From 0045e56c34bc8897f69219a366a763f852df5534 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Mon, 9 Sep 2013 11:41:28 -0700
Subject: [PATCH 1/1] ITS#7683 more for tls version/cipher info

Add LDAP_OPT_X_TLS_VERSION / LDAP_OPT_X_TLS_CIPHER for retrieving from an LDAP session handle. Update ldap_get_option(3).
---
 doc/man/man3/ldap_get_option.3 | 32 +++++++++++++++++++++++++++++++-
 include/ldap.h | 2 ++
 libraries/libldap/tls2.c | 31 +++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index 4170ac09f5..e67de75e94 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -608,6 +608,14 @@ must be
 and its contents need to be freed by the caller using
 .BR ldap_memfree (3).
 .TP
+.B LDAP_OPT_X_TLS_CIPHER
+Gets the cipher being used on an established TLS session.
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller using
+.BR ldap_memfree (3).
+.TP
 .B LDAP_OPT_X_TLS_CIPHER_SUITE
 Sets/gets the allowed cipher suite.
 .BR invalue
@@ -688,7 +696,21 @@ must be
 .BR "char **" ,
 and its contents need to be freed by the caller using
 .BR ldap_memfree (3).
-Ignored by GnuTLS and Mozilla NSS.
+Ignored by Mozilla NSS.
+.TP
+.B LDAP_OPT_X_TLS_ECNAME
+Gets/sets the name of the curve used for
+elliptic curve key exchanges.
+.BR invalue
+must be
+.BR "const char *" ;
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller using
+.BR ldap_memfree (3).
+Ignored by GnuTLS and Mozilla NSS. In GnuTLS a curve may be selected
+in the cipher suite specification.
 .TP
 .B LDAP_OPT_X_TLS_KEYFILE
 Sets/gets the full-path of the certificate key file.
@@ -752,6 +774,14 @@ must be
 When using the OpenSSL library this is an SSL*.
 When using other crypto libraries this is a pointer to an OpenLDAP private structure.
 Applications generally should not use this option.
+.TP
+.B LDAP_OPT_X_TLS_VERSION
+Gets the TLS version being used on an established TLS session.
+.BR outvalue
+must be
+.BR "char **" ,
+and its contents need to be freed by the caller using
+.BR ldap_memfree (3).
 .SH ERRORS
 On success, the functions return
 .BR LDAP_OPT_SUCCESS ,
diff --git a/include/ldap.h b/include/ldap.h
index 89171aee09..4de3f7f322 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -159,6 +159,8 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
 #define LDAP_OPT_X_TLS_PACKAGE 0x6011
 #define LDAP_OPT_X_TLS_ECNAME 0x6012
+#define LDAP_OPT_X_TLS_VERSION 0x6013 /* read-only */
+#define LDAP_OPT_X_TLS_CIPHER 0x6014 /* read-only */
 
 #define LDAP_OPT_X_TLS_NEVER 0
 #define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index e4f63a60a9..05fce3218b 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -688,6 +688,37 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 case LDAP_OPT_X_TLS_CONNECT_ARG:
 *(void **)arg = lo->ldo_tls_connect_arg;
 break;
+ case LDAP_OPT_X_TLS_VERSION: {
+ void *sess = NULL;
+ const char *retval = NULL;
+ if ( ld != NULL ) {
+ LDAPConn *conn = ld->ld_defconn;
+ if ( conn != NULL ) {
+ Sockbuf *sb = conn->lconn_sb;
+ sess = ldap_pvt_tls_sb_ctx( sb );
+ if ( sess != NULL )
+ retval = ldap_pvt_tls_get_version( sess );
+ }
+ }
+ *(char **)arg = retval ? LDAP_STRDUP( retval ) : NULL;
+ break;
+ }
+ case LDAP_OPT_X_TLS_CIPHER: {
+ void *sess = NULL;
+ const char *retval = NULL;
+ if ( ld != NULL ) {
+ LDAPConn *conn = ld->ld_defconn;
+ if ( conn != NULL ) {
+ Sockbuf *sb = conn->lconn_sb;
+ sess = ldap_pvt_tls_sb_ctx( sb );
+ if ( sess != NULL )
+ retval = ldap_pvt_tls_get_cipher( sess );
+ }
+ }
+ *(char **)arg = retval ? LDAP_STRDUP( retval ) : NULL;
+ break;
+ }
+
 default:
 return -1;
 }
-- 
2.39.2
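Review bot: The two new cases are identical apart from the accessor called on the session, so the walk through `ld->ld_defconn`, `lconn_sb` and `ldap_pvt_tls_sb_ctx()` is written out twice; both `case` labels can share one body that selects `ldap_pvt_tls_get_version` or `ldap_pvt_tls_get_cipher` on `option`, as sketched below. Separately, `*(char **)arg = retval ? LDAP_STRDUP( retval ) : NULL;` yields NULL both when no TLS session is established on the default connection and when `LDAP_STRDUP` fails, and in both situations the code reaches `break` and presumably reports success, so a caller cannot tell "plaintext session" from "out of memory"; failing explicitly when `retval` is non-NULL but the copy is NULL keeps a NULL result meaningful, and the man page entries for these two options should state that NULL is returned when no TLS session is established. The enclosing `ldap_pvt_tls_get_option` begins before this hunk, so the return value on the `break` path is not visible here; `-1` below follows the `default:` arm.
```c
	case LDAP_OPT_X_TLS_VERSION:
	case LDAP_OPT_X_TLS_CIPHER: {
		const char *retval = NULL;
		if ( ld != NULL && ld->ld_defconn != NULL ) {
			void *sess = ldap_pvt_tls_sb_ctx( ld->ld_defconn->lconn_sb );
			if ( sess != NULL ) {
				retval = ( option == LDAP_OPT_X_TLS_VERSION )
					? ldap_pvt_tls_get_version( sess )
					: ldap_pvt_tls_get_cipher( sess );
			}
		}
		/* NULL means "no TLS session on the default connection";
		 * a failed copy must not be reported the same way. */
		*(char **)arg = retval ? LDAP_STRDUP( retval ) : NULL;
		if ( retval != NULL && *(char **)arg == NULL )
			return -1;
		break;
	}
```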