From 8d37018050373a47566bf8ea0d894da20ed292c7 Mon Sep 17 00:00:00 2001 From: Justus Winter Date: Fri, 30 Sep 2016 10:57:32 +0200 Subject: [PATCH] w32: Fix STARTTLS on LDAP connections. * dirmngr/ks-engine-ldap.c (my_ldap_connect): Fix build against . GnuPG-bug-id: 1338 Debian-bug-id: 623526 Fixes-commit: 9e6f8a55 Signed-off-by: Justus Winter --- dirmngr/ks-engine-ldap.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index 9b9efc7e6..baed6cdb8 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -519,6 +519,7 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, /* XXX: We need an option to determine whether to abort if the certificate is bad or not. Right now we conservatively default to checking the certificate and aborting. */ +#ifndef HAVE_W32_SYSTEM int check_cert = LDAP_OPT_X_TLS_HARD; /* LDAP_OPT_X_TLS_NEVER */ err = ldap_set_option (ldap_conn, @@ -528,8 +529,21 @@ my_ldap_connect (parsed_uri_t uri, LDAP **ldap_connp, log_error ("Failed to set TLS option on LDAP connection.\n"); goto out; } +#else + /* On Windows, the certificates are checked by default. If the + option to disable checking mentioned above is ever + implemented, the way to do that on Windows is to install a + callback routine using ldap_set_option (.., + LDAP_OPT_SERVER_CERTIFICATE, ..); */ +#endif - err = ldap_start_tls_s (ldap_conn, NULL, NULL); + err = ldap_start_tls_s (ldap_conn, +#ifdef HAVE_W32_SYSTEM + /* ServerReturnValue, result */ + NULL, NULL, +#endif + /* ServerControls, ClientControls */ + NULL, NULL); if (err) { log_error ("Failed to connect to LDAP server with TLS.\n");