X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls.c;h=4cfd6a93dd77d0516f3ae162a924599e9ed3de4e;hb=a2eec74fc1d535fa9092f4d7b82a669b39eef539;hp=ff72666090ee294e78c0b76b54dcde2388197994;hpb=2e0912622bca412c0a1b1a3fdba30f65bf222ade;p=openldap diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index ff72666090..4cfd6a93dd 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -8,8 +8,6 @@ #include "portable.h" -#ifdef HAVE_TLS - #include #include @@ -18,9 +16,12 @@ #include #include #include +#include #include "ldap-int.h" +#ifdef HAVE_TLS + #ifdef LDAP_R_COMPILE #include #endif @@ -29,6 +30,7 @@ #include #include #include +#include #elif defined( HAVE_SSL_H ) #include #endif @@ -40,6 +42,7 @@ static char *tls_opt_cacertfile = NULL; static char *tls_opt_cacertdir = NULL; static int tls_opt_require_cert = 0; static char *tls_opt_ciphersuite = NULL; +static char *tls_opt_randfile = NULL; #define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \ (void *)&ldap_pvt_sockbuf_io_tls ) @@ -57,6 +60,8 @@ static DH * tls_tmp_dh_cb( SSL *ssl, int is_export, int key_length ); static SSL_CTX *tls_def_ctx = NULL; +static int tls_seed_PRNG( const char *randfile ); + #ifdef LDAP_R_COMPILE /* * provide mutexes for the SSLeay library. @@ -66,9 +71,9 @@ static ldap_pvt_thread_mutex_t tls_mutexes[CRYPTO_NUM_LOCKS]; static void tls_locking_cb( int mode, int type, const char *file, int line ) { if ( mode & CRYPTO_LOCK ) { - ldap_pvt_thread_mutex_lock( tls_mutexes+type ); + ldap_pvt_thread_mutex_lock( &tls_mutexes[type] ); } else { - ldap_pvt_thread_mutex_unlock( tls_mutexes+type ); + ldap_pvt_thread_mutex_unlock( &tls_mutexes[type] ); } } @@ -83,7 +88,7 @@ static void tls_init_threads( void ) int i; for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) { - ldap_pvt_thread_mutex_init( tls_mutexes+i ); + ldap_pvt_thread_mutex_init( &tls_mutexes[i] ); } CRYPTO_set_locking_callback( tls_locking_cb ); /* FIXME: the thread id should be added somehow... */ @@ -93,21 +98,25 @@ static void tls_init_threads( void ) #endif /* LDAP_R_COMPILE */ /* - * Initialize tls system. Should be called only once. + * Initialize TLS subsystem. Should be called only once. */ int ldap_pvt_tls_init( void ) { static int tls_initialized = 0; - if ( tls_initialized ) - return 0; + if ( tls_initialized ) return 0; tls_initialized = 1; + + (void) tls_seed_PRNG( tls_opt_randfile ); + #ifdef LDAP_R_COMPILE tls_init_threads(); #endif + SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); + /* FIXME: mod_ssl does this */ X509V3_add_standard_extensions(); return 0; @@ -128,12 +137,14 @@ ldap_pvt_tls_init_def_ctx( void ) tls_def_ctx = SSL_CTX_new( SSLv23_method() ); if ( tls_def_ctx == NULL ) { Debug( LDAP_DEBUG_ANY, - "TLS: could not allocate default ctx.\n",0,0,0); + "TLS: could not allocate default ctx (%d).\n", + ERR_peek_error(),0,0); goto error_exit; } if ( tls_opt_ciphersuite && !SSL_CTX_set_cipher_list( tls_def_ctx, - tls_opt_ciphersuite ) ) { + tls_opt_ciphersuite ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: could not set cipher list %s.\n", tls_opt_ciphersuite, 0, 0 ); @@ -146,17 +157,21 @@ ldap_pvt_tls_init_def_ctx( void ) tls_opt_cacertdir ) || !SSL_CTX_set_default_verify_paths( tls_def_ctx ) ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not load verify locations (file:`%s',dir:`%s').\n", - tls_opt_cacertfile,tls_opt_cacertdir,0); + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not load verify locations (file:`%s',dir:`%s').\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", + 0 ); tls_report_error(); goto error_exit; } calist = get_ca_list( tls_opt_cacertfile, tls_opt_cacertdir ); if ( !calist ) { - Debug( LDAP_DEBUG_ANY, - "TLS: could not load client CA list (file:`%s',dir:`%s').\n", - tls_opt_cacertfile,tls_opt_cacertdir,0); + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not load client CA list (file:`%s',dir:`%s').\n", + tls_opt_cacertfile ? tls_opt_cacertfile : "", + tls_opt_cacertdir ? tls_opt_cacertdir : "", + 0 ); tls_report_error(); goto error_exit; } @@ -165,7 +180,8 @@ ldap_pvt_tls_init_def_ctx( void ) if ( tls_opt_keyfile && !SSL_CTX_use_PrivateKey_file( tls_def_ctx, tls_opt_keyfile, - SSL_FILETYPE_PEM ) ) { + SSL_FILETYPE_PEM ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: could not use key file `%s'.\n", tls_opt_keyfile,0,0); @@ -175,7 +191,8 @@ ldap_pvt_tls_init_def_ctx( void ) if ( tls_opt_certfile && !SSL_CTX_use_certificate_file( tls_def_ctx, tls_opt_certfile, - SSL_FILETYPE_PEM ) ) { + SSL_FILETYPE_PEM ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: could not use certificate `%s'.\n", tls_opt_certfile,0,0); @@ -183,7 +200,8 @@ ldap_pvt_tls_init_def_ctx( void ) goto error_exit; } if ( ( tls_opt_certfile || tls_opt_keyfile ) && - !SSL_CTX_check_private_key( tls_def_ctx ) ) { + !SSL_CTX_check_private_key( tls_def_ctx ) ) + { Debug( LDAP_DEBUG_ANY, "TLS: private key mismatch.\n", 0,0,0); @@ -193,9 +211,11 @@ ldap_pvt_tls_init_def_ctx( void ) if ( tls_opt_trace ) { SSL_CTX_set_info_callback( tls_def_ctx, tls_info_cb ); } - SSL_CTX_set_verify( tls_def_ctx, (tls_opt_require_cert) ? + SSL_CTX_set_verify( tls_def_ctx, + tls_opt_require_cert ? (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) : - SSL_VERIFY_PEER, tls_verify_cb ); + SSL_VERIFY_NONE, + tls_verify_cb ); SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb ); /* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */ } @@ -238,8 +258,7 @@ alloc_handle( void *ctx_arg ) if ( ctx_arg ) { ctx = (SSL_CTX *) ctx_arg; } else { - if ( ldap_pvt_tls_init_def_ctx() < 0 ) - return NULL; + if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL; ctx = tls_def_ctx; } @@ -248,10 +267,6 @@ alloc_handle( void *ctx_arg ) Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0); return NULL; } - - if ( tls_opt_trace ) { - SSL_set_info_callback( ssl, tls_info_cb ); - } return ssl; } @@ -350,6 +365,11 @@ sb_tls_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg ) if ( opt == LBER_SB_OPT_GET_SSL ) { *((SSL **)arg) = p->ssl; return 1; + + } else if ( opt == LBER_SB_OPT_DATA_READY ) { + if( SSL_pending( p->ssl ) > 0 ) { + return 1; + } } return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg ); @@ -466,7 +486,7 @@ sb_tls_bio_read( BIO *b, char *buf, int len ) } static int -sb_tls_bio_write( BIO *b, char *buf, int len ) +sb_tls_bio_write( BIO *b, const char *buf, int len ) { struct tls_data *p; int ret; @@ -479,7 +499,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len ) if ( p == NULL || p->sbiod == NULL ) return 0; - ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, buf, len ); + ret = LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len ); BIO_clear_retry_flags( b ); if ( ret < 0 && errno == EWOULDBLOCK ) @@ -489,7 +509,7 @@ sb_tls_bio_write( BIO *b, char *buf, int len ) } static long -sb_tls_bio_ctrl( BIO *b, int cmd, long num, char *ptr ) +sb_tls_bio_ctrl( BIO *b, int cmd, long num, void *ptr ) { if ( cmd == BIO_CTRL_FLUSH ) { /* The OpenSSL library needs this */ @@ -505,7 +525,7 @@ sb_tls_bio_gets( BIO *b, char *buf, int len ) } static int -sb_tls_bio_puts( BIO *b, char *str ) +sb_tls_bio_puts( BIO *b, const char *str ) { return sb_tls_bio_write( b, str, strlen( str ) ); } @@ -536,24 +556,34 @@ BIO_METHOD ldap_pvt_sb_bio_method = * and call again. */ -int -ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) +static int +ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) { + Sockbuf *sb = conn->lconn_sb; int err; SSL *ssl; if ( HAS_TLS( sb ) ) { ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); + } else { - ssl = alloc_handle( ctx_arg ); - if ( ssl == NULL ) - return -1; + void *ctx = ld->ld_defconn + ? ld->ld_defconn->lconn_tls_ctx : NULL; + + ssl = alloc_handle( ctx ); + + if ( ssl == NULL ) return -1; + #ifdef LDAP_DEBUG ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug, LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" ); #endif ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls, LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl ); + + if( ctx == NULL ) { + conn->lconn_tls_ctx = tls_def_ctx; + } } err = SSL_connect( ssl ); @@ -562,11 +592,12 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) errno = WSAGetLastError(); #endif if ( err <= 0 ) { - if ( update_flags( sb, ssl, err )) + if ( update_flags( sb, ssl, err )) { return 1; + } if ((err = ERR_peek_error())) { char buf[256]; - ld->ld_error = ldap_strdup(ERR_error_string(err, buf)); + ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf)); } Debug( LDAP_DEBUG_ANY,"TLS: can't connect.\n",0,0,0); ber_sockbuf_remove_io( sb, &ldap_pvt_sockbuf_io_tls, @@ -577,6 +608,7 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) #endif return -1; } + return 0; } @@ -622,6 +654,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg ) #endif return -1; } + return 0; } @@ -634,7 +667,7 @@ ldap_pvt_tls_inplace ( Sockbuf *sb ) } void * -ldap_pvt_tls_sb_handle( Sockbuf *sb ) +ldap_pvt_tls_sb_ctx( Sockbuf *sb ) { void *p; @@ -642,29 +675,196 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&p ); return p; } - return NULL; + + return NULL; } -void * -ldap_pvt_tls_get_handle( LDAP *ld ) +int +ldap_pvt_tls_get_strength( void *s ) { - return ldap_pvt_tls_sb_handle( ld->ld_sb ); + SSL_CIPHER *c; + + c = SSL_get_current_cipher((SSL *)s); + return SSL_CIPHER_get_bits(c, NULL); } -const char * -ldap_pvt_tls_get_peer( LDAP *ld ) + +char * +ldap_pvt_tls_get_peer( void *s ) { - return NULL; + X509 *x; + X509_NAME *xn; + char buf[2048], *p; + + x = SSL_get_peer_certificate((SSL *)s); + + if (!x) + return NULL; + + xn = X509_get_subject_name(x); + p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf))); + X509_free(x); + return p; +} + +char * +ldap_pvt_tls_get_peer_dn( void *s ) +{ + X509 *x; + X509_NAME *xn; + char buf[2048], *p, *dn; + + x = SSL_get_peer_certificate((SSL *)s); + + if (!x) return NULL; + + xn = X509_get_subject_name(x); + p = X509_NAME_oneline(xn, buf, sizeof(buf)); + + dn = ldap_dcedn2dn( p ); + + X509_free(x); + return dn; +} + +char * +ldap_pvt_tls_get_peer_hostname( void *s ) +{ + X509 *x; + X509_NAME *xn; + char buf[2048], *p; + int ret; + + x = SSL_get_peer_certificate((SSL *)s); + + if (!x) + return NULL; + + xn = X509_get_subject_name(x); + + ret = X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf)); + if( ret == -1 ) { + X509_free(x); + return NULL; + } + + p = LDAP_STRDUP(buf); + X509_free(x); + return p; +} + +int +ldap_pvt_tls_check_hostname( void *s, char *name ) +{ + int i, ret = LDAP_LOCAL_ERROR; + X509 *x; + + x = SSL_get_peer_certificate((SSL *)s); + if (!x) + { + Debug( LDAP_DEBUG_ANY, + "TLS: unable to get peer certificate.\n", + 0, 0, 0 ); + return ret; + } + + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) + { + X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + + ex = X509_get_ext(x, i); + alt = X509V3_EXT_d2i(ex); + if (alt) + { + int n, len1, len2; + char *domain; + GENERAL_NAME *gn; + X509V3_EXT_METHOD *method; + + len1 = strlen(name); + n = sk_GENERAL_NAME_num(alt); + domain = strchr(name, '.'); + if (domain) + len2 = len1 - (domain-name); + for (i=0; itype == GEN_DNS) + { + char *sn = ASN1_STRING_data(gn->d.ia5); + int sl = ASN1_STRING_length(gn->d.ia5); + + /* Is this an exact match? */ + if ((len1 == sl) && !strncasecmp(name, sn, len1)) + break; + + /* Is this a wildcard match? */ + if ((*sn == '*') && domain && (len2 == sl-1) && + !strncasecmp(domain, sn+1, len2)) + break; + } + } + method = X509V3_EXT_get(ex); + method->ext_free(alt); + if (i < n) /* Found a match */ + ret = LDAP_SUCCESS; + } + } + + if (ret != LDAP_SUCCESS) + { + X509_NAME *xn; + char buf[2048]; + + xn = X509_get_subject_name(x); + + if (X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf)) + == -1) + { + Debug( LDAP_DEBUG_ANY, + "TLS: unable to get common name from peer certificate.\n", + 0, 0, 0 ); + } else if (strcasecmp(name, buf)) + { + Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " + "common name in certificate (%s).\n", + name, buf, 0 ); + ret = LDAP_CONNECT_ERROR; + } else + { + ret = LDAP_SUCCESS; + } + } + X509_free(x); + return ret; } const char * -ldap_pvt_tls_get_peer_issuer( LDAP *ld ) +ldap_pvt_tls_get_peer_issuer( void *s ) { +#if 0 /* currently unused; see ldap_pvt_tls_get_peer() if needed */ + X509 *x; + X509_NAME *xn; + char buf[2048], *p; + + x = SSL_get_peer_certificate((SSL *)s); + + if (!x) + return NULL; + + xn = X509_get_issuer_name(x); + p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf))); + X509_free(x); + return p; +#else return NULL; +#endif } int -ldap_pvt_tls_config( struct ldapoptions *lo, int option, const char *arg ) +ldap_int_tls_config( LDAP *ld, int option, const char *arg ) { int i; @@ -673,12 +873,15 @@ ldap_pvt_tls_config( struct ldapoptions *lo, int option, const char *arg ) case LDAP_OPT_X_TLS_CACERTDIR: case LDAP_OPT_X_TLS_CERTFILE: case LDAP_OPT_X_TLS_KEYFILE: - return ldap_pvt_tls_set_option( NULL, option, (void *) arg ); + case LDAP_OPT_X_TLS_RANDOM_FILE: + return ldap_pvt_tls_set_option( ld, option, (void *) arg ); + case LDAP_OPT_X_TLS_REQUIRE_CERT: i = ( ( strcasecmp( arg, "on" ) == 0 ) || ( strcasecmp( arg, "yes" ) == 0) || ( strcasecmp( arg, "true" ) == 0 ) ); - return ldap_pvt_tls_set_option( NULL, option, (void *) &i ); + return ldap_pvt_tls_set_option( ld, option, (void *) &i ); + case LDAP_OPT_X_TLS: i = -1; if ( strcasecmp( arg, "never" ) == 0 ) @@ -691,26 +894,47 @@ ldap_pvt_tls_config( struct ldapoptions *lo, int option, const char *arg ) i = LDAP_OPT_X_TLS_TRY ; if ( strcasecmp( arg, "hard" ) == 0 ) i = LDAP_OPT_X_TLS_HARD ; - if (i >= 0) - return ldap_pvt_tls_set_option( lo, option, &i ); - return -1; - default: + + if (i >= 0) { + return ldap_pvt_tls_set_option( ld, option, &i ); + } return -1; } + + return -1; } int -ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) +ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) { + struct ldapoptions *lo; + + if( ld != NULL ) { + assert( LDAP_VALID( ld ) ); + + if( !LDAP_VALID( ld ) ) { + return LDAP_OPT_ERROR; + } + + lo = &ld->ld_options; + + } else { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if ( lo == NULL ) { + return LDAP_NO_MEMORY; + } + } + switch( option ) { case LDAP_OPT_X_TLS: *(int *)arg = lo->ldo_tls_mode; break; - case LDAP_OPT_X_TLS_CERT: - if ( lo == NULL ) + case LDAP_OPT_X_TLS_CTX: + if ( ld == NULL ) *(void **)arg = (void *) tls_def_ctx; else - *(void **)arg = lo->ldo_tls_ctx; + *(void **)arg = ld->ld_defconn->lconn_tls_ctx; break; case LDAP_OPT_X_TLS_CACERTFILE: *(char **)arg = tls_opt_cacertfile ? @@ -731,6 +955,9 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) case LDAP_OPT_X_TLS_REQUIRE_CERT: *(int *)arg = tls_opt_require_cert; break; + case LDAP_OPT_X_TLS_RANDOM_FILE: + *(char **)arg = tls_opt_randfile; + break; default: return -1; } @@ -738,8 +965,27 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) } int -ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) +ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) { + struct ldapoptions *lo; + + if( ld != NULL ) { + assert( LDAP_VALID( ld ) ); + + if( !LDAP_VALID( ld ) ) { + return LDAP_OPT_ERROR; + } + + lo = &ld->ld_options; + + } else { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if ( lo == NULL ) { + return LDAP_NO_MEMORY; + } + } + switch( option ) { case LDAP_OPT_X_TLS: switch( *(int *) arg ) { @@ -756,44 +1002,48 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) } return -1; - case LDAP_OPT_X_TLS_CERT: - if ( lo == NULL ) { + case LDAP_OPT_X_TLS_CTX: + if ( ld == NULL ) { tls_def_ctx = (SSL_CTX *) arg; } else { - lo->ldo_tls_ctx = arg; + ld->ld_defconn->lconn_tls_ctx = arg; } return 0; } - if ( lo != NULL ) { + if ( ld != NULL ) { return -1; } switch( option ) { case LDAP_OPT_X_TLS_CACERTFILE: - if ( tls_opt_cacertfile ) free( tls_opt_cacertfile ); + if ( tls_opt_cacertfile ) LDAP_FREE( tls_opt_cacertfile ); tls_opt_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; case LDAP_OPT_X_TLS_CACERTDIR: - if ( tls_opt_cacertdir ) free( tls_opt_cacertdir ); + if ( tls_opt_cacertdir ) LDAP_FREE( tls_opt_cacertdir ); tls_opt_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; case LDAP_OPT_X_TLS_CERTFILE: - if ( tls_opt_certfile ) free( tls_opt_certfile ); + if ( tls_opt_certfile ) LDAP_FREE( tls_opt_certfile ); tls_opt_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; case LDAP_OPT_X_TLS_KEYFILE: - if ( tls_opt_keyfile ) free( tls_opt_keyfile ); + if ( tls_opt_keyfile ) LDAP_FREE( tls_opt_keyfile ); tls_opt_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; case LDAP_OPT_X_TLS_REQUIRE_CERT: tls_opt_require_cert = * (int *) arg; break; case LDAP_OPT_X_TLS_CIPHER_SUITE: - if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite ); + if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite ); tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL; break; + case LDAP_OPT_X_TLS_RANDOM_FILE: + if (tls_opt_randfile ) LDAP_FREE (tls_opt_randfile ); + tls_opt_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; + break; default: return -1; } @@ -801,18 +1051,55 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) } int -ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) +ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { + Sockbuf *sb = conn->lconn_sb; + char *host; + void *ssl; + + if( srv ) { + host = srv->lud_host; + } else { + host = conn->lconn_server->lud_host; + } + + /* avoid NULL host */ + if( host == NULL ) host = "localhost"; + + (void) ldap_pvt_tls_init(); + /* * Fortunately, the lib uses blocking io... */ - if ( ldap_pvt_tls_connect( ld, sb, ctx_arg ) < 0 ) { - return LDAP_CONNECT_ERROR; + if ( ldap_int_tls_connect( ld, conn ) < 0 ) { + ld->ld_errno = LDAP_CONNECT_ERROR; + return (ld->ld_errno); + } + + ssl = (void *) ldap_pvt_tls_sb_ctx( sb ); + assert( ssl != NULL ); + + /* + * compare host with name(s) in certificate + */ + ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host ); + if (ld->ld_errno != LDAP_SUCCESS) { + return ld->ld_errno; } - /* FIXME: hostname of server must be compared with name in - * certificate.... + /* + * set SASL properties to TLS ssf and authid */ + { + const char *authid; + ber_len_t ssf; + + /* we need to let SASL know */ + ssf = ldap_pvt_tls_get_strength( ssl ); + authid = ldap_pvt_tls_get_peer( ssl ); + + (void) ldap_int_sasl_external( ld, conn, authid, ssf ); + } return LDAP_SUCCESS; } @@ -919,13 +1206,61 @@ tls_tmp_rsa_cb( SSL *ssl, int is_export, int key_length ) tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL ); if ( !tmp_rsa ) { - Debug( LDAP_DEBUG_ANY, "TLS: Failed to generate temporary %d-bit %s RSA key\n", - key_length, is_export ? "export" : "domestic", 0 ); + Debug( LDAP_DEBUG_ANY, + "TLS: Failed to generate temporary %d-bit %s RSA key\n", + key_length, is_export ? "export" : "domestic", 0 ); return NULL; } return tmp_rsa; } +static int +tls_seed_PRNG( const char *randfile ) +{ +#ifndef URANDOM_DEVICE + /* no /dev/urandom (or equiv) */ + long total=0; + char buffer[MAXPATHLEN]; + + if (randfile == NULL) { + /* The seed file is $RANDFILE if defined, otherwise $HOME/.rnd. + * If $HOME is not set or buffer too small to hold the pathname, + * an error occurs. - From RAND_file_name() man page. + * The fact is that when $HOME is NULL, .rnd is used. + */ + randfile = RAND_file_name( buffer, sizeof( buffer ) ); + + } else if (RAND_egd(randfile) > 0) { + /* EGD socket */ + return 0; + } + + if (randfile == NULL) { + Debug( LDAP_DEBUG_ANY, + "TLS: Use configuration file or $RANDFILE to define seed PRNG\n", + 0, 0, 0); + return -1; + } + + total = RAND_load_file(randfile, -1); + + if (RAND_status() == 0) { + Debug( LDAP_DEBUG_ANY, + "TLS: PRNG not been seeded with enough data\n", + 0, 0, 0); + return -1; + } + + /* assume if there was enough bits to seed that it's okay + * to write derived bits to the file + */ + RAND_write_file(randfile); + +#endif + + return 0; +} + #if 0 static DH * tls_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) @@ -933,7 +1268,43 @@ tls_tmp_dh_cb( SSL *ssl, int is_export, int key_length ) return NULL; } #endif +#endif + +int +ldap_start_tls_s ( LDAP *ld, + LDAPControl **serverctrls, + LDAPControl **clientctrls ) +{ + int rc; + +#ifdef HAVE_TLS + char *rspoid = NULL; + struct berval *rspdata = NULL; + /* XXYYZ: this initiates operation only on default connection! */ + + if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) { + return LDAP_LOCAL_ERROR; + } + + rc = ldap_extended_operation_s( ld, LDAP_EXOP_START_TLS, + NULL, serverctrls, clientctrls, &rspoid, &rspdata ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } + + if ( rspoid != NULL ) { + LDAP_FREE(rspoid); + } + + if ( rspdata != NULL ) { + ber_bvfree( rspdata ); + } + + rc = ldap_int_tls_start( ld, ld->ld_defconn, NULL ); #else -static int dummy; + rc = LDAP_NOT_SUPPORTED; #endif + return rc; +} +