int
ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
{
Sockbuf *sb;
char *host;
void *ssl;
if ( !conn )
return LDAP_PARAM_ERROR;
sb = conn->lconn_sb;
if( srv ) {
host = srv->lud_host;
} else {
host = conn->lconn_server->lud_host;
}
/* avoid NULL host */
if( host == NULL ) {
host = "localhost";
}
(void) tls_init( tls_imp );
/*
* Fortunately, the lib uses blocking io...
*/
if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
ld->ld_errno = LDAP_CONNECT_ERROR;
return (ld->ld_errno);
}
ssl = ldap_pvt_tls_sb_ctx( sb );
assert( ssl != NULL );
/*
* compare host with name(s) in certificate
*/
if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
if (ld->ld_errno != LDAP_SUCCESS) {
return ld->ld_errno;
}
}
return LDAP_SUCCESS;
}
int
ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
{
Sockbuf *sb;
char *host;
void *ssl;
int ret;
#ifdef LDAP_USE_NON_BLOCKING_TLS
struct timeval start_time_tv, tv, tv0;
ber_socket_t sd = AC_SOCKET_ERROR;
#endif /* LDAP_USE_NON_BLOCKING_TLS */
if ( !conn )
return LDAP_PARAM_ERROR;
sb = conn->lconn_sb;
if( srv ) {
host = srv->lud_host;
} else {
host = conn->lconn_server->lud_host;
}
/* avoid NULL host */
if( host == NULL ) {
host = "localhost";
}
(void) tls_init( tls_imp );
#ifdef LDAP_USE_NON_BLOCKING_TLS
/*
* Use non-blocking io during SSL Handshake when a timeout is configured
*/
if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );
tv = ld->ld_options.ldo_tm_net;
tv0 = tv;
#ifdef HAVE_GETTIMEOFDAY
gettimeofday( &start_time_tv, NULL );
#else /* ! HAVE_GETTIMEOFDAY */
time( &start_time_tv.tv_sec );
start_time_tv.tv_usec = 0;
#endif /* ! HAVE_GETTIMEOFDAY */
}
#endif /* LDAP_USE_NON_BLOCKING_TLS */
ld->ld_errno = LDAP_SUCCESS;
ret = ldap_int_tls_connect( ld, conn );
#ifdef LDAP_USE_NON_BLOCKING_TLS
while ( ret > 0 ) { /* this should only happen for non-blocking io */
int wr=0;
if ( sb->sb_trans_needs_read ) {
wr=0;
} else if ( sb->sb_trans_needs_write ) {
wr=1;
}
Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n",
wr ? "write": "read", 0, 0);
ret = ldap_int_poll( ld, sd, &tv, wr);
if ( ret < 0 ) {
ld->ld_errno = LDAP_TIMEOUT;
break;
} else {
/* ldap_int_poll called ldap_pvt_ndelay_off */
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
ret = ldap_int_tls_connect( ld, conn );
if ( ret > 0 ) { /* need to call tls_connect once more */
struct timeval curr_time_tv, delta_tv;
/* This is mostly copied from result.c:wait4msg(), should
* probably be moved into a separate function */
#ifdef HAVE_GETTIMEOFDAY
gettimeofday( &curr_time_tv, NULL );
#else /* ! HAVE_GETTIMEOFDAY */
time( &curr_time_tv.tv_sec );
curr_time_tv.tv_usec = 0;
#endif /* ! HAVE_GETTIMEOFDAY */
/* delta = curr - start */
delta_tv.tv_sec = curr_time_tv.tv_sec - start_time_tv.tv_sec;
delta_tv.tv_usec = curr_time_tv.tv_usec - start_time_tv.tv_usec;
if ( delta_tv.tv_usec < 0 ) {
delta_tv.tv_sec--;
delta_tv.tv_usec += 1000000;
}
/* tv0 < delta ? */
if ( ( tv0.tv_sec < delta_tv.tv_sec ) ||
( ( tv0.tv_sec == delta_tv.tv_sec ) &&
( tv0.tv_usec < delta_tv.tv_usec ) ) )
{
ret = -1;
ld->ld_errno = LDAP_TIMEOUT;
break;
} else {
/* timeout -= delta_time */
tv0.tv_sec -= delta_tv.tv_sec;
tv0.tv_usec -= delta_tv.tv_usec;
if ( tv0.tv_usec < 0 ) {
tv0.tv_sec--;
tv0.tv_usec += 1000000;
}
start_time_tv.tv_sec = curr_time_tv.tv_sec;
start_time_tv.tv_usec = curr_time_tv.tv_usec;
}
tv = tv0;
Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n",
(void *)ld, (long) tv.tv_sec, (long) tv.tv_usec );
}
}
}
if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, NULL );
}
#endif /* LDAP_USE_NON_BLOCKING_TLS */
if ( ret < 0 ) {
if ( ld->ld_errno == LDAP_SUCCESS )
ld->ld_errno = LDAP_CONNECT_ERROR;
return (ld->ld_errno);
}
ssl = ldap_pvt_tls_sb_ctx( sb );
assert( ssl != NULL );
/*
* compare host with name(s) in certificate
*/
if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
if (ld->ld_errno != LDAP_SUCCESS) {
return ld->ld_errno;
}
}
return LDAP_SUCCESS;
}
int
ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
{
struct ldapoptions *lo;
if( option == LDAP_OPT_X_TLS_PACKAGE ) {
*(char **)arg = LDAP_STRDUP( tls_imp->ti_name );
return 0;
}
if( ld != NULL ) {
assert( LDAP_VALID( ld ) );
if( !LDAP_VALID( ld ) ) {
return LDAP_OPT_ERROR;
}
lo = &ld->ld_options;
} else {
/* Get pointer to global option structure */
lo = LDAP_INT_GLOBAL_OPT();
if ( lo == NULL ) {
return LDAP_NO_MEMORY;
}
}
switch( option ) {
case LDAP_OPT_X_TLS:
*(int *)arg = lo->ldo_tls_mode;
break;
case LDAP_OPT_X_TLS_CTX:
*(void **)arg = lo->ldo_tls_ctx;
if ( lo->ldo_tls_ctx ) {
tls_ctx_ref( lo->ldo_tls_ctx );
}
break;
case LDAP_OPT_X_TLS_CACERTFILE:
*(char **)arg = lo->ldo_tls_cacertfile ?
LDAP_STRDUP( lo->ldo_tls_cacertfile ) : NULL;
break;
case LDAP_OPT_X_TLS_CACERTDIR:
*(char **)arg = lo->ldo_tls_cacertdir ?
LDAP_STRDUP( lo->ldo_tls_cacertdir ) : NULL;
break;
case LDAP_OPT_X_TLS_CERTFILE:
*(char **)arg = lo->ldo_tls_certfile ?
LDAP_STRDUP( lo->ldo_tls_certfile ) : NULL;
break;
case LDAP_OPT_X_TLS_KEYFILE:
*(char **)arg = lo->ldo_tls_keyfile ?
LDAP_STRDUP( lo->ldo_tls_keyfile ) : NULL;
break;
case LDAP_OPT_X_TLS_DHFILE:
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
break;
case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = lo->ldo_tls_require_cert;
break;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck;
break;
#endif
case LDAP_OPT_X_TLS_CIPHER_SUITE:
*(char **)arg = lo->ldo_tls_ciphersuite ?
LDAP_STRDUP( lo->ldo_tls_ciphersuite ) : NULL;
break;
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
*(int *)arg = lo->ldo_tls_protocol_min;
break;
case LDAP_OPT_X_TLS_RANDOM_FILE:
*(char **)arg = lo->ldo_tls_randfile ?
LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL;
break;
case LDAP_OPT_X_TLS_SSL_CTX: {
void *retval = 0;
if ( ld != NULL ) {
LDAPConn *conn = ld->ld_defconn;
if ( conn != NULL ) {
Sockbuf *sb = conn->lconn_sb;
retval = ldap_pvt_tls_sb_ctx( sb );
}
}
*(void **)arg = retval;
break;
}
case LDAP_OPT_X_TLS_CONNECT_CB:
*(LDAP_TLS_CONNECT_CB **)arg = lo->ldo_tls_connect_cb;
break;
case LDAP_OPT_X_TLS_CONNECT_ARG:
*(void **)arg = lo->ldo_tls_connect_arg;
break;
default:
return -1;
}
return 0;
}
int
ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
{
Sockbuf *sb;
char *host;
void *ssl;
if ( !conn )
return LDAP_PARAM_ERROR;
sb = conn->lconn_sb;
if( srv ) {
host = srv->lud_host;
} else {
host = conn->lconn_server->lud_host;
}
/* avoid NULL host */
if( host == NULL ) {
host = "localhost";
}
(void) tls_init( tls_imp );
#if defined(__APPLE__) && !defined(HAVE_SECURE_TRANSPORT)
/* Get the host's certificate from the keychain if possible, and stash
* it in the options for use once the SSL context is created.
*/
tls_get_cert_from_keychain( host );
#endif
/*
* Fortunately, the lib uses blocking io...
*/
if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
ld->ld_errno = LDAP_CONNECT_ERROR;
return (ld->ld_errno);
}
ssl = ldap_pvt_tls_sb_ctx( sb );
assert( ssl != NULL );
/*
* compare host with name(s) in certificate
*/
if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
if (ld->ld_errno != LDAP_SUCCESS) {
#ifdef __APPLE__
/* If the hostname is really an IP address, do the reverse
* lookup and see if that matches the cert.
*/
char *hostname = ldap_host_connected_to( sb, host );
if (hostname) {
Debug( LDAP_DEBUG_ANY,
"TLS reverse lookup of '%s' is '%s', checking if that matches the certificate common name\n",
host, hostname, 0);
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, hostname );
free(hostname);
hostname = NULL;
}
#endif
return ld->ld_errno;
}
}
return LDAP_SUCCESS;
}
