]> git.sur5r.net Git - openldap/blobdiff - libraries/libldap/tls.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Don't pass NULL hostname to ldap_pvt_tls_check_hostname, use "localhost"
[openldap] / libraries / libldap / tls.c
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 6053ef85cbf062b322c6e15694bc3c9067a1628b..97db901a5e94bd0844e36eb5648674bdc73cb087 100644 (file)
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -250,8 +250,7 @@ alloc_handle( void *ctx_arg )
        if ( ctx_arg ) {
                ctx = (SSL_CTX *) ctx_arg;
        } else {
-               if ( ldap_pvt_tls_init_def_ctx() < 0 )
-                       return NULL;
+               if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL;
                ctx = tls_def_ctx;
        }
 
@@ -260,10 +259,6 @@ alloc_handle( void *ctx_arg )
                Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0);
                return NULL;
        }
-
-       if ( tls_opt_trace ) {
-               SSL_set_info_callback( ssl, tls_info_cb );
-       }
        return ssl;
 }
 
@@ -557,23 +552,30 @@ static int
 ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 {
        Sockbuf *sb = conn->lconn_sb;
-       void *ctx = ld->ld_defconn->lconn_tls_ctx;
-
        int     err;
        SSL     *ssl;
 
        if ( HAS_TLS( sb ) ) {
                ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
+
        } else {
+               void *ctx = ld->ld_defconn
+                       ? ld->ld_defconn->lconn_tls_ctx : NULL;
+
                ssl = alloc_handle( ctx );
-               if ( ssl == NULL )
-                       return -1;
+
+               if ( ssl == NULL ) return -1;
+
 #ifdef LDAP_DEBUG
                ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
                        LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
 #endif
                ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls,
                        LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
+
+               if( ctx == NULL ) {
+                       conn->lconn_tls_ctx = tls_def_ctx;
+               }
        }
 
        err = SSL_connect( ssl );
@@ -582,8 +584,9 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
        errno = WSAGetLastError();
 #endif
        if ( err <= 0 ) {
-               if ( update_flags( sb, ssl, err ))
+               if ( update_flags( sb, ssl, err )) {
                        return 1;
+               }
                if ((err = ERR_peek_error())) {
                        char buf[256];
                        ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf));
@@ -597,6 +600,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 #endif
                return -1;
        }
+
        return 0;
 }
 
@@ -741,6 +745,94 @@ ldap_pvt_tls_get_peer_hostname( void *s )
        return p;
 }
 
+int
+ldap_pvt_tls_check_hostname( void *s, char *name )
+{
+    int i, ret = LDAP_LOCAL_ERROR;
+    X509 *x;
+
+    x = SSL_get_peer_certificate((SSL *)s);
+    if (!x)
+    {
+       Debug( LDAP_DEBUG_ANY,
+               "TLS: unable to get peer certificate.\n",
+               0, 0, 0 );
+       return ret;
+    }
+
+    i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+    if (i >= 0)
+    {
+       X509_EXTENSION *ex;
+       STACK_OF(GENERAL_NAME) *alt;
+
+       ex = X509_get_ext(x, i);
+       alt = X509V3_EXT_d2i(ex);
+       if (alt)
+       {
+           int n, len1, len2;
+           char *domain;
+           GENERAL_NAME *gn;
+           X509V3_EXT_METHOD *method;
+
+           len1 = strlen(name);
+           n = sk_GENERAL_NAME_num(alt);
+           domain = strchr(name, '.');
+           if (domain)
+               len2 = len1 - (domain-name);
+           for (i=0; i<n; i++)
+           {
+               gn = sk_GENERAL_NAME_value(alt, i);
+               if (gn->type == GEN_DNS)
+               {
+                   char *sn = ASN1_STRING_data(gn->d.ia5);
+                   int sl = ASN1_STRING_length(gn->d.ia5);
+
+                   /* Is this an exact match? */
+                   if ((len1 == sl) && !strncasecmp(name, sn, len1))
+                       break;
+
+                   /* Is this a wildcard match? */
+                   if ((*sn == '*') && domain && (len2 == sl-1) &&
+                       !strncasecmp(domain, sn+1, len2))
+                       break;
+               }
+           }
+           method = X509V3_EXT_get(ex);
+           method->ext_free(alt);
+           if (i < n)  /* Found a match */
+               ret = LDAP_SUCCESS;
+       }
+    }
+
+    if (ret != LDAP_SUCCESS)
+    {
+       X509_NAME *xn;
+       char buf[2048];
+
+       xn = X509_get_subject_name(x);
+
+       if (X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf))
+           == -1)
+       {
+           Debug( LDAP_DEBUG_ANY,
+                   "TLS: unable to get common name from peer certificate.\n",
+                   0, 0, 0 );
+       } else if (strcasecmp(name, buf))
+       {
+           Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+                   "common name in certificate (%s).\n", 
+                   name, buf, 0 );
+           ret =  LDAP_CONNECT_ERROR;
+       } else
+       {
+           ret = LDAP_SUCCESS;
+       }
+    }
+    X509_free(x);
+    return ret;
+}
+
 const char *
 ldap_pvt_tls_get_peer_issuer( void *s )
 {
@@ -774,13 +866,13 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
        case LDAP_OPT_X_TLS_CERTFILE:
        case LDAP_OPT_X_TLS_KEYFILE:
        case LDAP_OPT_X_TLS_RANDOM_FILE:
-               return ldap_pvt_tls_set_option( NULL, option, (void *) arg );
+               return ldap_pvt_tls_set_option( ld, option, (void *) arg );
 
        case LDAP_OPT_X_TLS_REQUIRE_CERT:
                i = ( ( strcasecmp( arg, "on" ) == 0 ) ||
                      ( strcasecmp( arg, "yes" ) == 0) ||
                      ( strcasecmp( arg, "true" ) == 0 ) );
-               return ldap_pvt_tls_set_option( NULL, option, (void *) &i );
+               return ldap_pvt_tls_set_option( ld, option, (void *) &i );
 
        case LDAP_OPT_X_TLS:
                i = -1;
@@ -809,13 +901,7 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 {
        struct ldapoptions *lo;
 
-       /* Get pointer to global option structure */
-       lo = LDAP_INT_GLOBAL_OPT();   
-       if (NULL == lo) {
-               return LDAP_NO_MEMORY;
-       }
-
-       if(ld != NULL) {
+       if( ld != NULL ) {
                assert( LDAP_VALID( ld ) );
 
                if( !LDAP_VALID( ld ) ) {
@@ -823,6 +909,13 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
                }
 
                lo = &ld->ld_options;
+
+       } else {
+               /* Get pointer to global option structure */
+               lo = LDAP_INT_GLOBAL_OPT();   
+               if ( lo == NULL ) {
+                       return LDAP_NO_MEMORY;
+               }
        }
 
        switch( option ) {
@@ -868,13 +961,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 {
        struct ldapoptions *lo;
 
-       /* Get pointer to global option structure */
-       lo = LDAP_INT_GLOBAL_OPT();   
-       if (NULL == lo) {
-               return LDAP_NO_MEMORY;
-       }
-
-       if(ld != NULL) {
+       if( ld != NULL ) {
                assert( LDAP_VALID( ld ) );
 
                if( !LDAP_VALID( ld ) ) {
@@ -882,6 +969,13 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
                }
 
                lo = &ld->ld_options;
+
+       } else {
+               /* Get pointer to global option structure */
+               lo = LDAP_INT_GLOBAL_OPT();   
+               if ( lo == NULL ) {
+                       return LDAP_NO_MEMORY;
+               }
        }
 
        switch( option ) {
@@ -910,7 +1004,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
                return 0;
        }
 
-       if ( lo != NULL ) {
+       if ( ld != NULL ) {
                return -1;
        }
 
@@ -949,50 +1043,42 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 }
 
 int
-ldap_int_tls_start ( LDAP *ld, LDAPConn *conn )
+ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 {
        Sockbuf *sb = conn->lconn_sb;
-       char *host = conn->lconn_server->lud_host;
-       void *ctx = ld->ld_defconn->lconn_tls_ctx;
-
-       char *peer_cert_cn;
+       char *host;
        void *ssl;
 
+       if( srv ) {
+               host = srv->lud_host;
+       } else {
+               host = conn->lconn_server->lud_host;
+       }
+
        (void) ldap_pvt_tls_init();
 
        /*
         * Fortunately, the lib uses blocking io...
         */
        if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
-               return LDAP_CONNECT_ERROR;
+               ld->ld_errno = LDAP_CONNECT_ERROR;
+               return (ld->ld_errno);
        }
 
        ssl = (void *) ldap_pvt_tls_sb_ctx( sb );
        assert( ssl != NULL );
 
        /* 
-        * compare host with name in certificate 
+        * compare host with name(s) in certificate. avoid NULL host
         */
 
-       peer_cert_cn = ldap_pvt_tls_get_peer_hostname( ssl );
-       if ( !peer_cert_cn ) {
-               /* could not get hostname from peer certificate */
-               Debug( LDAP_DEBUG_ANY,
-                       "TLS: unable to get common name from peer certificate.\n",
-                       0, 0, 0 );
-               return LDAP_LOCAL_ERROR;
+       if( host == NULL )
+               host = "localhost";
+       ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host );
+       if (ld->ld_errno != LDAP_SUCCESS) {
+               return ld->ld_errno;
        }
 
-       if ( strcasecmp( host, peer_cert_cn ) != 0 ) {
-               Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
-                       "common name in certificate (%s).\n", 
-                       host, peer_cert_cn, 0 );
-               LDAP_FREE( peer_cert_cn );
-               return LDAP_CONNECT_ERROR;
-       }
-
-       LDAP_FREE( peer_cert_cn );
-
        /*
         * set SASL properties to TLS ssf and authid
         */
@@ -1004,7 +1090,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn )
                ssf = ldap_pvt_tls_get_strength( ssl );
                authid = ldap_pvt_tls_get_peer( ssl );
 
-               (void) ldap_int_sasl_external( ld, authid, ssf );
+               (void) ldap_int_sasl_external( ld, conn, authid, ssf );
        }
 
        return LDAP_SUCCESS;
@@ -1207,7 +1293,7 @@ ldap_start_tls_s ( LDAP *ld,
                ber_bvfree( rspdata );
        }
 
-       rc = ldap_int_tls_start( ld, ld->ld_defconn );
+       rc = ldap_int_tls_start( ld, ld->ld_defconn, NULL );
 #else
        rc = LDAP_NOT_SUPPORTED;
 #endif
Cloned from git://git.openldap.org/openldap.git