+static PRBool default_ssl_option_isset[LDAPSSL_MAX_SSL_OPTION+1] = {0};
+
 
 /*
  * Like ldap_init(), except also install I/O routines from libsec so we
@@ -160,7 +184,7 @@ ldapssl_init( const char *defhost, int defport, int defsecure )
 
     if ( ldapssl_install_routines( ld ) < 0 || ldap_set_option( ld,
 		LDAP_OPT_SSL, defsecure ? LDAP_OPT_ON : LDAP_OPT_OFF ) != 0 ) {
-	PR_SetError( PR_UNKNOWN_ERROR, EINVAL );  /* XXXmcs: just a guess! */
+	PR_SetError( PR_GetError(), EINVAL );  /* XXXmcs: just a guess! */
 	ldap_unbind( ld );
 	return( NULL );
     }
@@ -276,6 +300,15 @@ do_ldapssl_connect(const char *hostlist, int defport, int timeout,
 	goto close_socket_and_exit_with_error;
     }
 
+    /*
+     * Set any SSL options that were modified by a previous call to
+     * the ldapssl_set_option() function. 
+     */
+    if ( set_ssl_options( sslfd, sseip->lssei_ssl_option_value,
+		sseip->lssei_ssl_option_isset ) < 0 ) {
+	goto close_socket_and_exit_with_error;
+    }
+
     /*
      * Let the standard NSPR to LDAP layer know about the new socket and
      * our own socket-specific data.
@@ -302,7 +335,7 @@ do_ldapssl_connect(const char *hostlist, int defport, int timeout,
     return( intfd );	/* success */
 
 close_socket_and_exit_with_error:
-    if ( NULL != sslfd ) {
+    if ( NULL != sslfd && sslfd != soi.soinfo_prfd ) {
 	PR_Close( sslfd );
     }
     if ( NULL != ssoip ) {
@@ -392,6 +425,10 @@ ldapssl_install_routines( LDAP *ld )
      *		lssei_certdbh
      */
     ssip->lssei_ssl_strength = default_ssl_strength;
+    memcpy( ssip->lssei_ssl_option_value, default_ssl_option_value,
+		sizeof(ssip->lssei_ssl_option_value));
+    memcpy( ssip->lssei_ssl_option_isset, default_ssl_option_isset,
+		sizeof(ssip->lssei_ssl_option_isset));
     ssip->lssei_using_pcks_fns = using_pkcs_functions;
     ssip->lssei_certdbh = CERT_GetDefaultCertDB();
 
@@ -406,7 +443,7 @@ ldapssl_install_routines( LDAP *ld )
 	return( -1 );
     }
 
-    /* override socket, connect, and ioctl */
+    /* override socket, connect, and disposehandle */
     ssip->lssei_std_functions.lssf_connect_fn = iofns.lextiof_connect;
     iofns.lextiof_connect = ldapssl_connect;
     ssip->lssei_std_functions.lssf_close_fn = iofns.lextiof_close;
@@ -542,6 +579,181 @@ ldapssl_set_strength( LDAP *ld, int sslstrength )
 }
 
 
+/*
+ * Set SSL options for an existing SSL-enabled LDAP session handle.
+ * If ld is NULL, the default options used for all future LDAP SSL sessions
+ * are the ones affected. The option values are specific to the underlying
+ * SSL provider; see ssl.h within the Network Security Services (NSS)
+ * distribution for the options supported by NSS (the default SSL provider).
+ *
+ * This function should be called before any LDAP connections are created.
+ *
+ * Returns: 0 if all goes well.
+ */
+int
+LDAP_CALL
+ldapssl_set_option( LDAP *ld, int option, int on )
+{
+    int		rc = 0;	/* assume success */
+
+    if ( option < 0 || option > LDAPSSL_MAX_SSL_OPTION ) {
+	ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
+	rc = -1; 
+    } else {
+	if ( NULL == ld ) {
+	    /* set default options for new LDAP sessions */
+	    default_ssl_option_value[option] = on;
+	    default_ssl_option_isset[option] = PR_TRUE;
+	} else {
+	    /* set session options */
+	    PRLDAPSessionInfo	sei;
+	    LDAPSSLSessionInfo	*sseip;
+
+	    memset( &sei, 0, sizeof( sei ));
+	    sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
+	    if ( prldap_get_session_info( ld, NULL, &sei ) == LDAP_SUCCESS ) {
+		sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
+		sseip->lssei_ssl_option_value[option] = on;
+		sseip->lssei_ssl_option_isset[option] = PR_TRUE;
+	    } else {
+		rc = -1;
+	    }
+	}
+    }
+
+    return( rc );
+}
+
+
+/*
+ * Retrieve SSL options for an existing SSL-enabled LDAP session handle.
+ * If ld is NULL, the default options to be used for all future LDAP SSL
+ * sessions are retrieved. The option values are specific to the underlying
+ * SSL provider; see ssl.h within the Network Security Services (NSS)
+ * distribution for the options supported by NSS (the default SSL provider).
+ *
+ * Returns: 0 if all goes well.
+ */
+int
+LDAP_CALL
+ldapssl_get_option( LDAP *ld, int option, int *onp )
+{
+    int		rc = 0;	/* assume success */
+
+    if ( option < 0 || option > LDAPSSL_MAX_SSL_OPTION || onp == NULL ) {
+	ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
+	rc = -1; 
+    } else {
+	int		rv, set_rv = 0;
+
+	if ( NULL == ld ) {
+	     /* return default options for new LDAP sessions */
+	    if ( default_ssl_option_isset[option] ) {
+		rv = default_ssl_option_value[option];
+		set_rv = 1;
+	    }
+	} else {
+	    /* return session options */
+	    PRLDAPSessionInfo	sei;
+	    LDAPSSLSessionInfo	*sseip;
+
+	    memset( &sei, 0, sizeof( sei ));
+	    sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
+	    if ( prldap_get_session_info( ld, NULL, &sei )
+			== LDAP_SUCCESS ) {
+		sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
+		if ( sseip->lssei_ssl_option_isset[option] ) {
+		    rv = sseip->lssei_ssl_option_value[option];
+		    set_rv = 1;
+		}
+	    } else {
+		rc = -1;
+	    }
+	}
+
+	if ( !set_rv ) {
+	    PRBool	pron = PR_FALSE;
+	    if ( rc == 0 && SSL_OptionGetDefault( (PRInt32)option, &pron )
+			!= SECSuccess ) {
+		rc = -1;
+	    }
+	    rv = pron;
+	}
+
+	*onp = rv;	/* always return a value */
+    }
+
+    return( rc );
+}
+
+#ifdef LDAPSSL_DEBUG
+struct optitem {
+	PRInt32		om_option;
+	const char	*om_string;
+} optmap[] = {
+	{ SSL_SECURITY,			"SSL_SECURITY" },
+	{ SSL_SOCKS, 			"SSL_SOCKS" },
+	{ SSL_REQUEST_CERTIFICATE, 	"SSL_REQUEST_CERTIFICATE" },
+	{ SSL_HANDSHAKE_AS_CLIENT, 	"SSL_HANDSHAKE_AS_CLIENT" },
+	{ SSL_HANDSHAKE_AS_SERVER, 	"SSL_HANDSHAKE_AS_SERVER" },
+	{ SSL_ENABLE_SSL2, 		"SSL_ENABLE_SSL2" },
+	{ SSL_ENABLE_SSL3, 		"SSL_ENABLE_SSL3" },
+	{ SSL_NO_CACHE, 		"SSL_NO_CACHE" },
+	{ SSL_REQUIRE_CERTIFICATE, 	"SSL_REQUIRE_CERTIFICATE" },
+	{ SSL_ENABLE_FDX, 		"SSL_ENABLE_FDX" },
+	{ SSL_V2_COMPATIBLE_HELLO, 	"SSL_V2_COMPATIBLE_HELLO" },
+	{ SSL_ENABLE_TLS, 		"SSL_ENABLE_TLS" },
+	{ SSL_ROLLBACK_DETECTION, 	"SSL_ROLLBACK_DETECTION" },
+	{ -1, NULL },
+};
+	
+static const char *
+sslopt2string( PRInt32 option )
+{
+    int		i;
+    const	char *s = "unknown";
+
+    for ( i = 0; optmap[i].om_option != -1; ++i ) {
+	if ( optmap[i].om_option == option ) {
+	    s = optmap[i].om_string;
+	    break;
+	}
+    }
+	
+    return( s );
+}
+#endif /* LDAPSSL_DEBUG */
+
+static int
+set_ssl_options( PRFileDesc *sslfd, PRBool *optval, PRBool *optisset )
+{
+    SECStatus	secrc = SECSuccess;
+    PRInt32	option;
+
+    for ( option = 0;
+		( secrc == SECSuccess ) && ( option < LDAPSSL_MAX_SSL_OPTION );
+		++option ) {
+	if ( optisset[ option ] ) {
+#ifdef LDAPSSL_DEBUG
+	    fprintf( stderr,
+		    "set_ssl_options: setting option %d - %s to %d (%s)\n",
+		    option, sslopt2string(option), optval[ option ],
+		    optval[ option ] ? "ON" : "OFF" );
+#endif /* LDAPSSL_DEBUG */
+	
+	    secrc = SSL_OptionSet( sslfd, option, optval[ option ] );
+	}
+    }
+
+    if ( secrc == SECSuccess ) {
+	return( 0 );
+    }
+
+    PR_SetError( PR_GetError(), EINVAL );	/* set OS error only */
+    return( -1 );
+}
+
+
 static void
 ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp )
 {

directory/c-sdk/ldap/libraries/libssldap/prerrstrs.h

@@ -27,15 +27,12 @@
 
 /*
  ****************************************************************************
- * The code below this point was provided by Nelson Bolyard <nelsonb> of the
- *	Netscape Certificate Server team on 27-March-1998.
- *	Taken from the file ns/security/cmd/lib/NSPRerrs.h on NSS_1_BRANCH.
- *	Last updated from there: 24-July-1998 by Mark Smith <mcs>
- *
- * All of the Directory Server specific changes are enclosed inside
- *	#ifdef NS_DIRECTORY.
+ * On 21-June-2002, the code below this point was copied from the file
+ * mozilla/security/nss/cmd/lib/NSPRerrs.h (tag NSS_3_4_2_RTM).
+ * One addition was made: PR_OPERATION_ABORTED_ERROR.
  ****************************************************************************
  */
+
 /* General NSPR 2.0 errors */
 /* Caller must #include "prerror.h" */
 
@@ -123,6 +120,7 @@ ER2( PR_NO_MORE_FILES_ERROR, 	"No more entries in the directory." )
 ER2( PR_END_OF_FILE_ERROR, 	"Encountered end of file." )
 ER2( PR_FILE_SEEK_ERROR, 	"Seek error." )
 ER2( PR_FILE_IS_BUSY_ERROR, 	"The file is busy." )
+ER2( PR_OPERATION_ABORTED_ERROR,  "The I/O operation was aborted" )
 ER2( PR_IN_PROGRESS_ERROR,
 "Operation is still in progress (probably a non-blocking connect)." )
 ER2( PR_ALREADY_INITIATED_ERROR,
@@ -136,4 +134,21 @@ ER2( PR_GROUP_EMPTY_ERROR, 	"The wait group is empty." )
 ER2( PR_INVALID_STATE_ERROR, 	"Object state improper for request." )
 #endif
 
+#ifdef PR_NETWORK_DOWN_ERROR
+ER2( PR_NETWORK_DOWN_ERROR,	"Network is down." )
+#endif
+
+#ifdef PR_SOCKET_SHUTDOWN_ERROR
+ER2( PR_SOCKET_SHUTDOWN_ERROR,	"The socket was previously shut down." )
+#endif
+
+#ifdef PR_CONNECT_ABORTED_ERROR
+ER2( PR_CONNECT_ABORTED_ERROR,	"TCP Connection aborted." )
+#endif
+
+#ifdef PR_HOST_UNREACHABLE_ERROR
+ER2( PR_HOST_UNREACHABLE_ERROR,	"Host is unreachable." )
+#endif
+
+/* always last */
 ER2( PR_MAX_ERROR, 		"Placeholder for the end of the list" )

directory/c-sdk/ldap/libraries/libssldap/secerrstrs.h

@@ -27,20 +27,14 @@
 
 /*
  ****************************************************************************
- * The code below this point was provided by Nelson Bolyard <nelsonb> of the
- *	Netscape Certificate Server team on 27-March-1998.
- *	Taken from the file ns/security/cmd/lib/SECerrs.h on NSS_1_BRANCH.
- *	Last updated from there: 24-July-1998 by Mark Smith <mcs>
- *
- * All of the Directory Server specific changes are enclosed inside
- *	#ifdef NS_DIRECTORY.
+ * On 21-June-2002, the code below this point was copied from the file
+ * mozilla/security/nss/cmd/lib/SECerrs.h (tag NSS_3_4_2_RTM).
  ****************************************************************************
  */
 
 /* General security error codes  */
 /* Caller must #include "secerr.h" */
 
-
 ER3(SEC_ERROR_IO,				SEC_ERROR_BASE + 0,
 "An I/O error occurred during security authorization.")
 
@@ -66,7 +60,7 @@ ER3(SEC_ERROR_INVALID_AVA,			SEC_ERROR_BASE + 7,
 "security library: invalid AVA.")
 
 ER3(SEC_ERROR_INVALID_TIME,			SEC_ERROR_BASE + 8,
-"security library: invalid time.")
+"Improperly formatted time string.")
 
 ER3(SEC_ERROR_BAD_DER,				SEC_ERROR_BASE + 9,
 "security library: improperly formatted DER-encoded message.")
@@ -362,7 +356,8 @@ ER3(SEC_ERROR_BAD_NICKNAME,			(SEC_ERROR_BASE + 103),
 ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER,       	(SEC_ERROR_BASE + 104),
 "Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
 
-/* ER3(SEC_ERROR_UNKNOWN, 			(SEC_ERROR_BASE + 105), */
+ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, 	(SEC_ERROR_BASE + 105),
+"A sensitive key cannot be moved to the slot where it is needed.")
 
 ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, 		(SEC_ERROR_BASE + 106),
 "Invalid module name.")
@@ -382,11 +377,67 @@ ER3(SEC_ERROR_OLD_KRL,	     			(SEC_ERROR_BASE + 110),
 ER3(SEC_ERROR_CKL_CONFLICT,	     		(SEC_ERROR_BASE + 111),
 "New CKL has different issuer than current CKL.  Delete current CKL.")
 
-#if 0 /* This was defined AFTER HCL 1.5 was released. */
 ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, 		(SEC_ERROR_BASE + 112),
-"The Certifying Authority for this certifcate is not permitted to issue a \
-certifcate with this name.")
-#endif
+"The Certifying Authority for this certificate is not permitted to issue a \
+certificate with this name.")
 
+ER3(SEC_ERROR_KRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 113),
+"The key revocation list for this certificate is not yet valid.")
 
+ER3(SEC_ERROR_CRL_NOT_YET_VALID,		(SEC_ERROR_BASE + 114),
+"The certificate revocation list for this certificate is not yet valid.")
 
+ER3(SEC_ERROR_UNKNOWN_CERT,			(SEC_ERROR_BASE + 115),
+"The requested certificate could not be found.")
+
+ER3(SEC_ERROR_UNKNOWN_SIGNER,			(SEC_ERROR_BASE + 116),
+"The signer's certificate could not be found.")
+
+ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION,		(SEC_ERROR_BASE + 117),
+"The location for the certificate status server has invalid format.")
+
+ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE,	(SEC_ERROR_BASE + 118),
+"The OCSP response cannot be fully decoded; it is of an unknown type.")
+
+ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE,		(SEC_ERROR_BASE + 119),
+"The OCSP server returned unexpected/invalid HTTP data.")
+
+ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST,		(SEC_ERROR_BASE + 120),
+"The OCSP server found the request to be corrupted or improperly formed.")
+
+ER3(SEC_ERROR_OCSP_SERVER_ERROR,		(SEC_ERROR_BASE + 121),
+"The OCSP server experienced an internal error.")
+
+ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER,		(SEC_ERROR_BASE + 122),
+"The OCSP server suggests trying again later.")
+
+ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG,		(SEC_ERROR_BASE + 123),
+"The OCSP server requires a signature on this request.")
+
+ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST,	(SEC_ERROR_BASE + 124),
+"The OCSP server has refused this request as unauthorized.")
+
+ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS,	(SEC_ERROR_BASE + 125),
+"The OCSP server returned an unrecognizable status.")
+
+ER3(SEC_ERROR_OCSP_UNKNOWN_CERT,		(SEC_ERROR_BASE + 126),
+"The OCSP server has no status for the certificate.")
+
+ER3(SEC_ERROR_OCSP_NOT_ENABLED,			(SEC_ERROR_BASE + 127),
+"You must enable OCSP before performing this operation.")
+
+ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER,	(SEC_ERROR_BASE + 128),
+"You must set the OCSP default responder before performing this operation.")
+
+ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE,		(SEC_ERROR_BASE + 129),
+"The response from the OCSP server was corrupted or improperly formed.")
+
+ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE,	(SEC_ERROR_BASE + 130),
+"The signer of the OCSP response is not authorized to give status for \
+this certificate.")
+
+ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE,		(SEC_ERROR_BASE + 131),
+"The OCSP response is not yet valid (contains a date in the future).")
+
+ER3(SEC_ERROR_OCSP_OLD_RESPONSE,		(SEC_ERROR_BASE + 132),
+"The OCSP response contains out-of-date information.")

directory/c-sdk/ldap/libraries/libssldap/sslerrstrs.h

@@ -19,6 +19,7 @@
  *
  * Contributor(s):
  */
+
 /*
  * sslerrstrs.h - map SSL errors to strings (used by errormap.c)
  *
@@ -26,13 +27,8 @@
 
 /*
  ****************************************************************************
- * The code below this point was provided by Nelson Bolyard <nelsonb> of the
- *	Netscape Certificate Server team on 27-March-1998.
- *	Taken from the file ns/security/cmd/lib/SSLerrs.h on NSS_1_BRANCH.
- *	Last updated from there: 24-July-1998 by Mark Smith <mcs>
- *
- * All of the Directory Server specific changes are enclosed inside
- *	#ifdef NS_DIRECTORY.
+ * On 21-June-2002, the code below this point was copied from the file
+ * mozilla/security/nss/cmd/lib/SSLerrs.h (tag NSS_3_4_2_RTM).
  ****************************************************************************
  */
 
@@ -326,3 +322,46 @@ ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE      , (SSL_ERROR_BASE + 87),
 
 ER3(SSL_ERROR_CERT_KEA_MISMATCH             , (SSL_ERROR_BASE + 88),
 "The certificate provided cannot be used with the selected key exchange algorithm.")
+
+ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA	, (SSL_ERROR_BASE + 89),
+"No certificate authority is trusted for SSL client authentication.")
+
+ER3(SSL_ERROR_SESSION_NOT_FOUND		, (SSL_ERROR_BASE + 90),
+"Client's SSL session ID not found in server's session cache.")
+
+ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT     , (SSL_ERROR_BASE + 91),
+"Peer was unable to decrypt an SSL record it received.")
+
+ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT       , (SSL_ERROR_BASE + 92),
+"Peer received an SSL record that was longer than is permitted.")
+
+ER3(SSL_ERROR_UNKNOWN_CA_ALERT            , (SSL_ERROR_BASE + 93),
+"Peer does not recognize and trust the CA that issued your certificate.")
+
+ER3(SSL_ERROR_ACCESS_DENIED_ALERT         , (SSL_ERROR_BASE + 94),
+"Peer received a valid certificate, but access was denied.")
+
+ER3(SSL_ERROR_DECODE_ERROR_ALERT          , (SSL_ERROR_BASE + 95),
+"Peer could not decode an SSL handshake message.")
+
+ER3(SSL_ERROR_DECRYPT_ERROR_ALERT         , (SSL_ERROR_BASE + 96),
+"Peer reports failure of signature verification or key exchange.")
+
+ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT    , (SSL_ERROR_BASE + 97),
+"Peer reports negotiation not in compliance with export regulations.")
+
+ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT      , (SSL_ERROR_BASE + 98),
+"Peer reports incompatible or unsupported protocol version.")
+
+ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
+"Server requires ciphers more secure than those supported by client.")
+
+ER3(SSL_ERROR_INTERNAL_ERROR_ALERT        , (SSL_ERROR_BASE + 100),
+"Peer reports it experienced an internal error.")
+
+ER3(SSL_ERROR_USER_CANCELED_ALERT         , (SSL_ERROR_BASE + 101),
+"Peer user canceled handshake.")
+
+ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT      , (SSL_ERROR_BASE + 102),
+"Peer does not permit renegotiation of SSL security parameters.")
+

directory/c-sdk/ldap/libraries/macintosh/LDAPSSLClient.exp

@@ -11,6 +11,8 @@ ldapssl_pkcs_init
 ldapssl_err2string
 ldapssl_serverauth_init
 ldapssl_set_strength
+ldapssl_set_option
+ldapssl_get_option
 #  the last Windows ordinal number that has been reserved for SSL is 469.
 
 #  Windows ordinals 1100-1150 are reserved for privately/non-published

directory/c-sdk/ldap/libraries/msdos/winsock/ldapssl.def

@@ -13,6 +13,8 @@
 	ldapssl_err2string		@458
 	ldapssl_serverauth_init		@459
 	ldapssl_set_strength		@460
+	ldapssl_set_option		@461
+	ldapssl_get_option		@462
 ;  the last Windows ordinal number that has been reserved for SSL is 469.
 
 ;  Windows ordinals 1100-1150 are reserved for privately/non-published

directory/c-sdk/ldap/libraries/msdos/winsock/nsldapssl32.def

@@ -19,6 +19,8 @@ EXPORTS
 	ldapssl_err2string		@458
 	ldapssl_serverauth_init		@459
 	ldapssl_set_strength		@460
+	ldapssl_set_option		@461
+	ldapssl_get_option		@462
 ;  the last Windows ordinal number that has been reserved for SSL is 469.
 
 ;  Windows ordinals 1100-1150 are reserved for privately/non-published

directory/c-sdk/ldap/libraries/msdos/winsock/nssldap32.def

@@ -19,6 +19,8 @@ EXPORTS
 	ldapssl_err2string		@458
 	ldapssl_serverauth_init		@459
 	ldapssl_set_strength		@460
+	ldapssl_set_option		@461
+	ldapssl_get_option		@462
 ;  the last Windows ordinal number that has been reserved for SSL is 469.
 
 ;  Windows ordinals 1100-1150 are reserved for privately/non-published