From: Howard Chu
Date: Wed, 16 Aug 2000 23:27:41 +0000 (+0000)
Subject: Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.
X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~2244
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=0f8047b95e0f42239bbef1d97ce1c6541c0ef129;p=openldap
Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.
Added ldap_pvt_tls_get_strength() - return encryption strength, for use as a SASL session security factor.
---
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 5a2fa336cd..ef42b6f9c8 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -164,6 +164,8 @@ LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld, Sockbuf *sb, void *c
 LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
 LDAP_F (void *) ldap_pvt_tls_sb_handle LDAP_P(( Sockbuf *sb ));
 LDAP_F (void *) ldap_pvt_tls_get_handle LDAP_P(( struct ldap *ld ));
+LDAP_F (const char *) ldap_pvt_tls_get_peer LDAP_P(( void *handle ));
+LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *handle ));
 LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
 LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld, Sockbuf *sb, void *ctx_arg ));
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index f31c95239b..9aed9ebe08 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
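Review bot: The new `ldap_pvt_tls_get_peer` prototype returns `const char *`, but the tls.c implementation in this same commit hands back an `LDAP_STRDUP`'d copy, so the caller owns heap memory that the `const` signature invites it to treat as borrowed — and connection.c already has to cast the `const` away to use it. Either declare it `char *` or document the ownership at the declaration, e.g. `/* Returns a malloc'd copy of the peer certificate's subject name (NULL if none); caller frees with ldap_memfree() */`. The `void *handle` argument is presumably the OpenSSL `SSL *` obtained from `ldap_pvt_tls_sb_handle()`; a one-line comment saying so, and that `ldap_pvt_tls_get_strength` returns the negotiated cipher's key bits, would make the contract usable without reading tls.c.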
@@ -658,16 +658,54 @@ ldap_pvt_tls_get_handle( LDAP *ld )
 return ldap_pvt_tls_sb_handle( ld->ld_sb );
 }
+int
+ldap_pvt_tls_get_strength( void *s )
+{
+ SSL_CIPHER *c;
+
+ c = SSL_get_current_cipher((SSL *)s);
+ return SSL_CIPHER_get_bits(c, NULL);
+}
+
+
 const char *
-ldap_pvt_tls_get_peer( LDAP *ld )
+ldap_pvt_tls_get_peer( void *s )
 {
- return NULL;
+ X509 *x;
+ X509_NAME *xn;
+ char buf[2048], *p;
+
+ x = SSL_get_peer_certificate((SSL *)s);
+
+ if (!x)
+ return NULL;
+
+ xn = X509_get_subject_name(x);
+ p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+ X509_free(x);
+ return p;
 }
 const char *
-ldap_pvt_tls_get_peer_issuer( LDAP *ld )
+ldap_pvt_tls_get_peer_issuer( void *s )
 {
+#if 0 /* currently unused; see ldap_pvt_tls_get_peer() if needed */
+ X509 *x;
+ X509_NAME *xn;
+ char buf[2048], *p;
+
+ x = SSL_get_peer_certificate((SSL *)s);
+
+ if (!x)
+ return NULL;
+
+ xn = X509_get_issuer_name(x);
+ p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+ X509_free(x);
+ return p;
+#else
 return NULL;
+#endif
 }
 int
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index a966c0f174..c8ad754d61 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -919,12 +919,17 @@ int connection_read(ber_socket_t s)
 connection_close( c );
 } else if ( rc == 0 ) {
+ void *ssl;
+ unsigned ssf;
+ char *authid;
+
 c->c_needs_tls_accept = 0;
-#if 0 /* we need to let SASL know */
+ ssl = (void *)ldap_pvt_tls_sb_handle( c->c_sb );
+ ssf = (unsigned)ldap_pvt_tls_get_strength( ssl );
+ authid = (char *)ldap_pvt_tls_get_peer( ssl );
 slap_sasl_external( c, ssf, authid );
-#endif
 }
 connection_return( c );
 ldap_pvt_thread_mutex_unlock( &connections_mutex );
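Review bot: `ldap_pvt_tls_get_peer` returns the subject name of whatever certificate the peer presented without checking that the certificate was actually verified — `SSL_get_peer_certificate()` hands back the presented cert regardless of the verify outcome, and this commit feeds the result straight into `slap_sasl_external()` as an authentication identity. Unless the `SSL_CTX` is guaranteed to be configured to fail the handshake on an unverifiable client certificate (not visible here), a client presenting a self-signed certificate with a chosen subject would be handed that identity; consulting `SSL_get_verify_result()` before trusting the name closes that gap, as below. Separately, `X509_NAME_oneline()` produces OpenSSL's `/C=../CN=..` form rather than an RFC 2253 DN, so some normalization is presumably needed before the string is compared with LDAP DNs — worth a comment at the `LDAP_STRDUP` line, which would also crash on a NULL return from `X509_NAME_oneline()` if that can happen. `ldap_pvt_tls_get_handle` starts outside the hunk.
```c
	x = SSL_get_peer_certificate((SSL *)s);

	if (!x)
		return NULL;

	/* SSL_get_peer_certificate() returns whatever the peer presented;
	 * only trust its subject as an identity if the chain verified. */
	if (SSL_get_verify_result((SSL *)s) != X509_V_OK) {
		X509_free(x);
		return NULL;
	}

	xn = X509_get_subject_name(x);
	/* … unchanged: X509_NAME_oneline / LDAP_STRDUP / X509_free / return p … */
```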
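Review bot: `authid` is the `LDAP_STRDUP`'d string from `ldap_pvt_tls_get_peer()` and is passed to `slap_sasl_external()` without being released afterwards, so unless that function takes ownership (not visible here) every completed TLS handshake leaks the peer name; if it only copies, `ldap_memfree( authid );` after the call is the fix, and in either case the ownership should be stated in a comment at the `authid =` line. The `(char *)` cast exists only to strip the `const` that the prototype wrongly promises, which suggests the return type rather than the call site should change. `ssl` is taken from `ldap_pvt_tls_sb_handle()` unchecked; if it can be NULL after a successful accept, the two `ldap_pvt_tls_get_*` calls dereference it inside OpenSSL. `connection_read` starts and ends outside the hunk.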