X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls.c;h=97db901a5e94bd0844e36eb5648674bdc73cb087;hb=966616b274d24c45b1f3a71ff35ddd502153b4a1;hp=3e0d55e42b6f67f894b1904199a0d2b57ef5d092;hpb=c0a06f25c2a64e3af374e3a64bd205987b3065f6;p=openldap diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 3e0d55e42b..97db901a5e 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -137,7 +137,8 @@ ldap_pvt_tls_init_def_ctx( void ) tls_def_ctx = SSL_CTX_new( SSLv23_method() ); if ( tls_def_ctx == NULL ) { Debug( LDAP_DEBUG_ANY, - "TLS: could not allocate default ctx.\n",0,0,0); + "TLS: could not allocate default ctx (%d).\n", + ERR_peek_error(),0,0); goto error_exit; } if ( tls_opt_ciphersuite && @@ -249,8 +250,7 @@ alloc_handle( void *ctx_arg ) if ( ctx_arg ) { ctx = (SSL_CTX *) ctx_arg; } else { - if ( ldap_pvt_tls_init_def_ctx() < 0 ) - return NULL; + if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL; ctx = tls_def_ctx; } @@ -259,10 +259,6 @@ alloc_handle( void *ctx_arg ) Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0); return NULL; } - - if ( tls_opt_trace ) { - SSL_set_info_callback( ssl, tls_info_cb ); - } return ssl; } @@ -552,24 +548,34 @@ BIO_METHOD ldap_pvt_sb_bio_method = * and call again. */ -int -ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) +static int +ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) { + Sockbuf *sb = conn->lconn_sb; int err; SSL *ssl; if ( HAS_TLS( sb ) ) { ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); + } else { - ssl = alloc_handle( ctx_arg ); - if ( ssl == NULL ) - return -1; + void *ctx = ld->ld_defconn + ? ld->ld_defconn->lconn_tls_ctx : NULL; + + ssl = alloc_handle( ctx ); + + if ( ssl == NULL ) return -1; + #ifdef LDAP_DEBUG ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug, LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" ); #endif ber_sockbuf_add_io( sb, &ldap_pvt_sockbuf_io_tls, LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl ); + + if( ctx == NULL ) { + conn->lconn_tls_ctx = tls_def_ctx; + } } err = SSL_connect( ssl ); @@ -578,8 +584,9 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) errno = WSAGetLastError(); #endif if ( err <= 0 ) { - if ( update_flags( sb, ssl, err )) + if ( update_flags( sb, ssl, err )) { return 1; + } if ((err = ERR_peek_error())) { char buf[256]; ld->ld_error = LDAP_STRDUP(ERR_error_string(err, buf)); @@ -593,6 +600,7 @@ ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg ) #endif return -1; } + return 0; } @@ -651,7 +659,7 @@ ldap_pvt_tls_inplace ( Sockbuf *sb ) } void * -ldap_pvt_tls_sb_handle( Sockbuf *sb ) +ldap_pvt_tls_sb_ctx( Sockbuf *sb ) { void *p; @@ -663,12 +671,6 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb ) return NULL; } -void * -ldap_pvt_tls_get_handle( LDAP *ld ) -{ - return ldap_pvt_tls_sb_handle( ld->ld_sb ); -} - int ldap_pvt_tls_get_strength( void *s ) { @@ -743,6 +745,94 @@ ldap_pvt_tls_get_peer_hostname( void *s ) return p; } +int +ldap_pvt_tls_check_hostname( void *s, char *name ) +{ + int i, ret = LDAP_LOCAL_ERROR; + X509 *x; + + x = SSL_get_peer_certificate((SSL *)s); + if (!x) + { + Debug( LDAP_DEBUG_ANY, + "TLS: unable to get peer certificate.\n", + 0, 0, 0 ); + return ret; + } + + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) + { + X509_EXTENSION *ex; + STACK_OF(GENERAL_NAME) *alt; + + ex = X509_get_ext(x, i); + alt = X509V3_EXT_d2i(ex); + if (alt) + { + int n, len1, len2; + char *domain; + GENERAL_NAME *gn; + X509V3_EXT_METHOD *method; + + len1 = strlen(name); + n = sk_GENERAL_NAME_num(alt); + domain = strchr(name, '.'); + if (domain) + len2 = len1 - (domain-name); + for (i=0; itype == GEN_DNS) + { + char *sn = ASN1_STRING_data(gn->d.ia5); + int sl = ASN1_STRING_length(gn->d.ia5); + + /* Is this an exact match? */ + if ((len1 == sl) && !strncasecmp(name, sn, len1)) + break; + + /* Is this a wildcard match? */ + if ((*sn == '*') && domain && (len2 == sl-1) && + !strncasecmp(domain, sn+1, len2)) + break; + } + } + method = X509V3_EXT_get(ex); + method->ext_free(alt); + if (i < n) /* Found a match */ + ret = LDAP_SUCCESS; + } + } + + if (ret != LDAP_SUCCESS) + { + X509_NAME *xn; + char buf[2048]; + + xn = X509_get_subject_name(x); + + if (X509_NAME_get_text_by_NID(xn, NID_commonName, buf, sizeof(buf)) + == -1) + { + Debug( LDAP_DEBUG_ANY, + "TLS: unable to get common name from peer certificate.\n", + 0, 0, 0 ); + } else if (strcasecmp(name, buf)) + { + Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " + "common name in certificate (%s).\n", + name, buf, 0 ); + ret = LDAP_CONNECT_ERROR; + } else + { + ret = LDAP_SUCCESS; + } + } + X509_free(x); + return ret; +} + const char * ldap_pvt_tls_get_peer_issuer( void *s ) { @@ -766,7 +856,7 @@ ldap_pvt_tls_get_peer_issuer( void *s ) } int -ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg ) +ldap_int_tls_config( LDAP *ld, int option, const char *arg ) { int i; @@ -776,12 +866,14 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg ) case LDAP_OPT_X_TLS_CERTFILE: case LDAP_OPT_X_TLS_KEYFILE: case LDAP_OPT_X_TLS_RANDOM_FILE: - return ldap_pvt_tls_set_option( NULL, option, (void *) arg ); + return ldap_pvt_tls_set_option( ld, option, (void *) arg ); + case LDAP_OPT_X_TLS_REQUIRE_CERT: i = ( ( strcasecmp( arg, "on" ) == 0 ) || ( strcasecmp( arg, "yes" ) == 0) || ( strcasecmp( arg, "true" ) == 0 ) ); - return ldap_pvt_tls_set_option( NULL, option, (void *) &i ); + return ldap_pvt_tls_set_option( ld, option, (void *) &i ); + case LDAP_OPT_X_TLS: i = -1; if ( strcasecmp( arg, "never" ) == 0 ) @@ -794,8 +886,10 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg ) i = LDAP_OPT_X_TLS_TRY ; if ( strcasecmp( arg, "hard" ) == 0 ) i = LDAP_OPT_X_TLS_HARD ; - if (i >= 0) - return ldap_pvt_tls_set_option( lo, option, &i ); + + if (i >= 0) { + return ldap_pvt_tls_set_option( ld, option, &i ); + } return -1; } @@ -803,17 +897,36 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg ) } int -ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) +ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) { + struct ldapoptions *lo; + + if( ld != NULL ) { + assert( LDAP_VALID( ld ) ); + + if( !LDAP_VALID( ld ) ) { + return LDAP_OPT_ERROR; + } + + lo = &ld->ld_options; + + } else { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if ( lo == NULL ) { + return LDAP_NO_MEMORY; + } + } + switch( option ) { case LDAP_OPT_X_TLS: *(int *)arg = lo->ldo_tls_mode; break; - case LDAP_OPT_X_TLS_CERT: - if ( lo == NULL ) + case LDAP_OPT_X_TLS_CTX: + if ( ld == NULL ) *(void **)arg = (void *) tls_def_ctx; else - *(void **)arg = lo->ldo_tls_ctx; + *(void **)arg = ld->ld_defconn->lconn_tls_ctx; break; case LDAP_OPT_X_TLS_CACERTFILE: *(char **)arg = tls_opt_cacertfile ? @@ -844,8 +957,27 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg ) } int -ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) +ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) { + struct ldapoptions *lo; + + if( ld != NULL ) { + assert( LDAP_VALID( ld ) ); + + if( !LDAP_VALID( ld ) ) { + return LDAP_OPT_ERROR; + } + + lo = &ld->ld_options; + + } else { + /* Get pointer to global option structure */ + lo = LDAP_INT_GLOBAL_OPT(); + if ( lo == NULL ) { + return LDAP_NO_MEMORY; + } + } + switch( option ) { case LDAP_OPT_X_TLS: switch( *(int *) arg ) { @@ -862,17 +994,17 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) } return -1; - case LDAP_OPT_X_TLS_CERT: - if ( lo == NULL ) { + case LDAP_OPT_X_TLS_CTX: + if ( ld == NULL ) { tls_def_ctx = (SSL_CTX *) arg; } else { - lo->ldo_tls_ctx = arg; + ld->ld_defconn->lconn_tls_ctx = arg; } return 0; } - if ( lo != NULL ) { + if ( ld != NULL ) { return -1; } @@ -911,54 +1043,40 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) } int -ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) +ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { - char *peer_cert_cn, *peer_hostname; + Sockbuf *sb = conn->lconn_sb; + char *host; void *ssl; + if( srv ) { + host = srv->lud_host; + } else { + host = conn->lconn_server->lud_host; + } + (void) ldap_pvt_tls_init(); /* * Fortunately, the lib uses blocking io... */ - if ( ldap_pvt_tls_connect( ld, sb, ctx_arg ) < 0 ) { - return LDAP_CONNECT_ERROR; + if ( ldap_int_tls_connect( ld, conn ) < 0 ) { + ld->ld_errno = LDAP_CONNECT_ERROR; + return (ld->ld_errno); } - ssl = (void *) ldap_pvt_tls_sb_handle( sb ); + ssl = (void *) ldap_pvt_tls_sb_ctx( sb ); + assert( ssl != NULL ); + /* - * compare hostname of server with name in certificate + * compare host with name(s) in certificate. avoid NULL host */ - peer_cert_cn = ldap_pvt_tls_get_peer_hostname( ssl ); - if ( !peer_cert_cn ) { - /* could not get hostname from peer certificate */ - Debug( LDAP_DEBUG_ANY, - "TLS: unable to get common name from peer certificate.\n", - 0, 0, 0 ); - return LDAP_LOCAL_ERROR; - } - - peer_hostname = ldap_host_connected_to( sb ); - if ( !peer_hostname ) { - /* could not lookup hostname */ - Debug( LDAP_DEBUG_ANY, - "TLS: unable to reverse lookup peer hostname.\n", - 0, 0, 0 ); - LDAP_FREE( peer_cert_cn ); - return LDAP_LOCAL_ERROR; - } - if ( strcasecmp(peer_hostname, peer_cert_cn) != 0 ) { - Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " - "common name in certificate (%s).", - peer_hostname, peer_cert_cn, 0 ); - LDAP_FREE( peer_cert_cn ); - LDAP_FREE( peer_hostname ); - return LDAP_CONNECT_ERROR; - - } else { - LDAP_FREE( peer_cert_cn ); - LDAP_FREE( peer_hostname ); + if( host == NULL ) + host = "localhost"; + ld->ld_errno = ldap_pvt_tls_check_hostname( ssl, host ); + if (ld->ld_errno != LDAP_SUCCESS) { + return ld->ld_errno; } /* @@ -972,7 +1090,7 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) ssf = ldap_pvt_tls_get_strength( ssl ); authid = ldap_pvt_tls_get_peer( ssl ); - (void) ldap_int_sasl_external( ld, authid, ssf ); + (void) ldap_int_sasl_external( ld, conn, authid, ssf ); } return LDAP_SUCCESS; @@ -1149,12 +1267,13 @@ ldap_start_tls_s ( LDAP *ld, LDAPControl **serverctrls, LDAPControl **clientctrls ) { -#ifdef HAVE_TLS int rc; + +#ifdef HAVE_TLS char *rspoid = NULL; struct berval *rspdata = NULL; - /* XXYYZ: this initiates operaton only on default connection! */ + /* XXYYZ: this initiates operation only on default connection! */ if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) { return LDAP_LOCAL_ERROR; @@ -1174,10 +1293,10 @@ ldap_start_tls_s ( LDAP *ld, ber_bvfree( rspdata ); } - rc = ldap_pvt_tls_start( ld, ld->ld_sb, ld->ld_options.ldo_tls_ctx ); - return rc; + rc = ldap_int_tls_start( ld, ld->ld_defconn, NULL ); #else - return LDAP_NOT_SUPPORTED; + rc = LDAP_NOT_SUPPORTED; #endif + return rc; }