/* sets needed mutexes - no mutexes set to this point */
ber_int_t
ldap_send_initial_request(
LDAP *ld,
ber_tag_t msgtype,
const char *dn,
BerElement *ber,
ber_int_t msgid)
{
int rc = 1;
ber_socket_t sd = AC_SOCKET_INVALID;
Debug( LDAP_DEBUG_TRACE, "ldap_send_initial_request\n", 0, 0, 0 );
LDAP_MUTEX_LOCK( &ld->ld_conn_mutex );
if ( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, &sd ) == -1 ) {
/* not connected yet */
rc = ldap_open_defconn( ld );
}
if ( ld->ld_defconn && ld->ld_defconn->lconn_status == LDAP_CONNST_CONNECTING )
rc = ldap_int_check_async_open( ld, sd );
if( rc < 0 ) {
ber_free( ber, 1 );
LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
return( -1 );
} else if ( rc == 0 ) {
Debug( LDAP_DEBUG_TRACE,
"ldap_open_defconn: successful\n",
0, 0, 0 );
}
#ifdef LDAP_CONNECTIONLESS
if (LDAP_IS_UDP(ld)) {
if (msgtype == LDAP_REQ_BIND) {
LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex );
if (ld->ld_options.ldo_cldapdn)
ldap_memfree(ld->ld_options.ldo_cldapdn);
ld->ld_options.ldo_cldapdn = ldap_strdup(dn);
ber_free( ber, 1 );
LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex );
LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
return 0;
}
if (msgtype != LDAP_REQ_ABANDON && msgtype != LDAP_REQ_SEARCH)
{
ber_free( ber, 1 );
LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
return LDAP_PARAM_ERROR;
}
}
#endif
LDAP_MUTEX_LOCK( &ld->ld_req_mutex );
rc = ldap_send_server_request( ld, ber, msgid, NULL,
NULL, NULL, NULL, 0, 0 );
LDAP_MUTEX_UNLOCK( &ld->ld_req_mutex );
LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
return(rc);
}
ber_int_t
ldap_send_initial_request(
LDAP *ld,
ber_tag_t msgtype,
const char *dn,
BerElement *ber,
ber_int_t msgid)
{
int rc = 1;
Debug( LDAP_DEBUG_TRACE, "ldap_send_initial_request\n", 0, 0, 0 );
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
#endif
if ( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, NULL ) == -1 ) {
/* not connected yet */
rc = ldap_open_defconn( ld );
}
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
#endif
if( rc < 0 ) {
ber_free( ber, 1 );
return( -1 );
} else if ( rc == 0 ) {
Debug( LDAP_DEBUG_TRACE,
"ldap_open_defconn: successful\n",
0, 0, 0 );
}
#ifdef LDAP_CONNECTIONLESS
if (LDAP_IS_UDP(ld)) {
if (msgtype == LDAP_REQ_BIND) {
if (ld->ld_options.ldo_cldapdn)
ldap_memfree(ld->ld_options.ldo_cldapdn);
ld->ld_options.ldo_cldapdn = ldap_strdup(dn);
return 0;
}
if (msgtype != LDAP_REQ_ABANDON && msgtype != LDAP_REQ_SEARCH)
return LDAP_PARAM_ERROR;
}
#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex );
#endif
rc = ldap_send_server_request( ld, ber, msgid, NULL,
NULL, NULL, NULL );
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
#endif
return(rc);
}
int
OPENLDAP::BookFormInfo (Ekiga::Form &result,
struct BookInfo &bookinfo,
std::string &errmsg)
{
LDAPURLDesc *url_base = NULL, *url_host = NULL;
char *url_str;
std::string name = result.text ("name");
std::string uri = result.text ("uri");
std::string nameAttr = result.text ("nameAttr");
std::string callAttr = result.text ("callAttr");
std::string filter = result.text ("filter");
errmsg = "";
if (name.empty())
errmsg += _("Please provide a Book Name for this directory\n");
if (uri.empty())
errmsg += _("Please provide a Server URI\n");
if (nameAttr.empty())
errmsg += _("Please provide a DisplayName attribute\n");
if (callAttr.empty())
errmsg += _("Please provide a Call attribute\n");
if (ldap_url_parse (uri.c_str(), &url_host))
errmsg += _("Invalid Server URI\n");
if (!errmsg.empty()) {
return -1;
}
if (filter.empty())
filter = "(cn=$)";
bookinfo.name = name;
std::string base = result.text ("base");
std::string new_bits = "ldap:///?" +
result.text ("nameAttr") + "," +
result.text ("callAttr") + "?" +
result.single_choice ("scope") + "?" +
result.text ("filter");
bookinfo.authcID = result.text ("authcID");
bookinfo.password = result.text ("password");
bookinfo.starttls = result.boolean ("startTLS");
bookinfo.sasl = result.boolean ("sasl");
bookinfo.saslMech = result.single_choice ("saslMech");
if (bookinfo.sasl || bookinfo.starttls) {
new_bits += "?";
if (bookinfo.starttls)
new_bits += "StartTLS";
if (bookinfo.sasl) {
if (bookinfo.starttls)
new_bits += ",";
new_bits += "SASL";
if (!bookinfo.saslMech.empty())
new_bits += "=" + bookinfo.saslMech;
}
}
if (ldap_url_parse (new_bits.c_str(), &url_base))
errmsg += _("Invalid Server URI\n");
if (!errmsg.empty()) {
return -1;
}
url_host->lud_dn = ldap_strdup (base.c_str());
url_host->lud_attrs = url_base->lud_attrs;
url_host->lud_scope = url_base->lud_scope;
url_host->lud_filter = url_base->lud_filter;
if (!url_host->lud_exts) {
url_host->lud_exts = url_base->lud_exts;
url_base->lud_exts = NULL;
}
url_base->lud_attrs = NULL;
url_base->lud_filter = NULL;
ldap_free_urldesc (url_base);
bookinfo.urld = boost::shared_ptr<LDAPURLDesc> (url_host, ldap_url_desc_deleter ());
url_str = ldap_url_desc2str (url_host);
bookinfo.uri = std::string(url_str);
ldap_memfree (url_str);
{
size_t pos;
pos = bookinfo.uri.find ('/', strlen(url_host->lud_scheme) + 3);
if (pos != std::string::npos)
bookinfo.uri_host = bookinfo.uri.substr (0,pos);
else
bookinfo.uri_host = bookinfo.uri;
}
return 0;
}
static int
tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{
tlsg_session *s = (tlsg_session *)session;
int i, ret;
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
char altname[NI_MAXHOST];
size_t altnamesize;
gnutls_x509_crt_t cert;
const char *name;
char *ptr;
char *domain = NULL;
#ifdef LDAP_PF_INET6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
int len1 = 0, len2 = 0;
int ntype = IS_DNS;
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
{
name = ldap_int_hostname;
} else {
name = name_in;
}
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
if ( !peer_cert_list ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get peer certificate.\n",
0, 0, 0 );
/* If this was a fatal condition, things would have
* aborted long before now.
*/
return LDAP_SUCCESS;
}
ret = gnutls_x509_crt_init( &cert );
if ( ret < 0 )
return LDAP_LOCAL_ERROR;
ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
if ( ret ) {
gnutls_x509_crt_deinit( cert );
return LDAP_LOCAL_ERROR;
}
#ifdef LDAP_PF_INET6
if (name[0] == '[' && strchr(name, ']')) {
char *n2 = ldap_strdup(name+1);
*strchr(n2, ']') = 0;
if (inet_pton(AF_INET6, n2, &addr))
ntype = IS_IP6;
LDAP_FREE(n2);
} else
#endif
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
if (ntype == IS_DNS) {
len1 = strlen(name);
domain = strchr(name, '.');
if (domain) {
len2 = len1 - (domain-name);
}
}
for ( i=0, ret=0; ret >= 0; i++ ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
altname, &altnamesize, NULL );
if ( ret < 0 ) break;
/* ignore empty */
if ( altnamesize == 0 ) continue;
if ( ret == GNUTLS_SAN_DNSNAME ) {
if (ntype != IS_DNS) continue;
/* Is this an exact match? */
if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
break;
}
/* Is this a wildcard match? */
if (domain && (altname[0] == '*') && (altname[1] == '.') &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
{
break;
}
} else if ( ret == GNUTLS_SAN_IPADDRESS ) {
if (ntype == IS_DNS) continue;
#ifdef LDAP_PF_INET6
if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
continue;
} else
#endif
if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
continue;
}
if (!memcmp(altname, &addr, altnamesize)) {
break;
}
}
}
if ( ret >= 0 ) {
ret = LDAP_SUCCESS;
} else {
/* find the last CN */
i=0;
do {
altnamesize = 0;
ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
i, 1, altname, &altnamesize );
if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER )
i++;
else
break;
} while ( 1 );
if ( i ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
i-1, 0, altname, &altnamesize );
}
if ( ret < 0 ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
} else {
ret = LDAP_LOCAL_ERROR;
if ( !len1 ) len1 = strlen( name );
if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
ret = LDAP_SUCCESS;
} else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
/* Is this a wildcard match? */
if( domain &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
ret = LDAP_SUCCESS;
}
}
}
if( ret == LDAP_LOCAL_ERROR ) {
altname[altnamesize] = '\0';
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
name, altname, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
}
}
gnutls_x509_crt_deinit( cert );
return ret;
}
int
main( int argc, char *argv[] )
{
int rc;
LDAP *ld = NULL;
char *matcheddn = NULL, *text = NULL, **refs = NULL;
int rcode;
char * diag = NULL;
struct berval *scookie = NULL;
struct berval *scred = NULL;
int id, code = 0;
LDAPMessage *res;
LDAPControl **ctrls = NULL;
LDAPControl **vcctrls = NULL;
int nvcctrls = 0;
tool_init( TOOL_VC );
prog = lutil_progname( "ldapvc", argc, argv );
/* LDAPv3 only */
protocol = LDAP_VERSION3;
tool_args( argc, argv );
if (argc - optind > 0) {
dn = argv[optind++];
}
if (argc - optind > 0) {
cred.bv_val = strdup(argv[optind++]);
cred.bv_len = strlen(cred.bv_val);
}
if (argc - optind > 0) {
usage();
}
if (dn
#ifdef LDAP_API_FEATURE_VERIFY_CREDENTIALS_INTERACTIVE
&& !vc_sasl_mech
#endif
&& !cred.bv_val)
{
cred.bv_val = strdup(getpassphrase(_("User's password: "******"ldap_verify_credentials_interactive", rc, NULL, NULL, text, NULL);
ldap_memfree(text);
tool_exit(ld, rc);
}
} while (rc == LDAP_SASL_BIND_IN_PROGRESS);
lutil_sasl_freedefs(defaults);
if( rc != LDAP_SUCCESS ) {
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &text);
tool_perror( "ldap_verify_credentials", rc, NULL, NULL, text, NULL );
rc = EXIT_FAILURE;
goto skip;
}
} else
#endif
#endif
{
rc = ldap_verify_credentials( ld,
NULL,
dn, NULL, cred.bv_val ? &cred: NULL, vcctrls,
NULL, NULL, &id );
if( rc != LDAP_SUCCESS ) {
ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, (void*) &text);
tool_perror( "ldap_verify_credentials", rc, NULL, NULL, text, NULL );
rc = EXIT_FAILURE;
goto skip;
}
for ( ; ; ) {
struct timeval tv;
if ( tool_check_abandon( ld, id ) ) {
tool_exit( ld, LDAP_CANCELLED );
}
tv.tv_sec = 0;
tv.tv_usec = 100000;
rc = ldap_result( ld, LDAP_RES_ANY, LDAP_MSG_ALL, &tv, &res );
if ( rc < 0 ) {
tool_perror( "ldap_result", rc, NULL, NULL, NULL, NULL );
tool_exit( ld, rc );
}
if ( rc != 0 ) {
break;
}
}
}
ldap_controls_free(vcctrls);
vcctrls = NULL;
rc = ldap_parse_result( ld, res,
&code, &matcheddn, &text, &refs, &ctrls, 0 );
if (rc == LDAP_SUCCESS) rc = code;
if (rc != LDAP_SUCCESS) {
tool_perror( "ldap_parse_result", rc, NULL, matcheddn, text, refs );
rc = EXIT_FAILURE;
goto skip;
}
rc = ldap_parse_verify_credentials( ld, res, &rcode, &diag, &scookie, &scred, &vcctrls );
ldap_msgfree(res);
if (rc != LDAP_SUCCESS) {
tool_perror( "ldap_parse_verify_credentials", rc, NULL, NULL, NULL, NULL );
rc = EXIT_FAILURE;
goto skip;
}
if (rcode != LDAP_SUCCESS) {
printf(_("Failed: %s (%d)\n"), ldap_err2string(rcode), rcode);
}
if (diag && *diag) {
printf(_("Diagnostic: %s\n"), diag);
}
if (vcctrls) {
tool_print_ctrls( ld, vcctrls );
}
skip:
if ( verbose || code != LDAP_SUCCESS ||
( matcheddn && *matcheddn ) || ( text && *text ) || refs || ctrls )
{
printf( _("Result: %s (%d)\n"), ldap_err2string( code ), code );
if( text && *text ) {
printf( _("Additional info: %s\n"), text );
}
if( matcheddn && *matcheddn ) {
printf( _("Matched DN: %s\n"), matcheddn );
}
if( refs ) {
int i;
for( i=0; refs[i]; i++ ) {
printf(_("Referral: %s\n"), refs[i] );
}
}
if (ctrls) {
tool_print_ctrls( ld, ctrls );
ldap_controls_free( ctrls );
}
}
ber_memfree( text );
ber_memfree( matcheddn );
ber_memvfree( (void **) refs );
ber_bvfree( scookie );
ber_bvfree( scred );
ber_memfree( diag );
free( cred.bv_val );
/* disconnect from server */
tool_exit( ld, code == LDAP_SUCCESS ? EXIT_SUCCESS : EXIT_FAILURE );
}
