/* sets needed mutexes - no mutexes set to this point */ ber_int_t ldap_send_initial_request( LDAP *ld, ber_tag_t msgtype, const char *dn, BerElement *ber, ber_int_t msgid) { int rc = 1; ber_socket_t sd = AC_SOCKET_INVALID; Debug( LDAP_DEBUG_TRACE, "ldap_send_initial_request\n", 0, 0, 0 ); LDAP_MUTEX_LOCK( &ld->ld_conn_mutex ); if ( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd ) == -1 ) { /* not connected yet */ rc = ldap_open_defconn( ld ); } if ( ld->ld_defconn && ld->ld_defconn->lconn_status == LDAP_CONNST_CONNECTING ) rc = ldap_int_check_async_open( ld, sd ); if( rc < 0 ) { ber_free( ber, 1 ); LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex ); return( -1 ); } else if ( rc == 0 ) { Debug( LDAP_DEBUG_TRACE, "ldap_open_defconn: successful\n", 0, 0, 0 ); } #ifdef LDAP_CONNECTIONLESS if (LDAP_IS_UDP(ld)) { if (msgtype == LDAP_REQ_BIND) { LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex ); if (ld->ld_options.ldo_cldapdn) ldap_memfree(ld->ld_options.ldo_cldapdn); ld->ld_options.ldo_cldapdn = ldap_strdup(dn); ber_free( ber, 1 ); LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex ); LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex ); return 0; } if (msgtype != LDAP_REQ_ABANDON && msgtype != LDAP_REQ_SEARCH) { ber_free( ber, 1 ); LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex ); return LDAP_PARAM_ERROR; } } #endif LDAP_MUTEX_LOCK( &ld->ld_req_mutex ); rc = ldap_send_server_request( ld, ber, msgid, NULL, NULL, NULL, NULL, 0, 0 ); LDAP_MUTEX_UNLOCK( &ld->ld_req_mutex ); LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex ); return(rc); }
ber_int_t ldap_send_initial_request( LDAP *ld, ber_tag_t msgtype, const char *dn, BerElement *ber, ber_int_t msgid) { int rc = 1; Debug( LDAP_DEBUG_TRACE, "ldap_send_initial_request\n", 0, 0, 0 ); #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex ); #endif if ( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, NULL ) == -1 ) { /* not connected yet */ rc = ldap_open_defconn( ld ); } #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex ); #endif if( rc < 0 ) { ber_free( ber, 1 ); return( -1 ); } else if ( rc == 0 ) { Debug( LDAP_DEBUG_TRACE, "ldap_open_defconn: successful\n", 0, 0, 0 ); } #ifdef LDAP_CONNECTIONLESS if (LDAP_IS_UDP(ld)) { if (msgtype == LDAP_REQ_BIND) { if (ld->ld_options.ldo_cldapdn) ldap_memfree(ld->ld_options.ldo_cldapdn); ld->ld_options.ldo_cldapdn = ldap_strdup(dn); return 0; } if (msgtype != LDAP_REQ_ABANDON && msgtype != LDAP_REQ_SEARCH) return LDAP_PARAM_ERROR; } #endif #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex ); #endif rc = ldap_send_server_request( ld, ber, msgid, NULL, NULL, NULL, NULL ); #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex ); #endif return(rc); }
int OPENLDAP::BookFormInfo (Ekiga::Form &result, struct BookInfo &bookinfo, std::string &errmsg) { LDAPURLDesc *url_base = NULL, *url_host = NULL; char *url_str; std::string name = result.text ("name"); std::string uri = result.text ("uri"); std::string nameAttr = result.text ("nameAttr"); std::string callAttr = result.text ("callAttr"); std::string filter = result.text ("filter"); errmsg = ""; if (name.empty()) errmsg += _("Please provide a Book Name for this directory\n"); if (uri.empty()) errmsg += _("Please provide a Server URI\n"); if (nameAttr.empty()) errmsg += _("Please provide a DisplayName attribute\n"); if (callAttr.empty()) errmsg += _("Please provide a Call attribute\n"); if (ldap_url_parse (uri.c_str(), &url_host)) errmsg += _("Invalid Server URI\n"); if (!errmsg.empty()) { return -1; } if (filter.empty()) filter = "(cn=$)"; bookinfo.name = name; std::string base = result.text ("base"); std::string new_bits = "ldap:///?" + result.text ("nameAttr") + "," + result.text ("callAttr") + "?" + result.single_choice ("scope") + "?" + result.text ("filter"); bookinfo.authcID = result.text ("authcID"); bookinfo.password = result.text ("password"); bookinfo.starttls = result.boolean ("startTLS"); bookinfo.sasl = result.boolean ("sasl"); bookinfo.saslMech = result.single_choice ("saslMech"); if (bookinfo.sasl || bookinfo.starttls) { new_bits += "?"; if (bookinfo.starttls) new_bits += "StartTLS"; if (bookinfo.sasl) { if (bookinfo.starttls) new_bits += ","; new_bits += "SASL"; if (!bookinfo.saslMech.empty()) new_bits += "=" + bookinfo.saslMech; } } if (ldap_url_parse (new_bits.c_str(), &url_base)) errmsg += _("Invalid Server URI\n"); if (!errmsg.empty()) { return -1; } url_host->lud_dn = ldap_strdup (base.c_str()); url_host->lud_attrs = url_base->lud_attrs; url_host->lud_scope = url_base->lud_scope; url_host->lud_filter = url_base->lud_filter; if (!url_host->lud_exts) { url_host->lud_exts = url_base->lud_exts; url_base->lud_exts = NULL; } url_base->lud_attrs = NULL; url_base->lud_filter = NULL; ldap_free_urldesc (url_base); bookinfo.urld = boost::shared_ptr<LDAPURLDesc> (url_host, ldap_url_desc_deleter ()); url_str = ldap_url_desc2str (url_host); bookinfo.uri = std::string(url_str); ldap_memfree (url_str); { size_t pos; pos = bookinfo.uri.find ('/', strlen(url_host->lud_scheme) + 3); if (pos != std::string::npos) bookinfo.uri_host = bookinfo.uri.substr (0,pos); else bookinfo.uri_host = bookinfo.uri; } return 0; }
static int tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) { tlsg_session *s = (tlsg_session *)session; int i, ret; const gnutls_datum_t *peer_cert_list; unsigned int list_size; char altname[NI_MAXHOST]; size_t altnamesize; gnutls_x509_crt_t cert; const char *name; char *ptr; char *domain = NULL; #ifdef LDAP_PF_INET6 struct in6_addr addr; #else struct in_addr addr; #endif int len1 = 0, len2 = 0; int ntype = IS_DNS; if( ldap_int_hostname && ( !name_in || !strcasecmp( name_in, "localhost" ) ) ) { name = ldap_int_hostname; } else { name = name_in; } peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size ); if ( !peer_cert_list ) { Debug( LDAP_DEBUG_ANY, "TLS: unable to get peer certificate.\n", 0, 0, 0 ); /* If this was a fatal condition, things would have * aborted long before now. */ return LDAP_SUCCESS; } ret = gnutls_x509_crt_init( &cert ); if ( ret < 0 ) return LDAP_LOCAL_ERROR; ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER ); if ( ret ) { gnutls_x509_crt_deinit( cert ); return LDAP_LOCAL_ERROR; } #ifdef LDAP_PF_INET6 if (name[0] == '[' && strchr(name, ']')) { char *n2 = ldap_strdup(name+1); *strchr(n2, ']') = 0; if (inet_pton(AF_INET6, n2, &addr)) ntype = IS_IP6; LDAP_FREE(n2); } else #endif if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) { if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4; } if (ntype == IS_DNS) { len1 = strlen(name); domain = strchr(name, '.'); if (domain) { len2 = len1 - (domain-name); } } for ( i=0, ret=0; ret >= 0; i++ ) { altnamesize = sizeof(altname); ret = gnutls_x509_crt_get_subject_alt_name( cert, i, altname, &altnamesize, NULL ); if ( ret < 0 ) break; /* ignore empty */ if ( altnamesize == 0 ) continue; if ( ret == GNUTLS_SAN_DNSNAME ) { if (ntype != IS_DNS) continue; /* Is this an exact match? */ if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) { break; } /* Is this a wildcard match? */ if (domain && (altname[0] == '*') && (altname[1] == '.') && (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) { break; } } else if ( ret == GNUTLS_SAN_IPADDRESS ) { if (ntype == IS_DNS) continue; #ifdef LDAP_PF_INET6 if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) { continue; } else #endif if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) { continue; } if (!memcmp(altname, &addr, altnamesize)) { break; } } } if ( ret >= 0 ) { ret = LDAP_SUCCESS; } else { /* find the last CN */ i=0; do { altnamesize = 0; ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID, i, 1, altname, &altnamesize ); if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER ) i++; else break; } while ( 1 ); if ( i ) { altnamesize = sizeof(altname); ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID, i-1, 0, altname, &altnamesize ); } if ( ret < 0 ) { Debug( LDAP_DEBUG_ANY, "TLS: unable to get common name from peer certificate.\n", 0, 0, 0 ); ret = LDAP_CONNECT_ERROR; if ( ld->ld_error ) { LDAP_FREE( ld->ld_error ); } ld->ld_error = LDAP_STRDUP( _("TLS: unable to get CN from peer certificate")); } else { ret = LDAP_LOCAL_ERROR; if ( !len1 ) len1 = strlen( name ); if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) { ret = LDAP_SUCCESS; } else if (( altname[0] == '*' ) && ( altname[1] == '.' )) { /* Is this a wildcard match? */ if( domain && (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) { ret = LDAP_SUCCESS; } } } if( ret == LDAP_LOCAL_ERROR ) { altname[altnamesize] = '\0'; Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " "common name in certificate (%s).\n", name, altname, 0 ); ret = LDAP_CONNECT_ERROR; if ( ld->ld_error ) { LDAP_FREE( ld->ld_error ); } ld->ld_error = LDAP_STRDUP( _("TLS: hostname does not match CN in peer certificate")); } } gnutls_x509_crt_deinit( cert ); return ret; }
int main( int argc, char *argv[] ) { int rc; LDAP *ld = NULL; char *matcheddn = NULL, *text = NULL, **refs = NULL; int rcode; char * diag = NULL; struct berval *scookie = NULL; struct berval *scred = NULL; int id, code = 0; LDAPMessage *res; LDAPControl **ctrls = NULL; LDAPControl **vcctrls = NULL; int nvcctrls = 0; tool_init( TOOL_VC ); prog = lutil_progname( "ldapvc", argc, argv ); /* LDAPv3 only */ protocol = LDAP_VERSION3; tool_args( argc, argv ); if (argc - optind > 0) { dn = argv[optind++]; } if (argc - optind > 0) { cred.bv_val = strdup(argv[optind++]); cred.bv_len = strlen(cred.bv_val); } if (argc - optind > 0) { usage(); } if (dn #ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE && !vc_sasl_mech #endif && !cred.bv_val) { cred.bv_val = strdup(getpassphrase(_("User's password: "******"ldap_verify_credentials_interactive", rc, NULL, NULL, text, NULL); ldap_memfree(text); tool_exit(ld, rc); } } while (rc == LDAP_SASL_BIND_IN_PROGRESS); lutil_sasl_freedefs(defaults); if( rc != LDAP_SUCCESS ) { ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &text); tool_perror( "ldap_verify_credentials", rc, NULL, NULL, text, NULL ); rc = EXIT_FAILURE; goto skip; } } else #endif #endif { rc = ldap_verify_credentials( ld, NULL, dn, NULL, cred.bv_val ? &cred: NULL, vcctrls, NULL, NULL, &id ); if( rc != LDAP_SUCCESS ) { ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &text); tool_perror( "ldap_verify_credentials", rc, NULL, NULL, text, NULL ); rc = EXIT_FAILURE; goto skip; } for ( ; ; ) { struct timeval tv; if ( tool_check_abandon( ld, id ) ) { tool_exit( ld, LDAP_CANCELLED ); } tv.tv_sec = 0; tv.tv_usec = 100000; rc = ldap_result( ld, LDAP_RES_ANY, LDAP_MSG_ALL, &tv, &res ); if ( rc < 0 ) { tool_perror( "ldap_result", rc, NULL, NULL, NULL, NULL ); tool_exit( ld, rc ); } if ( rc != 0 ) { break; } } } ldap_controls_free(vcctrls); vcctrls = NULL; rc = ldap_parse_result( ld, res, &code, &matcheddn, &text, &refs, &ctrls, 0 ); if (rc == LDAP_SUCCESS) rc = code; if (rc != LDAP_SUCCESS) { tool_perror( "ldap_parse_result", rc, NULL, matcheddn, text, refs ); rc = EXIT_FAILURE; goto skip; } rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, &vcctrls ); ldap_msgfree(res); if (rc != LDAP_SUCCESS) { tool_perror( "ldap_parse_verify_credentials", rc, NULL, NULL, NULL, NULL ); rc = EXIT_FAILURE; goto skip; } if (rcode != LDAP_SUCCESS) { printf(_("Failed: %s (%d)\n"), ldap_err2string(rcode), rcode); } if (diag && *diag) { printf(_("Diagnostic: %s\n"), diag); } if (vcctrls) { tool_print_ctrls( ld, vcctrls ); } skip: if ( verbose || code != LDAP_SUCCESS || ( matcheddn && *matcheddn ) || ( text && *text ) || refs || ctrls ) { printf( _("Result: %s (%d)\n"), ldap_err2string( code ), code ); if( text && *text ) { printf( _("Additional info: %s\n"), text ); } if( matcheddn && *matcheddn ) { printf( _("Matched DN: %s\n"), matcheddn ); } if( refs ) { int i; for( i=0; refs[i]; i++ ) { printf(_("Referral: %s\n"), refs[i] ); } } if (ctrls) { tool_print_ctrls( ld, ctrls ); ldap_controls_free( ctrls ); } } ber_memfree( text ); ber_memfree( matcheddn ); ber_memvfree( (void **) refs ); ber_bvfree( scookie ); ber_bvfree( scred ); ber_memfree( diag ); free( cred.bv_val ); /* disconnect from server */ tool_exit( ld, code == LDAP_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE ); }