From 77f776dfd1b04b25606dcdc011c5396139f3530c Mon Sep 17 00:00:00 2001
From: Kurt Zeilenga
Date: Mon, 25 Jun 2001 19:17:42 +0000
Subject: [PATCH] Another round of TLS updates to support secure referral chasing
---
 include/ldap_pvt.h | 23 +++++++++----------
 libraries/libldap/ldap-int.h | 3 +++
 libraries/libldap/open.c | 6 +----
 libraries/libldap/options.c | 2 +-
 libraries/libldap/tls.c | 43 ++++++++++++++++++------------------
 servers/slapd/connection.c | 2 +-
 6 files changed, 38 insertions(+), 41 deletions(-)
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 2f7da1dfbc..42d8249af5 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -168,23 +168,22 @@ LDAP_F( char * ) ldap_pvt_str2lower LDAP_P(( char *str ));
 /* tls.c */
-LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
-LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld,
- Sockbuf *sb, void *ctx_arg ));
-LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
-LDAP_F (void *) ldap_pvt_tls_sb_handle LDAP_P(( Sockbuf *sb ));
-LDAP_F (void *) ldap_pvt_tls_get_handle LDAP_P(( struct ldap *ld ));
-LDAP_F (char *) ldap_pvt_tls_get_peer LDAP_P(( void *handle ));
-LDAP_F (char *) ldap_pvt_tls_get_peer_dn LDAP_P(( void *handle ));
-LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *handle ));
-LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
-LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld,
- Sockbuf *sb, void *ctx_arg ));
 LDAP_F (int) ldap_pvt_tls_get_option LDAP_P(( struct ldap *ld, int option, void *arg ));
 LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld, int option, void *arg ));
+LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
+LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
+LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
+LDAP_F (void *) ldap_pvt_tls_get_ctx LDAP_P(( Sockbuf *sb ));
+
+LDAP_F (int) ldap_pvt_tls_init_default_ctx LDAP_P(( void ));
+
+LDAP_F (char *) ldap_pvt_tls_get_peer LDAP_P(( void *ctx ));
+LDAP_F (char *) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx ));
+LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
+
 LDAP_END_DECL
 #include "ldap_pvt_uc.h"
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index d265957e73..dc4e2b8dda 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -553,6 +553,9 @@ LDAP_F (int) ldap_int_sasl_bind LDAP_P((
 LDAP_F (int) ldap_int_tls_config LDAP_P(( LDAP *ld, int option, const char *arg ));
+LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
+ LDAPConn *conn ));
+
 LDAP_END_DECL
 #endif /* _LDAP_INT_H */
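Review bot: The new declaration `ldap_pvt_tls_get_ctx( Sockbuf *sb )` does not match the function this patch actually defines: tls.c renames `ldap_pvt_tls_sb_handle` to `ldap_pvt_tls_sb_ctx`, and servers/slapd/connection.c calls `ldap_pvt_tls_sb_ctx`. As written, `ldap_pvt_tls_get_ctx` is declared but never defined, and slapd's call has no prototype, so a compiler that still accepts implicit declarations will assume an `int` return and truncate the returned pointer on LP64 platforms. Either change this line to `LDAP_F (void *) ldap_pvt_tls_sb_ctx LDAP_P(( Sockbuf *sb ));` or rename the definition and the slapd caller. `ldap_pvt_tls_init_default_ctx` is also declared here without a definition anywhere in this patch; if it lives elsewhere that is fine, otherwise it is a dangling prototype.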
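Review bot: `ldap_int_tls_start` enters the internal API with no comment on its contract, while its tls.c definition later in this patch reads `ld->ld_defconn->lconn_tls_ctx` and `conn->lconn_server->lud_host` with no check on either in the visible hunks. A one-line comment above the declaration should state the preconditions, e.g. `/* Start TLS on conn. Requires ld->ld_defconn and conn->lconn_server->lud_host to be set; returns an LDAP_* result code. */`, so callers such as open.c and ldap_start_tls_s know what must be established first.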
diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c
index b968778653..0b1c10e700 100644
--- a/libraries/libldap/open.c
+++ b/libraries/libldap/open.c
@@ -331,14 +331,10 @@ ldap_int_open_connection(
 if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD || strcmp( srv->lud_scheme, "ldaps" ) == 0 ) {
- LDAPConn *savedefconn = ld->ld_defconn;
 ++conn->lconn_refcnt; /* avoid premature free */
- ld->ld_defconn = conn;
- rc = ldap_pvt_tls_start( ld, conn->lconn_sb,
- conn->lconn_tls_ctx );
+ rc = ldap_int_tls_start( ld, conn );
- ld->ld_defconn = savedefconn;
 --conn->lconn_refcnt;
 if (rc != LDAP_SUCCESS) {
diff --git a/libraries/libldap/options.c b/libraries/libldap/options.c
index 3360fa3ab4..7d099089cb 100644
--- a/libraries/libldap/options.c
+++ b/libraries/libldap/options.c
@@ -585,7 +585,7 @@ ldap_set_option(
 default:
 #ifdef HAVE_TLS
- if ( ldap_pvt_tls_set_option( lo, option, (void *)invalue ) == 0 )
+ if ( ldap_pvt_tls_set_option( ld, option, (void *)invalue ) == 0 )
 return LDAP_OPT_SUCCESS;
 #endif
 #ifdef HAVE_CYRUS_SASL
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 82d40ac70a..6053ef85cb 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -553,16 +553,19 @@ BIO_METHOD ldap_pvt_sb_bio_method =
 * and call again. */
-int
-ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg )
+static int
+ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 {
+ Sockbuf *sb = conn->lconn_sb;
+ void *ctx = ld->ld_defconn->lconn_tls_ctx;
+
 int err;
 SSL *ssl;
 if ( HAS_TLS( sb ) ) {
 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
 } else {
- ssl = alloc_handle( ctx_arg );
+ ssl = alloc_handle( ctx );
 if ( ssl == NULL ) return -1;
 #ifdef LDAP_DEBUG
@@ -652,7 +655,7 @@ ldap_pvt_tls_inplace ( Sockbuf *sb )
 }
 void *
-ldap_pvt_tls_sb_handle( Sockbuf *sb )
+ldap_pvt_tls_sb_ctx( Sockbuf *sb )
 {
 void *p;
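Review bot: The removed `ld->ld_defconn = conn` assignment was what guaranteed `ld->ld_defconn` pointed at a live connection during TLS setup, yet the new callee `ldap_int_tls_start` (and the `ldap_int_tls_connect` it calls, both in the tls.c hunks of this patch) now dereference `ld->ld_defconn->lconn_tls_ctx` unconditionally. If `ldap_int_open_connection` can run before the first default connection is recorded, which the old save/restore dance suggests, that is a NULL dereference on the very first ldaps:// connect. It also means a chased referral is now secured with the default connection's context rather than `conn->lconn_tls_ctx`, which this hunk used to pass; if that is the intent, the now-unused per-connection field deserves a comment saying so. A guard in the callee such as `if ( ld->ld_defconn == NULL ) return LDAP_LOCAL_ERROR;` before `ctx` is read, or a fallback to `conn->lconn_tls_ctx` when there is no default connection, would make this fail closed; the same `ld->ld_defconn` is also passed from `ldap_start_tls_s` in the last tls.c hunk.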
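Review bot: Passing `ld` instead of `lo` changes what `ldap_pvt_tls_set_option` receives when a caller sets a global option with `ldap_set_option( NULL, ... )`: `lo` presumably already resolved to the global option block, whereas `ld` is NULL in that case. Unless `ldap_pvt_tls_set_option` itself falls back to the global options on a NULL `ld` (its body is outside this patch), global TLS settings such as CA certificate paths would now be dropped or dereference NULL, which silently weakens every later connection. This is worth pinning with a test that sets a TLS option through a NULL handle and reads it back via `ldap_pvt_tls_get_option`.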
@@ -664,12 +667,6 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb )
 return NULL;
 }
-void *
-ldap_pvt_tls_get_handle( LDAP *ld )
-{
- return ldap_pvt_tls_sb_handle( ld->ld_sb );
-}
-
 int
 ldap_pvt_tls_get_strength( void *s )
 {
@@ -952,9 +949,12 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 }
 int
-ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
+ldap_int_tls_start ( LDAP *ld, LDAPConn *conn )
 {
- char *ld_host = ld->ld_conns->lconn_server->lud_host;
+ Sockbuf *sb = conn->lconn_sb;
+ char *host = conn->lconn_server->lud_host;
+ void *ctx = ld->ld_defconn->lconn_tls_ctx;
+
 char *peer_cert_cn;
 void *ssl;
@@ -963,11 +963,11 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 /*
 * Fortunately, the lib uses blocking io... */
- if ( ldap_pvt_tls_connect( ld, sb, ctx_arg ) < 0 ) {
+ if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
 return LDAP_CONNECT_ERROR;
 }
- ssl = (void *) ldap_pvt_tls_sb_handle( sb );
+ ssl = (void *) ldap_pvt_tls_sb_ctx( sb );
 assert( ssl != NULL );
 /*
@@ -983,10 +983,10 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 return LDAP_LOCAL_ERROR;
 }
- if ( strcasecmp( ld_host, peer_cert_cn ) != 0 ) {
+ if ( strcasecmp( host, peer_cert_cn ) != 0 ) {
 Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " "common name in certificate (%s).\n",
- ld_host, peer_cert_cn, 0 );
+ host, peer_cert_cn, 0 );
 LDAP_FREE( peer_cert_cn );
 return LDAP_CONNECT_ERROR;
 }
@@ -1181,8 +1181,9 @@ ldap_start_tls_s ( LDAP *ld,
 LDAPControl **serverctrls,
 LDAPControl **clientctrls )
 {
-#ifdef HAVE_TLS
 int rc;
+
+#ifdef HAVE_TLS
 char *rspoid = NULL;
 struct berval *rspdata = NULL;
@@ -1206,12 +1207,10 @@ ldap_start_tls_s ( LDAP *ld,
 ber_bvfree( rspdata );
 }
- rc = ldap_pvt_tls_start( ld, ld->ld_sb,
- ld->ld_defconn->lconn_tls_ctx );
-
- return rc;
+ rc = ldap_int_tls_start( ld, ld->ld_defconn );
 #else
- return LDAP_NOT_SUPPORTED;
+ rc = LDAP_NOT_SUPPORTED;
 #endif
+ return rc;
 }
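Review bot: `host` is taken from `conn->lconn_server->lud_host` and later handed straight to `strcasecmp( host, peer_cert_cn )` in the -983 hunk; an LDAP URL with no host part can leave `lud_host` NULL, and `strcasecmp` on NULL is undefined behaviour that typically crashes rather than rejecting the peer. The check should fail closed, `if ( host == NULL || strcasecmp( host, peer_cert_cn ) != 0 ) {`, with the `Debug` call given a placeholder string so it does not print a NULL either. The old code had the same gap through `ld_host`, but this patch exists to let referral URLs, which come from the server, drive this path, so this is the moment to close it. `ldap_int_tls_start`'s body continues outside these hunks.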
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 4877451fe5..439c6fdd1c 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1064,7 +1064,7 @@ int connection_read(ber_socket_t s)
 c->c_needs_tls_accept = 0;
 /* we need to let SASL know */
- ssl = (void *)ldap_pvt_tls_sb_handle( c->c_sb );
+ ssl = (void *)ldap_pvt_tls_sb_ctx( c->c_sb );
 c->c_tls_ssf = (slap_ssf_t) ldap_pvt_tls_get_strength( ssl );
 if( c->c_tls_ssf > c->c_ssf ) {
-- 
2.39.5
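Review bot: `ssl` is fed to `ldap_pvt_tls_get_strength` to compute `c->c_tls_ssf` without checking that `ldap_pvt_tls_sb_ctx` returned a handle; the tls.c hunk for that function shows a `return NULL;` path, and what `ldap_pvt_tls_get_strength` does with NULL is outside this patch. If it yields 0 the connection is simply treated as cleartext, which is acceptable, but if it dereferences the handle slapd crashes on a connection whose TLS accept did not install a session. A guard such as `if ( ssl == NULL ) { c->c_tls_ssf = 0; } else { c->c_tls_ssf = (slap_ssf_t) ldap_pvt_tls_get_strength( ssl ); }` makes the cleartext outcome explicit and gives a place to log the anomaly. Note also that the call to `ldap_pvt_tls_sb_ctx` does not match the `ldap_pvt_tls_get_ctx` prototype this patch adds to include/ldap_pvt.h.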