int ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { Sockbuf *sb; char *host; void *ssl; if ( !conn ) return LDAP_PARAM_ERROR; sb = conn->lconn_sb; if( srv ) { host = srv->lud_host; } else { host = conn->lconn_server->lud_host; } /* avoid NULL host */ if( host == NULL ) { host = "localhost"; } (void) tls_init( tls_imp ); /* * Fortunately, the lib uses blocking io... */ if ( ldap_int_tls_connect( ld, conn ) < 0 ) { ld->ld_errno = LDAP_CONNECT_ERROR; return (ld->ld_errno); } ssl = ldap_pvt_tls_sb_ctx( sb ); assert( ssl != NULL ); /* * compare host with name(s) in certificate */ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); if (ld->ld_errno != LDAP_SUCCESS) { return ld->ld_errno; } } return LDAP_SUCCESS; }
int ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { Sockbuf *sb; char *host; void *ssl; int ret; #ifdef LDAP_USE_NON_BLOCKING_TLS struct timeval start_time_tv, tv, tv0; ber_socket_t sd = AC_SOCKET_ERROR; #endif /* LDAP_USE_NON_BLOCKING_TLS */ if ( !conn ) return LDAP_PARAM_ERROR; sb = conn->lconn_sb; if( srv ) { host = srv->lud_host; } else { host = conn->lconn_server->lud_host; } /* avoid NULL host */ if( host == NULL ) { host = "localhost"; } (void) tls_init( tls_imp ); #ifdef LDAP_USE_NON_BLOCKING_TLS /* * Use non-blocking io during SSL Handshake when a timeout is configured */ if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb ); ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd ); tv = ld->ld_options.ldo_tm_net; tv0 = tv; #ifdef HAVE_GETTIMEOFDAY gettimeofday( &start_time_tv, NULL ); #else /* ! HAVE_GETTIMEOFDAY */ time( &start_time_tv.tv_sec ); start_time_tv.tv_usec = 0; #endif /* ! HAVE_GETTIMEOFDAY */ } #endif /* LDAP_USE_NON_BLOCKING_TLS */ ld->ld_errno = LDAP_SUCCESS; ret = ldap_int_tls_connect( ld, conn ); #ifdef LDAP_USE_NON_BLOCKING_TLS while ( ret > 0 ) { /* this should only happen for non-blocking io */ int wr=0; if ( sb->sb_trans_needs_read ) { wr=0; } else if ( sb->sb_trans_needs_write ) { wr=1; } Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n", wr ? "write": "read", 0, 0); ret = ldap_int_poll( ld, sd, &tv, wr); if ( ret < 0 ) { ld->ld_errno = LDAP_TIMEOUT; break; } else { /* ldap_int_poll called ldap_pvt_ndelay_off */ ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb ); ret = ldap_int_tls_connect( ld, conn ); if ( ret > 0 ) { /* need to call tls_connect once more */ struct timeval curr_time_tv, delta_tv; /* This is mostly copied from result.c:wait4msg(), should * probably be moved into a separate function */ #ifdef HAVE_GETTIMEOFDAY gettimeofday( &curr_time_tv, NULL ); #else /* ! HAVE_GETTIMEOFDAY */ time( &curr_time_tv.tv_sec ); curr_time_tv.tv_usec = 0; #endif /* ! HAVE_GETTIMEOFDAY */ /* delta = curr - start */ delta_tv.tv_sec = curr_time_tv.tv_sec - start_time_tv.tv_sec; delta_tv.tv_usec = curr_time_tv.tv_usec - start_time_tv.tv_usec; if ( delta_tv.tv_usec < 0 ) { delta_tv.tv_sec--; delta_tv.tv_usec += 1000000; } /* tv0 < delta ? */ if ( ( tv0.tv_sec < delta_tv.tv_sec ) || ( ( tv0.tv_sec == delta_tv.tv_sec ) && ( tv0.tv_usec < delta_tv.tv_usec ) ) ) { ret = -1; ld->ld_errno = LDAP_TIMEOUT; break; } else { /* timeout -= delta_time */ tv0.tv_sec -= delta_tv.tv_sec; tv0.tv_usec -= delta_tv.tv_usec; if ( tv0.tv_usec < 0 ) { tv0.tv_sec--; tv0.tv_usec += 1000000; } start_time_tv.tv_sec = curr_time_tv.tv_sec; start_time_tv.tv_usec = curr_time_tv.tv_usec; } tv = tv0; Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n", (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec ); } } } if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, NULL ); } #endif /* LDAP_USE_NON_BLOCKING_TLS */ if ( ret < 0 ) { if ( ld->ld_errno == LDAP_SUCCESS ) ld->ld_errno = LDAP_CONNECT_ERROR; return (ld->ld_errno); } ssl = ldap_pvt_tls_sb_ctx( sb ); assert( ssl != NULL ); /* * compare host with name(s) in certificate */ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); if (ld->ld_errno != LDAP_SUCCESS) { return ld->ld_errno; } } return LDAP_SUCCESS; }
int ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) { struct ldapoptions *lo; if( option == LDAP_OPT_X_TLS_PACKAGE ) { *(char **)arg = LDAP_STRDUP( tls_imp->ti_name ); return 0; } if( ld != NULL ) { assert( LDAP_VALID( ld ) ); if( !LDAP_VALID( ld ) ) { return LDAP_OPT_ERROR; } lo = &ld->ld_options; } else { /* Get pointer to global option structure */ lo = LDAP_INT_GLOBAL_OPT(); if ( lo == NULL ) { return LDAP_NO_MEMORY; } } switch( option ) { case LDAP_OPT_X_TLS: *(int *)arg = lo->ldo_tls_mode; break; case LDAP_OPT_X_TLS_CTX: *(void **)arg = lo->ldo_tls_ctx; if ( lo->ldo_tls_ctx ) { tls_ctx_ref( lo->ldo_tls_ctx ); } break; case LDAP_OPT_X_TLS_CACERTFILE: *(char **)arg = lo->ldo_tls_cacertfile ? LDAP_STRDUP( lo->ldo_tls_cacertfile ) : NULL; break; case LDAP_OPT_X_TLS_CACERTDIR: *(char **)arg = lo->ldo_tls_cacertdir ? LDAP_STRDUP( lo->ldo_tls_cacertdir ) : NULL; break; case LDAP_OPT_X_TLS_CERTFILE: *(char **)arg = lo->ldo_tls_certfile ? LDAP_STRDUP( lo->ldo_tls_certfile ) : NULL; break; case LDAP_OPT_X_TLS_KEYFILE: *(char **)arg = lo->ldo_tls_keyfile ? LDAP_STRDUP( lo->ldo_tls_keyfile ) : NULL; break; case LDAP_OPT_X_TLS_DHFILE: *(char **)arg = lo->ldo_tls_dhfile ? LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; break; case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ *(char **)arg = lo->ldo_tls_crlfile ? LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; break; case LDAP_OPT_X_TLS_REQUIRE_CERT: *(int *)arg = lo->ldo_tls_require_cert; break; #ifdef HAVE_OPENSSL_CRL case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ *(int *)arg = lo->ldo_tls_crlcheck; break; #endif case LDAP_OPT_X_TLS_CIPHER_SUITE: *(char **)arg = lo->ldo_tls_ciphersuite ? LDAP_STRDUP( lo->ldo_tls_ciphersuite ) : NULL; break; case LDAP_OPT_X_TLS_PROTOCOL_MIN: *(int *)arg = lo->ldo_tls_protocol_min; break; case LDAP_OPT_X_TLS_RANDOM_FILE: *(char **)arg = lo->ldo_tls_randfile ? LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL; break; case LDAP_OPT_X_TLS_SSL_CTX: { void *retval = 0; if ( ld != NULL ) { LDAPConn *conn = ld->ld_defconn; if ( conn != NULL ) { Sockbuf *sb = conn->lconn_sb; retval = ldap_pvt_tls_sb_ctx( sb ); } } *(void **)arg = retval; break; } case LDAP_OPT_X_TLS_CONNECT_CB: *(LDAP_TLS_CONNECT_CB **)arg = lo->ldo_tls_connect_cb; break; case LDAP_OPT_X_TLS_CONNECT_ARG: *(void **)arg = lo->ldo_tls_connect_arg; break; default: return -1; } return 0; }
int ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) { Sockbuf *sb; char *host; void *ssl; if ( !conn ) return LDAP_PARAM_ERROR; sb = conn->lconn_sb; if( srv ) { host = srv->lud_host; } else { host = conn->lconn_server->lud_host; } /* avoid NULL host */ if( host == NULL ) { host = "localhost"; } (void) tls_init( tls_imp ); #if defined(__APPLE__) && !defined(HAVE_SECURE_TRANSPORT) /* Get the host's certificate from the keychain if possible, and stash * it in the options for use once the SSL context is created. */ tls_get_cert_from_keychain( host ); #endif /* * Fortunately, the lib uses blocking io... */ if ( ldap_int_tls_connect( ld, conn ) < 0 ) { ld->ld_errno = LDAP_CONNECT_ERROR; return (ld->ld_errno); } ssl = ldap_pvt_tls_sb_ctx( sb ); assert( ssl != NULL ); /* * compare host with name(s) in certificate */ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); if (ld->ld_errno != LDAP_SUCCESS) { #ifdef __APPLE__ /* If the hostname is really an IP address, do the reverse * lookup and see if that matches the cert. */ char *hostname = ldap_host_connected_to( sb, host ); if (hostname) { Debug( LDAP_DEBUG_ANY, "TLS reverse lookup of '%s' is '%s', checking if that matches the certificate common name\n", host, hostname, 0); ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, hostname ); free(hostname); hostname = NULL; } #endif return ld->ld_errno; } } return LDAP_SUCCESS; }