From: Kurt Zeilenga
Date: Mon, 25 Jun 2001 07:33:42 +0000 (+0000)
Subject: move TLS ctx to lconn struct in prep for supporting TLS with referrals
X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~1280
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=c4f5497ac62e309b3aecf08897908d4f955351f5;p=openldap
move TLS ctx to lconn struct in prep for supporting TLS with referrals
need to rework cert check to use per lconn host name
---
diff --git a/include/ldap.h b/include/ldap.h
index 9376ba943f..b19d2d1796 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -113,16 +113,16 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_URI 0x5006 /* OpenLDAP TLS options */
-#define LDAP_OPT_X_TLS_CACERTFILE 0x6001
-#define LDAP_OPT_X_TLS_CACERTDIR 0x6002
-#define LDAP_OPT_X_TLS_CERT 0x6003
+#define LDAP_OPT_X_TLS 0x6000
+#define LDAP_OPT_X_TLS_CTX 0x6001 /* SSL CTX */
+#define LDAP_OPT_X_TLS_CACERTFILE 0x6002
+#define LDAP_OPT_X_TLS_CACERTDIR 0x6003
#define LDAP_OPT_X_TLS_CERTFILE 0x6004
#define LDAP_OPT_X_TLS_KEYFILE 0x6005
#define LDAP_OPT_X_TLS_REQUIRE_CERT 0x6006
-#define LDAP_OPT_X_TLS 0x6007
-#define LDAP_OPT_X_TLS_PROTOCOL 0x6008
-#define LDAP_OPT_X_TLS_CIPHER_SUITE 0x6009
-#define LDAP_OPT_X_TLS_RANDOM_FILE 0x600a
+#define LDAP_OPT_X_TLS_PROTOCOL 0x6007
+#define LDAP_OPT_X_TLS_CIPHER_SUITE 0x6008
+#define LDAP_OPT_X_TLS_RANDOM_FILE 0x6009
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 8ba083f7a8..2f7da1dfbc 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -149,6 +149,7 @@ LDAP_F (int) ldap_pvt_sasl_install LDAP_P(( struct sockbuf *, void * ));
#define LDAP_PVT_SASL_LOCAL_SSF 71 /* SSF for Unix Domain Sockets */ struct ldap; + LDAP_F (int) ldap_open_internal_connection LDAP_P(( struct ldap **ldp, ber_socket_t *fdp ));
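Review bot: Renumbering the existing LDAP_OPT_X_TLS_* values in include/ldap.h changes the library's ABI: a client built against the previous header that passes the old LDAP_OPT_X_TLS_CACERTFILE (0x6001) now lands in the new LDAP_OPT_X_TLS_CTX case, where ldap_pvt_tls_set_option (later in this diff) stores the argument as an SSL_CTX pointer, so a file-name string becomes a bogus context pointer instead of a rejected option. If binary compatibility with existing clients matters, keep the old numbers and append the new one, e.g. `#define LDAP_OPT_X_TLS_CTX 0x600b /* SSL CTX */`, rather than inserting at 0x6000/0x6001. If the X_ options are deliberately unstable at this stage, a one-line comment above the block saying so, such as `/* values are not ABI-stable; rebuild clients after changes */`, would save the next reader the same question.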
@@ -167,11 +168,9 @@ LDAP_F( char * ) ldap_pvt_str2lower LDAP_P(( char *str ));
/* tls.c */
-struct ldapoptions;
-struct ldap;
-
LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
-LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld, Sockbuf *sb, void *ctx_arg ));
+LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld,
+ Sockbuf *sb, void *ctx_arg ));
LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
LDAP_F (void *) ldap_pvt_tls_sb_handle LDAP_P(( Sockbuf *sb ));
LDAP_F (void *) ldap_pvt_tls_get_handle LDAP_P(( struct ldap *ld ));
@@ -179,10 +178,12 @@ LDAP_F (char *) ldap_pvt_tls_get_peer LDAP_P(( void *handle ));
LDAP_F (char *) ldap_pvt_tls_get_peer_dn LDAP_P(( void *handle ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *handle ));
LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
-LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld, Sockbuf *sb, void *ctx_arg ));
-
-LDAP_F (int) ldap_pvt_tls_get_option LDAP_P(( struct ldapoptions *lo, int option, void *arg ));
-LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldapoptions *lo, int option, void *arg ));
+LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld,
+ Sockbuf *sb, void *ctx_arg ));
+LDAP_F (int) ldap_pvt_tls_get_option LDAP_P(( struct ldap *ld,
+ int option, void *arg ));
+LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld,
+ int option, void *arg ));
LDAP_END_DECL
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index abed0261a4..20589a5a6a 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -425,7 +425,7 @@ ldap_int_sasl_open(
return ld->ld_errno;
}
- Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: %s\n",
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: host=%s\n",
host, 0, 0 );
lc->lconn_sasl_ctx = ctx;
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index a823946c7c..f1a4be9485 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -419,12 +419,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS;
#endif
-#ifdef HAVE_TLS
- gopts->ldo_tls_ctx = NULL;
-#endif
- gopts->ldo_valid = LDAP_INITIALIZED; - return; }
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index b9eedb0130..d265957e73 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -125,6 +125,10 @@ struct ldapoptions {
ber_int_t ldo_timelimit;
ber_int_t ldo_sizelimit;
+#ifdef HAVE_TLS
+ int ldo_tls_mode;
+#endif
+
LDAPURLDesc *ldo_defludp;
int ldo_defport;
char* ldo_defbase;
@@ -150,32 +154,22 @@ struct ldapoptions {
LDAP_REBIND_PROC *ldo_rebind_proc;
void *ldo_rebind_params;
-#ifdef HAVE_TLS
- /* tls context */
- void *ldo_tls_ctx;
- int ldo_tls_mode;
-#endif
LDAP_BOOLEANS ldo_booleans; /* boolean options */
};
-/*
- * structure for tracking LDAP server host, ports, DNs, etc.
- */
-typedef struct ldap_server {
- char *lsrv_host;
- char *lsrv_dn; /* if NULL, use default */
- int lsrv_port;
- struct ldap_server *lsrv_next;
-} LDAPServer;
-
-
/*
* structure for representing an LDAP server connection
*/
typedef struct ldap_conn {
Sockbuf *lconn_sb;
+#ifdef HAVE_TLS
+ /* tls context */
+ void *lconn_tls_ctx;
+#endif
+#ifdef HAVE_CYRUS_SASL
void *lconn_sasl_ctx;
+#endif
int lconn_refcnt;
time_t lconn_lastused; /* time */
int lconn_rebind_inprogress; /* set if rebind in progress */
@@ -188,8 +182,9 @@ typedef struct ldap_conn {
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char *lconn_krbinstance;
#endif
+ BerElement *lconn_ber; /* ber receiving on this conn. */
+ struct ldap_conn *lconn_next;
- BerElement *lconn_ber;/* ber receiving on this conn. */
} LDAPConn;
@@ -274,9 +269,6 @@ struct ldap {
#define ld_version ld_options.ldo_version
- char *ld_host;
- int ld_port;
- unsigned short ld_lberoptions; ber_int_t ld_errno;
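Review bot: The explicit `gopts->ldo_tls_ctx = NULL;` in ldap_int_initialize_global_options is dropped, but nothing in this commit shows where the new per-connection `lconn_tls_ctx` (or `ldo_tls_mode`, now relocated in struct ldapoptions) is initialised, and ldap_int_open_connection later in this diff passes `conn->lconn_tls_ctx` straight to ldap_pvt_tls_start. If the LDAPConn allocator does not zero the struct, that is an indeterminate pointer handed to the TLS layer; the allocator is not visible from here, so please confirm it uses LDAP_CALLOC or add `conn->lconn_tls_ctx = NULL;` at the allocation site. A comment on the new field stating the default, e.g. `/* per-connection SSL_CTX; NULL selects the library default */`, would also record the intended contract, assuming that is what ldap_pvt_tls_start does with a NULL ctx_arg (not shown in this diff).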
@@ -410,10 +402,11 @@ LDAP_F (int) ldap_connect_to_host( LDAP *ld, Sockbuf *sb, int proto, const char *host, unsigned long address, int port, int async );
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) || defined(HAVE_TLS) || defined(HAVE_CYRUS_SASL)
+#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) || \
+ defined(HAVE_TLS) || defined(HAVE_CYRUS_SASL)
LDAP_V (char *) ldap_int_hostname;
LDAP_F (char *) ldap_host_connected_to( Sockbuf *sb );
-#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
+#endif
LDAP_F (void) ldap_int_ip_init( void );
LDAP_F (int) do_ldap_select( LDAP *ld, struct timeval *timeout );
@@ -543,7 +536,7 @@ LDAP_F (int) ldap_int_sasl_config LDAP_P(( struct ldapoptions *lo, int option, const char *arg ));
LDAP_F (int) ldap_int_sasl_bind LDAP_P((
- struct ldap *ld,
+ LDAP *ld,
const char *,
const char *,
LDAPControl **,
LDAPControl **,
@@ -557,7 +550,8 @@ LDAP_F (int) ldap_int_sasl_bind LDAP_P((
/*
* in tls.c
*/
-LDAP_F (int) ldap_int_tls_config LDAP_P(( struct ldapoptions *lo, int option, const char *arg ));
+LDAP_F (int) ldap_int_tls_config LDAP_P(( LDAP *ld,
+ int option, const char *arg ));
LDAP_END_DECL
diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
index 904fb0af08..b968778653 100644
--- a/libraries/libldap/open.c
+++ b/libraries/libldap/open.c
@@ -54,9 +54,11 @@ ldap_open( LDAP_CONST char *host, int port )
int rc;
LDAP *ld;
- Debug( LDAP_DEBUG_TRACE, "ldap_open\n", 0, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE, "ldap_open(%s, %d)\n",
+ host, port, 0 );
- if (( ld = ldap_init( host, port )) == NULL ) {
+ ld = ldap_init( host, port );
+ if ( ld == NULL ) {
return( NULL );
}
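Review bot: The new trace `Debug( LDAP_DEBUG_TRACE, "ldap_open(%s, %d)\n", host, port, 0 );` feeds `host` straight to a `%s` conversion, yet ldap_open accepts a NULL host — the message this commit removes from the same function guarded `ld->ld_host == NULL` with "(null)" for that very case — and a NULL `%s` argument is undefined behaviour that crashes outright on several libcs. Keep the guard in the new message: `Debug( LDAP_DEBUG_TRACE, "ldap_open(%s, %d)\n", host ? host : "(null)", port, 0 );`. ldap_open's body continues past the end of this hunk.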
@@ -64,13 +66,13 @@ ldap_open( LDAP_CONST char *host, int port )
if( rc < 0 ) {
ldap_ld_free( ld, 0, NULL, NULL );
- return( NULL );
+ ld = NULL;
}
- Debug( LDAP_DEBUG_TRACE, "ldap_open successful, ld_host is %s\n",
- ( ld->ld_host == NULL ) ? "(null)" : ld->ld_host, 0, 0 );
+ Debug( LDAP_DEBUG_TRACE, "ldap_open: %s\n",
+ ld == NULL ? "succeeded" : "failed", 0, 0 );
- return( ld );
+ return ld;
}
@@ -334,7 +336,7 @@ ldap_int_open_connection(
ld->ld_defconn = conn;
rc = ldap_pvt_tls_start( ld, conn->lconn_sb,
- ld->ld_options.ldo_tls_ctx );
+ conn->lconn_tls_ctx );
ld->ld_defconn = savedefconn;
--conn->lconn_refcnt;
diff --git a/libraries/libldap/options.c b/libraries/libldap/options.c
index 455af6ba65..3360fa3ab4 100644
--- a/libraries/libldap/options.c
+++ b/libraries/libldap/options.c
@@ -282,12 +282,14 @@ ldap_get_option(
default:
#ifdef HAVE_TLS
- if ( ldap_pvt_tls_get_option((struct ldapoptions *)lo, option, outvalue ) == 0 )
- return LDAP_OPT_SUCCESS;
+ if ( ldap_pvt_tls_get_option( ld, option, outvalue ) == 0 ) {
+ return LDAP_OPT_SUCCESS;
+ }
#endif
#ifdef HAVE_CYRUS_SASL
- if ( ldap_int_sasl_get_option(ld, option, outvalue ) == 0 )
- return LDAP_OPT_SUCCESS;
+ if ( ldap_int_sasl_get_option( ld, option, outvalue ) == 0 ) {
+ return LDAP_OPT_SUCCESS;
+ }
#endif
/* bad param */
break;
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index 30f4b3c3e5..ef6ec1c87b 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -294,7 +294,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
struct hostent *hp = NULL;
char *ha_buf=NULL, *p, *q;
- osip_debug(ld, "ldap_connect_to_host\n",0,0,0);
+ osip_debug(ld, "ldap_connect_to_host: %s\n",host,0,0);
if (host != NULL) {
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c
index 4d1d52732b..15c51e8e77 100644
--- a/libraries/libldap/request.c
+++ b/libraries/libldap/request.c
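Review bot: The success/failure trace in ldap_open is inverted: `ld == NULL ? "succeeded" : "failed"` prints "succeeded" exactly when the open failed and `ld` was set to NULL two lines earlier. It should read `ld == NULL ? "failed" : "succeeded", 0, 0 );`. Harmless at runtime, but it will mislead whoever is debugging a failed connect, which is the case this trace exists for.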
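Review bot: `osip_debug(ld, "ldap_connect_to_host: %s\n",host,0,0);` passes `host` to a `%s` conversion, but the very next context line, `if (host != NULL)`, shows that `host` can legitimately be NULL on this path, so the new trace introduces a NULL-to-%s (undefined behaviour, a crash on some libcs) that the old message did not have. Guard it: `osip_debug(ld, "ldap_connect_to_host: %s\n", host ? host : "(null)", 0, 0);`. ldap_connect_to_host's body extends well beyond this hunk.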
@@ -95,8 +95,8 @@ ldap_send_initial_request(
}
Debug( LDAP_DEBUG_TRACE,
- "ldap_delayed_open successful, ld_host is %s\n",
- ( ld->ld_host == NULL ) ? "(null)" : ld->ld_host, 0, 0 );
+ "ldap_open_defconn: successful\n",
+ 0, 0, 0 );
}
{
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index b03b877e5a..d048608821 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -767,7 +767,7 @@ ldap_pvt_tls_get_peer_issuer( void *s )
}
int
-ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
+ldap_int_tls_config( LDAP *ld, int option, const char *arg )
{
int i;
@@ -778,11 +778,13 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
case LDAP_OPT_X_TLS_KEYFILE:
case LDAP_OPT_X_TLS_RANDOM_FILE:
return ldap_pvt_tls_set_option( NULL, option, (void *) arg );
+
case LDAP_OPT_X_TLS_REQUIRE_CERT:
i = ( ( strcasecmp( arg, "on" ) == 0 ) ||
( strcasecmp( arg, "yes" ) == 0) ||
( strcasecmp( arg, "true" ) == 0 ) );
return ldap_pvt_tls_set_option( NULL, option, (void *) &i );
+
case LDAP_OPT_X_TLS:
i = -1;
if ( strcasecmp( arg, "never" ) == 0 )
@@ -795,8 +797,10 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
i = LDAP_OPT_X_TLS_TRY ;
if ( strcasecmp( arg, "hard" ) == 0 )
i = LDAP_OPT_X_TLS_HARD ;
- if (i >= 0)
- return ldap_pvt_tls_set_option( lo, option, &i );
+
+ if (i >= 0) {
+ return ldap_pvt_tls_set_option( ld, option, &i );
+ }
return -1;
}
@@ -804,17 +808,35 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
}
int
-ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg )
+ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
{
+ struct ldapoptions *lo;
+
+ /* Get pointer to global option structure */
+ lo = LDAP_INT_GLOBAL_OPT();
+ if (NULL == lo) {
+ return LDAP_NO_MEMORY;
+ }
+
+ if(ld != NULL) {
+ assert( LDAP_VALID( ld ) );
+
+ if( !LDAP_VALID( ld ) ) {
+ return LDAP_OPT_ERROR;
+ }
+
+ lo = &ld->ld_options;
+ }
+
switch( option ) {
case LDAP_OPT_X_TLS:
*(int *)arg = lo->ldo_tls_mode;
break;
- case LDAP_OPT_X_TLS_CERT:
- if ( lo == NULL )
+ case LDAP_OPT_X_TLS_CTX:
+ if ( ld == NULL )
*(void **)arg = (void *) tls_def_ctx;
else
- *(void **)arg = lo->ldo_tls_ctx;
+ *(void **)arg = ld->ld_defconn->lconn_tls_ctx;
break;
case LDAP_OPT_X_TLS_CACERTFILE:
*(char **)arg = tls_opt_cacertfile ?
@@ -845,8 +867,26 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg )
}
int
-ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
+ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
{
+ struct ldapoptions *lo;
+
+ /* Get pointer to global option structure */
+ lo = LDAP_INT_GLOBAL_OPT();
+ if (NULL == lo) {
+ return LDAP_NO_MEMORY;
+ }
+
+ if(ld != NULL) {
+ assert( LDAP_VALID( ld ) );
+
+ if( !LDAP_VALID( ld ) ) {
+ return LDAP_OPT_ERROR;
+ }
+
+ lo = &ld->ld_options;
+ }
+
switch( option ) {
case LDAP_OPT_X_TLS:
switch( *(int *) arg ) {
@@ -863,12 +903,12 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
}
return -1;
- case LDAP_OPT_X_TLS_CERT:
- if ( lo == NULL ) {
+ case LDAP_OPT_X_TLS_CTX:
+ if ( ld == NULL ) {
tls_def_ctx = (SSL_CTX *) arg;
} else {
- lo->ldo_tls_ctx = arg;
+ ld->ld_defconn->lconn_tls_ctx = arg;
}
return 0;
}
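Review bot: In both `ldap_pvt_tls_get_option` and `ldap_pvt_tls_set_option` the new `LDAP_OPT_X_TLS_CTX` branches dereference `ld->ld_defconn` unchecked, and `ld_defconn` is NULL on a handle that has not yet opened a connection — which is exactly when an application calls ldap_set_option to install its SSL_CTX before binding. As written, the ordinary set-context-then-connect sequence crashes, and a per-connection slot cannot hold a context before the connection exists in any case. Until the referral rework lands, guard the dereference and fail cleanly, e.g. in set_option `if ( ld->ld_defconn == NULL ) return -1; ld->ld_defconn->lconn_tls_ctx = arg;` with the mirror in get_option (returning `tls_def_ctx` or NULL), or keep a per-handle default in `ld_options` that new connections copy from. Note also that the new global-options lookup returns LDAP_NO_MEMORY where the rest of these functions return -1 / LDAP_OPT_ERROR; the options.c callers in this diff only test `== 0`, so it works today, but a single failure convention would be easier to keep correct.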
@@ -914,7 +954,9 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
int
ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
{
+#if 0
char *peer_cert_cn;
+#endif
void *ssl;
(void) ldap_pvt_tls_init();
@@ -929,8 +971,9 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
ssl = (void *) ldap_pvt_tls_sb_handle( sb );
assert( ssl != NULL );
+#if 0
/*
- * compare ld->ld_host with name in certificate
+ * compare host with name in certificate
*/
peer_cert_cn = ldap_pvt_tls_get_peer_hostname( ssl );
@@ -942,7 +985,7 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
return LDAP_LOCAL_ERROR;
}
- if ( strcasecmp(ld->ld_host, peer_cert_cn) != 0 ) {
+ if ( strcasecmp( ld->ld_host, peer_cert_cn ) != 0 ) {
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
ld->ld_host, peer_cert_cn, 0 );
@@ -951,6 +994,7 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
}
LDAP_FREE( peer_cert_cn );
+#endif
/*
* set SASL properties to TLS ssf and authid
@@ -1145,7 +1189,7 @@ ldap_start_tls_s ( LDAP *ld,
char *rspoid = NULL;
struct berval *rspdata = NULL;
- /* XXYYZ: this initiates operaton only on default connection! */
+ /* XXYYZ: this initiates operation only on default connection! */
if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
return LDAP_LOCAL_ERROR;
@@ -1165,7 +1209,9 @@ ldap_start_tls_s ( LDAP *ld,
ber_bvfree( rspdata );
}
- rc = ldap_pvt_tls_start( ld, ld->ld_sb, ld->ld_options.ldo_tls_ctx );
+ rc = ldap_pvt_tls_start( ld, ld->ld_sb,
+ ld->ld_defconn->lconn_tls_ctx );
+ return rc;
#else
return LDAP_NOT_SUPPORTED;
diff --git a/libraries/libldap/unbind.c b/libraries/libldap/unbind.c
index 776aded7ec..24312af238 100644
--- a/libraries/libldap/unbind.c
+++ b/libraries/libldap/unbind.c
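Review bot: Wrapping the peer-certificate name check in `#if 0` means ldap_pvt_tls_start now completes the handshake without ever comparing the certificate's subject with the host the client asked for, so any certificate the trust store accepts — including one issued to a different server — is silently accepted, which is precisely the man-in-the-middle case this check existed to stop. The commit message defers the rework, but the library ships with verification off in the meantime; the `ldap_host_connected_to( Sockbuf *sb )` helper declared in ldap-int.h in this same diff could stand in for the removed `ld->ld_host` so the check stays live, provided it returns the name the caller connected to rather than a reverse-DNS result (I cannot tell from here). At minimum replace the bare `#if 0` with `#if 0 /* FIXME: hostname check disabled pending per-connection host; TLS peer is NOT authenticated */` and log `Debug( LDAP_DEBUG_ANY, "TLS: peer hostname not verified\n", 0, 0, 0 );` at that point so the regression is visible in logs rather than silent. ldap_pvt_tls_start continues between and beyond these hunks.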
@@ -99,11 +99,6 @@ ldap_ld_free(
ld->ld_matched = NULL;
}
- if ( ld->ld_host != NULL ) {
- LDAP_FREE( ld->ld_host );
- ld->ld_host = NULL;
- }
-
if ( ld->ld_abandoned != NULL ) {
LDAP_FREE( ld->ld_abandoned );
ld->ld_abandoned = NULL;
diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index 97bbab084a..b5582e7652 100644
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -75,7 +75,7 @@ starttls_extop (
}
/* fail if TLS could not be initialized */
- if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
+ if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
|| ctx == NULL) {
if (default_referral != NULL) {