char * ldap_pvt_get_fqdn( char *name )
{
char *fqdn, *ha_buf;
char hostbuf[MAXHOSTNAMELEN+1];
struct hostent *hp, he_buf;
int rc, local_h_errno;
if( name == NULL ) {
if( gethostname( hostbuf, MAXHOSTNAMELEN ) == 0 ) {
hostbuf[MAXHOSTNAMELEN] = '\0';
name = hostbuf;
} else {
name = "localhost";
}
}
rc = ldap_pvt_gethostbyname_a( name,
&he_buf, &ha_buf, &hp, &local_h_errno );
if( rc < 0 || hp == NULL || hp->h_name == NULL ) {
fqdn = LDAP_STRDUP( name );
} else {
fqdn = LDAP_STRDUP( hp->h_name );
}
LDAP_FREE( ha_buf );
return fqdn;
}
void ldap_int_error_init( void ) {
#ifdef LDAP_NLS
#define LDAP_NLS_SDK_CAT "openldap_sdk"
#define LDAP_NLS_LIBLDAP_SET (0)
int i;
nl_catd catd = catopen( LDAP_NLS_SDK_CAT, NL_CAT_LOCALE );
if( catd == -1 ) {
return;
}
for ( i=0; ldap_errlist[i].e_reason != NULL; i++ ) {
char *msg = catgets( catd,
LDAP_NLS_LIBLDAP_SET,
ldap_errlist[i].e_code, NULL );
if( msg != NULL ) {
msg = LDAP_STRDUP( msg );
if( msg != NULL ) {
ldap_errlist[i].e_reason = msg;
}
}
}
catclose( catd );
#endif
}
/*
* Initialize TLS subsystem. Should be called only once.
*/
static int
tlso_init( void )
{
struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
#ifdef HAVE_EBCDIC
{
char *file = LDAP_STRDUP( lo->ldo_tls_randfile );
if ( file ) __atoe( file );
(void) tlso_seed_PRNG( file );
LDAP_FREE( file );
}
#else
(void) tlso_seed_PRNG( lo->ldo_tls_randfile );
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_digests();
#else
OPENSSL_init_ssl(0, NULL);
#endif
/* FIXME: mod_ssl does this */
X509V3_add_standard_extensions();
return 0;
}
static int
tlso_verify_cb( int ok, X509_STORE_CTX *ctx )
{
X509 *cert;
int errnum;
int errdepth;
X509_NAME *subject;
X509_NAME *issuer;
char *sname;
char *iname;
char *certerr = NULL;
cert = X509_STORE_CTX_get_current_cert( ctx );
errnum = X509_STORE_CTX_get_error( ctx );
errdepth = X509_STORE_CTX_get_error_depth( ctx );
/*
* X509_get_*_name return pointers to the internal copies of
* those things requested. So do not free them.
*/
subject = X509_get_subject_name( cert );
issuer = X509_get_issuer_name( cert );
/* X509_NAME_oneline, if passed a NULL buf, allocate memomry */
sname = X509_NAME_oneline( subject, NULL, 0 );
iname = X509_NAME_oneline( issuer, NULL, 0 );
if ( !ok ) certerr = (char *)X509_verify_cert_error_string( errnum );
#ifdef HAVE_EBCDIC
if ( sname ) __etoa( sname );
if ( iname ) __etoa( iname );
if ( certerr ) {
certerr = LDAP_STRDUP( certerr );
__etoa( certerr );
}
#endif
Debug( LDAP_DEBUG_TRACE,
"TLS certificate verification: depth: %d, err: %d, subject: %s,",
errdepth, errnum,
sname ? sname : "-unknown-" );
Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 );
if ( !ok ) {
Debug( LDAP_DEBUG_ANY,
"TLS certificate verification: Error, %s\n",
certerr, 0, 0 );
}
if ( sname )
CRYPTO_free ( sname );
if ( iname )
CRYPTO_free ( iname );
#ifdef HAVE_EBCDIC
if ( certerr ) LDAP_FREE( certerr );
#endif
return ok;
}
int ldap_domain2dn(
LDAP_CONST char *domain_in,
char **dnp)
{
char *domain, *s, *tok_r, *dn, *dntmp;
size_t loc;
assert( domain_in != NULL );
assert( dnp != NULL );
domain = LDAP_STRDUP(domain_in);
if (domain == NULL) {
return LDAP_NO_MEMORY;
}
dn = NULL;
loc = 0;
for (s = ldap_pvt_strtok(domain, ".", &tok_r);
s != NULL;
s = ldap_pvt_strtok(NULL, ".", &tok_r))
{
size_t len = strlen(s);
dntmp = (char *) LDAP_REALLOC(dn, loc + sizeof(",dc=") + len );
if (dntmp == NULL) {
if (dn != NULL)
LDAP_FREE(dn);
LDAP_FREE(domain);
return LDAP_NO_MEMORY;
}
dn = dntmp;
if (loc > 0) {
/* not first time. */
strcpy(dn + loc, ",");
loc++;
}
strcpy(dn + loc, "dc=");
loc += sizeof("dc=")-1;
strcpy(dn + loc, s);
loc += len;
}
LDAP_FREE(domain);
*dnp = dn;
return LDAP_SUCCESS;
}
/* Inspired by ERR_print_errors in OpenSSL */
static void
tlso_report_error( void )
{
unsigned long l;
char buf[200];
const char *file;
int line;
while ( ( l = ERR_get_error_line( &file, &line ) ) != 0 ) {
ERR_error_string_n( l, buf, sizeof( buf ) );
#ifdef HAVE_EBCDIC
if ( file ) {
file = LDAP_STRDUP( file );
__etoa( (char *)file );
}
__etoa( buf );
#endif
Debug( LDAP_DEBUG_ANY, "TLS: %s %s:%d\n",
buf, file, line );
#ifdef HAVE_EBCDIC
if ( file ) LDAP_FREE( (void *)file );
#endif
}
}
char *
ldap_strdup( LDAP_CONST char *p )
{
return LDAP_STRDUP( p );
}
int
ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
{
struct ldapoptions *lo;
if( ld != NULL ) {
assert( LDAP_VALID( ld ) );
if( !LDAP_VALID( ld ) ) {
return LDAP_OPT_ERROR;
}
lo = &ld->ld_options;
} else {
/* Get pointer to global option structure */
lo = LDAP_INT_GLOBAL_OPT();
if ( lo == NULL ) {
return LDAP_NO_MEMORY;
}
}
switch( option ) {
case LDAP_OPT_X_TLS:
if ( !arg ) return -1;
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_NEVER:
case LDAP_OPT_X_TLS_DEMAND:
case LDAP_OPT_X_TLS_ALLOW:
case LDAP_OPT_X_TLS_TRY:
case LDAP_OPT_X_TLS_HARD:
if (lo != NULL) {
lo->ldo_tls_mode = *(int *)arg;
}
return 0;
}
return -1;
case LDAP_OPT_X_TLS_CTX:
if ( lo->ldo_tls_ctx )
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = arg;
tls_ctx_ref( lo->ldo_tls_ctx );
return 0;
case LDAP_OPT_X_TLS_CONNECT_CB:
lo->ldo_tls_connect_cb = (LDAP_TLS_CONNECT_CB *)arg;
return 0;
case LDAP_OPT_X_TLS_CONNECT_ARG:
lo->ldo_tls_connect_arg = arg;
return 0;
case LDAP_OPT_X_TLS_CACERTFILE:
if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_CACERTDIR:
if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir );
lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_CERTFILE:
if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile );
lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_KEYFILE:
if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile );
lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_DHFILE:
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_REQUIRE_CERT:
if ( !arg ) return -1;
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_NEVER:
case LDAP_OPT_X_TLS_DEMAND:
case LDAP_OPT_X_TLS_ALLOW:
case LDAP_OPT_X_TLS_TRY:
case LDAP_OPT_X_TLS_HARD:
lo->ldo_tls_require_cert = * (int *) arg;
return 0;
}
return -1;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1;
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_CRL_NONE:
case LDAP_OPT_X_TLS_CRL_PEER:
case LDAP_OPT_X_TLS_CRL_ALL:
lo->ldo_tls_crlcheck = * (int *) arg;
return 0;
}
return -1;
#endif
case LDAP_OPT_X_TLS_CIPHER_SUITE:
if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite );
lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
if ( !arg ) return -1;
lo->ldo_tls_protocol_min = *(int *)arg;
return 0;
case LDAP_OPT_X_TLS_RANDOM_FILE:
if ( ld != NULL )
return -1;
if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile );
lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
break;
case LDAP_OPT_X_TLS_NEWCTX:
if ( !arg ) return -1;
if ( lo->ldo_tls_ctx )
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
return ldap_int_tls_init_ctx( lo, *(int *)arg );
default:
return -1;
}
return 0;
}
int
ldap_create( LDAP **ldp )
{
LDAP *ld;
struct ldapoptions *gopts;
#if defined(__APPLE__) && defined(LDAP_R_COMPILE)
/* Init the global options in a nice thread-safe manner. */
dispatch_once_f(&ldap_global_opts_initialized, NULL, ldap_int_init_global_opts);
#endif
*ldp = NULL;
/* Get pointer to global option structure */
if ( (gopts = LDAP_INT_GLOBAL_OPT()) == NULL) {
return LDAP_NO_MEMORY;
}
#if defined(__APPLE__) && defined(LDAP_R_COMPILE)
/* Global options should have been initialized by pthread_once() */
if( gopts->ldo_valid != LDAP_INITIALIZED ) {
return LDAP_LOCAL_ERROR;
}
#else
/* Initialize the global options, if not already done. */
if( gopts->ldo_valid != LDAP_INITIALIZED ) {
ldap_int_initialize(gopts, NULL);
if ( gopts->ldo_valid != LDAP_INITIALIZED )
return LDAP_LOCAL_ERROR;
}
#endif
Debug( LDAP_DEBUG_TRACE, "ldap_create\n", 0, 0, 0 );
if ( (ld = (LDAP *) LDAP_CALLOC( 1, sizeof(LDAP) )) == NULL ) {
return( LDAP_NO_MEMORY );
}
if ( (ld->ldc = (struct ldap_common *) LDAP_CALLOC( 1,
sizeof(struct ldap_common) )) == NULL ) {
LDAP_FREE( (char *)ld );
return( LDAP_NO_MEMORY );
}
/* copy the global options */
LDAP_MUTEX_LOCK( &gopts->ldo_mutex );
AC_MEMCPY(&ld->ld_options, gopts, sizeof(ld->ld_options));
#ifdef LDAP_R_COMPILE
/* Properly initialize the structs mutex */
ldap_pvt_thread_mutex_init( &(ld->ld_ldopts_mutex) );
#endif
LDAP_MUTEX_UNLOCK( &gopts->ldo_mutex );
ld->ld_valid = LDAP_VALID_SESSION;
/* but not pointers to malloc'ed items */
ld->ld_options.ldo_sctrls = NULL;
ld->ld_options.ldo_cctrls = NULL;
ld->ld_options.ldo_defludp = NULL;
ld->ld_options.ldo_conn_cbs = NULL;
ld->ld_options.ldo_noaddr_option = 0;
ld->ld_options.ldo_sasl_fqdn = NULL;
#ifdef HAVE_CYRUS_SASL
ld->ld_options.ldo_def_sasl_mech = gopts->ldo_def_sasl_mech
? LDAP_STRDUP( gopts->ldo_def_sasl_mech ) : NULL;
ld->ld_options.ldo_def_sasl_realm = gopts->ldo_def_sasl_realm
? LDAP_STRDUP( gopts->ldo_def_sasl_realm ) : NULL;
ld->ld_options.ldo_def_sasl_authcid = gopts->ldo_def_sasl_authcid
? LDAP_STRDUP( gopts->ldo_def_sasl_authcid ) : NULL;
ld->ld_options.ldo_def_sasl_authzid = gopts->ldo_def_sasl_authzid
? LDAP_STRDUP( gopts->ldo_def_sasl_authzid ) : NULL;
#endif
#ifdef HAVE_TLS
/* We explicitly inherit the SSL_CTX, don't need the names/paths. Leave
* them empty to allow new SSL_CTX's to be created from scratch.
*/
memset( &ld->ld_options.ldo_tls_info, 0,
sizeof( ld->ld_options.ldo_tls_info ));
ld->ld_options.ldo_tls_ctx = NULL;
#endif
if ( gopts->ldo_defludp ) {
ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
if ( ld->ld_options.ldo_defludp == NULL ) goto nomem;
}
if (( ld->ld_selectinfo = ldap_new_select_info()) == NULL ) goto nomem;
ld->ld_lberoptions = LBER_USE_DER;
ld->ld_sb = ber_sockbuf_alloc( );
if ( ld->ld_sb == NULL ) goto nomem;
#ifdef LDAP_RESPONSE_RB_TREE
ldap_resp_rbt_create( ld );
if ( ld->ld_rbt_responses == NULL ) {
goto nomem;
}
#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ld->ld_msgid_mutex );
ldap_pvt_thread_mutex_init( &ld->ld_conn_mutex );
ldap_pvt_thread_mutex_init( &ld->ld_req_mutex );
ldap_pvt_thread_mutex_init( &ld->ld_res_mutex );
ldap_pvt_thread_mutex_init( &ld->ld_abandon_mutex );
ldap_pvt_thread_mutex_init( &ld->ld_ldcmutex );
#endif
ld->ld_ldcrefcnt = 1;
*ldp = ld;
return LDAP_SUCCESS;
nomem:
ldap_free_select_info( ld->ld_selectinfo );
ldap_free_urllist( ld->ld_options.ldo_defludp );
#ifdef HAVE_CYRUS_SASL
LDAP_FREE( ld->ld_options.ldo_def_sasl_authzid );
LDAP_FREE( ld->ld_options.ldo_def_sasl_authcid );
LDAP_FREE( ld->ld_options.ldo_def_sasl_realm );
LDAP_FREE( ld->ld_options.ldo_def_sasl_mech );
#endif
LDAP_FREE( (char *)ld );
return LDAP_NO_MEMORY;
}
static int
put_vrFilter( BerElement *ber, const char *str_in )
{
int rc;
char *freeme;
char *str;
char *next;
int parens, balance, escape;
/*
* A ValuesReturnFilter looks like this:
*
* ValuesReturnFilter ::= SEQUENCE OF SimpleFilterItem
* SimpleFilterItem ::= CHOICE {
* equalityMatch [3] AttributeValueAssertion,
* substrings [4] SubstringFilter,
* greaterOrEqual [5] AttributeValueAssertion,
* lessOrEqual [6] AttributeValueAssertion,
* present [7] AttributeType,
* approxMatch [8] AttributeValueAssertion,
* extensibleMatch [9] SimpleMatchingAssertion -- LDAPv3
* }
*
* SubstringFilter ::= SEQUENCE {
* type AttributeType,
* SEQUENCE OF CHOICE {
* initial [0] IA5String,
* any [1] IA5String,
* final [2] IA5String
* }
* }
*
* SimpleMatchingAssertion ::= SEQUENCE { -- LDAPv3
* matchingRule [1] MatchingRuleId OPTIONAL,
* type [2] AttributeDescription OPTIONAL,
* matchValue [3] AssertionValue }
*
* (Source: RFC 3876)
*/
Debug( LDAP_DEBUG_TRACE, "put_vrFilter: \"%s\"\n", str_in, 0, 0 );
freeme = LDAP_STRDUP( str_in );
if( freeme == NULL ) return LDAP_NO_MEMORY;
str = freeme;
parens = 0;
while ( *str ) {
switch ( *str ) {
case '(': /*')'*/
str++;
parens++;
/* skip spaces */
while( LDAP_SPACE( *str ) ) str++;
switch ( *str ) {
case '(':
if ( (next = find_right_paren( str )) == NULL ) {
rc = -1;
goto done;
}
*next = '\0';
if ( put_vrFilter_list( ber, str ) == -1 ) {
rc = -1;
goto done;
}
/* close the '(' */
*next++ = ')';
str = next;
parens--;
break;
default:
Debug( LDAP_DEBUG_TRACE, "put_vrFilter: simple\n",
0, 0, 0 );
balance = 1;
escape = 0;
next = str;
while ( *next && balance ) {
if ( escape == 0 ) {
if ( *next == '(' ) {
balance++;
} else if ( *next == ')' ) {
balance--;
}
}
if ( *next == '\\' && ! escape ) {
escape = 1;
} else {
escape = 0;
}
if ( balance ) next++;
}
if ( balance != 0 ) {
rc = -1;
goto done;
}
*next = '\0';
if ( put_simple_vrFilter( ber, str ) == -1 ) {
rc = -1;
goto done;
}
*next++ = /*'('*/ ')';
str = next;
parens--;
break;
}
break;
case /*'('*/ ')':
Debug( LDAP_DEBUG_TRACE, "put_vrFilter: end\n",
0, 0, 0 );
if ( ber_printf( ber, /*"["*/ "]" ) == -1 ) {
rc = -1;
goto done;
}
str++;
parens--;
break;
case ' ':
str++;
break;
default: /* assume it's a simple type=value filter */
Debug( LDAP_DEBUG_TRACE, "put_vrFilter: default\n",
0, 0, 0 );
next = strchr( str, '\0' );
if ( put_simple_vrFilter( ber, str ) == -1 ) {
rc = -1;
goto done;
}
str = next;
break;
}
}
rc = parens ? -1 : 0;
done:
LDAP_FREE( freeme );
return rc;
}
/*
* XXX merging of errors in this routine needs to be improved
* Protected by res_mutex, conn_mutex and req_mutex (try_read1msg)
*/
int
ldap_chase_referrals( LDAP *ld,
LDAPRequest *lr,
char **errstrp,
int sref,
int *hadrefp )
{
int rc, count, id;
unsigned len;
char *p, *ref, *unfollowed;
LDAPRequest *origreq;
LDAPURLDesc *srv;
BerElement *ber;
LDAPreqinfo rinfo;
LDAPConn *lc;
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_res_mutex );
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_conn_mutex );
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_req_mutex );
Debug( LDAP_DEBUG_TRACE, "ldap_chase_referrals\n", 0, 0, 0 );
ld->ld_errno = LDAP_SUCCESS; /* optimistic */
*hadrefp = 0;
if ( *errstrp == NULL ) {
return( 0 );
}
len = strlen( *errstrp );
for ( p = *errstrp; len >= LDAP_REF_STR_LEN; ++p, --len ) {
if ( strncasecmp( p, LDAP_REF_STR, LDAP_REF_STR_LEN ) == 0 ) {
*p = '\0';
p += LDAP_REF_STR_LEN;
break;
}
}
if ( len < LDAP_REF_STR_LEN ) {
return( 0 );
}
if ( lr->lr_parentcnt >= ld->ld_refhoplimit ) {
Debug( LDAP_DEBUG_ANY,
"more than %d referral hops (dropping)\n",
ld->ld_refhoplimit, 0, 0 );
/* XXX report as error in ld->ld_errno? */
return( 0 );
}
/* find original request */
for ( origreq = lr; origreq->lr_parent != NULL;
origreq = origreq->lr_parent ) {
/* empty */;
}
unfollowed = NULL;
rc = count = 0;
/* parse out & follow referrals */
for ( ref = p; rc == 0 && ref != NULL; ref = p ) {
p = strchr( ref, '\n' );
if ( p != NULL ) {
*p++ = '\0';
}
rc = ldap_url_parse_ext( ref, &srv, LDAP_PVT_URL_PARSE_NOEMPTY_DN );
if ( rc != LDAP_URL_SUCCESS ) {
Debug( LDAP_DEBUG_TRACE,
"ignoring %s referral <%s>\n",
ref, rc == LDAP_URL_ERR_BADSCHEME ? "unknown" : "incorrect", 0 );
rc = ldap_append_referral( ld, &unfollowed, ref );
*hadrefp = 1;
continue;
}
Debug( LDAP_DEBUG_TRACE,
"chasing LDAP referral: <%s>\n", ref, 0, 0 );
*hadrefp = 1;
/* See if we've already been here */
if (( lc = find_connection( ld, srv, 1 )) != NULL ) {
LDAPRequest *lp;
int looped = 0;
ber_len_t len = srv->lud_dn ? strlen( srv->lud_dn ) : 0;
for ( lp = lr; lp; lp = lp->lr_parent ) {
if ( lp->lr_conn == lc
&& len == lp->lr_dn.bv_len )
{
if ( len && strncmp( srv->lud_dn, lp->lr_dn.bv_val, len ) )
continue;
looped = 1;
break;
}
}
if ( looped ) {
ldap_free_urllist( srv );
ld->ld_errno = LDAP_CLIENT_LOOP;
rc = -1;
continue;
}
}
LDAP_NEXT_MSGID( ld, id );
ber = re_encode_request( ld, origreq->lr_ber,
id, sref, srv, &rinfo.ri_request );
if ( ber == NULL ) {
return -1 ;
}
/* copy the complete referral for rebind process */
rinfo.ri_url = LDAP_STRDUP( ref );
rinfo.ri_msgid = origreq->lr_origid;
rc = ldap_send_server_request( ld, ber, id,
lr, &srv, NULL, &rinfo, 0, 1 );
LDAP_FREE( rinfo.ri_url );
if( rc >= 0 ) {
++count;
} else {
Debug( LDAP_DEBUG_ANY,
"Unable to chase referral \"%s\" (%d: %s)\n",
ref, ld->ld_errno, ldap_err2string( ld->ld_errno ) );
rc = ldap_append_referral( ld, &unfollowed, ref );
}
ldap_free_urllist(srv);
}
LDAP_FREE( *errstrp );
*errstrp = unfollowed;
return(( rc == 0 ) ? count : rc );
}
int
ldap_get_option(
LDAP *ld,
int option,
void *outvalue)
{
struct ldapoptions *lo;
int rc = LDAP_OPT_ERROR;
/* Get pointer to global option structure */
lo = LDAP_INT_GLOBAL_OPT();
if (NULL == lo) {
return LDAP_NO_MEMORY;
}
if( lo->ldo_valid != LDAP_INITIALIZED ) {
ldap_int_initialize(lo, NULL);
if ( lo->ldo_valid != LDAP_INITIALIZED )
return LDAP_LOCAL_ERROR;
}
if(ld != NULL) {
assert( LDAP_VALID( ld ) );
if( !LDAP_VALID( ld ) ) {
return LDAP_OPT_ERROR;
}
lo = &ld->ld_options;
}
if(outvalue == NULL) {
/* no place to get to */
return LDAP_OPT_ERROR;
}
LDAP_MUTEX_LOCK( &lo->ldo_mutex );
switch(option) {
case LDAP_OPT_API_INFO: {
struct ldapapiinfo *info = (struct ldapapiinfo *) outvalue;
if(info == NULL) {
/* outvalue must point to an apiinfo structure */
break; /* LDAP_OPT_ERROR */
}
if(info->ldapai_info_version != LDAP_API_INFO_VERSION) {
/* api info version mismatch */
info->ldapai_info_version = LDAP_API_INFO_VERSION;
break; /* LDAP_OPT_ERROR */
}
info->ldapai_api_version = LDAP_API_VERSION;
info->ldapai_protocol_version = LDAP_VERSION_MAX;
if(features[0].ldapaif_name == NULL) {
info->ldapai_extensions = NULL;
} else {
int i;
info->ldapai_extensions = LDAP_MALLOC(sizeof(char *) *
sizeof(features)/sizeof(LDAPAPIFeatureInfo));
for(i=0; features[i].ldapaif_name != NULL; i++) {
info->ldapai_extensions[i] =
LDAP_STRDUP(features[i].ldapaif_name);
}
info->ldapai_extensions[i] = NULL;
}
info->ldapai_vendor_name = LDAP_STRDUP(LDAP_VENDOR_NAME);
info->ldapai_vendor_version = LDAP_VENDOR_VERSION;
rc = LDAP_OPT_SUCCESS;
break;
} break;
case LDAP_OPT_DESC:
if( ld == NULL || ld->ld_sb == NULL ) {
/* bad param */
break;
}
ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, outvalue );
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_SOCKBUF:
if( ld == NULL ) break;
*(Sockbuf **)outvalue = ld->ld_sb;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_TIMEOUT:
/* the caller has to free outvalue ! */
if ( lo->ldo_tm_api.tv_sec < 0 ) {
*(void **)outvalue = NULL;
} else if ( ldap_int_timeval_dup( outvalue, &lo->ldo_tm_api ) != 0 ) {
break; /* LDAP_OPT_ERROR */
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_NETWORK_TIMEOUT:
/* the caller has to free outvalue ! */
if ( lo->ldo_tm_net.tv_sec < 0 ) {
*(void **)outvalue = NULL;
} else if ( ldap_int_timeval_dup( outvalue, &lo->ldo_tm_net ) != 0 ) {
break; /* LDAP_OPT_ERROR */
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_DEREF:
* (int *) outvalue = lo->ldo_deref;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_SIZELIMIT:
* (int *) outvalue = lo->ldo_sizelimit;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_TIMELIMIT:
* (int *) outvalue = lo->ldo_timelimit;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_REFERRALS:
* (int *) outvalue = (int) LDAP_BOOL_GET(lo, LDAP_BOOL_REFERRALS);
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_RESTART:
* (int *) outvalue = (int) LDAP_BOOL_GET(lo, LDAP_BOOL_RESTART);
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_PROTOCOL_VERSION:
* (int *) outvalue = lo->ldo_version;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_SERVER_CONTROLS:
* (LDAPControl ***) outvalue =
ldap_controls_dup( lo->ldo_sctrls );
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_CLIENT_CONTROLS:
* (LDAPControl ***) outvalue =
ldap_controls_dup( lo->ldo_cctrls );
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_HOST_NAME:
* (char **) outvalue = ldap_url_list2hosts(lo->ldo_defludp);
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_URI:
* (char **) outvalue = ldap_url_list2urls(lo->ldo_defludp);
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_DEFBASE:
if( lo->ldo_defbase == NULL ) {
* (char **) outvalue = NULL;
} else {
* (char **) outvalue = LDAP_STRDUP(lo->ldo_defbase);
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_CONNECT_ASYNC:
* (int *) outvalue = (int) LDAP_BOOL_GET(lo, LDAP_BOOL_CONNECT_ASYNC);
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_CONNECT_CB:
{
/* Getting deletes the specified callback */
ldaplist **ll = &lo->ldo_conn_cbs;
for (;*ll;ll = &(*ll)->ll_next) {
if ((*ll)->ll_data == outvalue) {
ldaplist *lc = *ll;
*ll = lc->ll_next;
LDAP_FREE(lc);
break;
}
}
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_RESULT_CODE:
if(ld == NULL) {
/* bad param */
break;
}
* (int *) outvalue = ld->ld_errno;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_DIAGNOSTIC_MESSAGE:
if(ld == NULL) {
/* bad param */
break;
}
if( ld->ld_error == NULL ) {
* (char **) outvalue = NULL;
} else {
* (char **) outvalue = LDAP_STRDUP(ld->ld_error);
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_MATCHED_DN:
if(ld == NULL) {
/* bad param */
break;
}
if( ld->ld_matched == NULL ) {
* (char **) outvalue = NULL;
} else {
* (char **) outvalue = LDAP_STRDUP( ld->ld_matched );
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_REFERRAL_URLS:
if(ld == NULL) {
/* bad param */
break;
}
if( ld->ld_referrals == NULL ) {
* (char ***) outvalue = NULL;
} else {
* (char ***) outvalue = ldap_value_dup(ld->ld_referrals);
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_API_FEATURE_INFO: {
LDAPAPIFeatureInfo *info = (LDAPAPIFeatureInfo *) outvalue;
int i;
if(info == NULL)
break; /* LDAP_OPT_ERROR */
if(info->ldapaif_info_version != LDAP_FEATURE_INFO_VERSION) {
/* api info version mismatch */
info->ldapaif_info_version = LDAP_FEATURE_INFO_VERSION;
break; /* LDAP_OPT_ERROR */
}
if(info->ldapaif_name == NULL)
break; /* LDAP_OPT_ERROR */
for(i=0; features[i].ldapaif_name != NULL; i++) {
if(!strcmp(info->ldapaif_name, features[i].ldapaif_name)) {
info->ldapaif_version =
features[i].ldapaif_version;
rc = LDAP_OPT_SUCCESS;
break;
}
}
}
break;
case LDAP_OPT_DEBUG_LEVEL:
* (int *) outvalue = lo->ldo_debug;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_SESSION_REFCNT:
if(ld == NULL) {
/* bad param */
break;
}
LDAP_MUTEX_LOCK( &ld->ld_ldcmutex );
* (int *) outvalue = ld->ld_ldcrefcnt;
LDAP_MUTEX_UNLOCK( &ld->ld_ldcmutex );
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_X_KEEPALIVE_IDLE:
* (int *) outvalue = lo->ldo_keepalive_idle;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_X_KEEPALIVE_PROBES:
* (int *) outvalue = lo->ldo_keepalive_probes;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_X_KEEPALIVE_INTERVAL:
* (int *) outvalue = lo->ldo_keepalive_interval;
rc = LDAP_OPT_SUCCESS;
break;
default:
#ifdef HAVE_TLS
if ( ldap_pvt_tls_get_option( ld, option, outvalue ) == 0 ) {
rc = LDAP_OPT_SUCCESS;
break;
}
#endif
#ifdef HAVE_CYRUS_SASL
if ( ldap_int_sasl_get_option( ld, option, outvalue ) == 0 ) {
rc = LDAP_OPT_SUCCESS;
break;
}
#endif
#ifdef HAVE_GSSAPI
if ( ldap_int_gssapi_get_option( ld, option, outvalue ) == 0 ) {
rc = LDAP_OPT_SUCCESS;
break;
}
#endif
/* bad param */
break;
}
LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
return ( rc );
}
/*
* Parse LDAPResult Messages:
*
* LDAPResult ::= SEQUENCE {
* resultCode ENUMERATED,
* matchedDN LDAPDN,
* errorMessage LDAPString,
* referral [3] Referral OPTIONAL }
*
* including Bind results:
*
* BindResponse ::= [APPLICATION 1] SEQUENCE {
* COMPONENTS OF LDAPResult,
* serverSaslCreds [7] OCTET STRING OPTIONAL }
*
* and ExtendedOp results:
*
* ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
* COMPONENTS OF LDAPResult,
* responseName [10] LDAPOID OPTIONAL,
* response [11] OCTET STRING OPTIONAL }
*
*/
int
ldap_parse_result(
LDAP *ld,
LDAPMessage *r,
int *errcodep,
char **matcheddnp,
char **errmsgp,
char ***referralsp,
LDAPControl ***serverctrls,
int freeit )
{
LDAPMessage *lm;
ber_int_t errcode = LDAP_SUCCESS;
ber_tag_t tag;
BerElement *ber;
#ifdef NEW_LOGGING
LDAP_LOG ( OPERATION, ENTRY, "ldap_parse_result\n", 0,0,0 );
#else
Debug( LDAP_DEBUG_TRACE, "ldap_parse_result\n", 0, 0, 0 );
#endif
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
assert( r != NULL );
if(errcodep != NULL) *errcodep = LDAP_SUCCESS;
if(matcheddnp != NULL) *matcheddnp = NULL;
if(errmsgp != NULL) *errmsgp = NULL;
if(referralsp != NULL) *referralsp = NULL;
if(serverctrls != NULL) *serverctrls = NULL;
/* Find the next result... */
for ( lm = r; lm != NULL; lm = lm->lm_chain ) {
/* skip over entries and references */
if( lm->lm_msgtype != LDAP_RES_SEARCH_ENTRY &&
lm->lm_msgtype != LDAP_RES_SEARCH_REFERENCE &&
lm->lm_msgtype != LDAP_RES_EXTENDED_PARTIAL )
{
break;
}
}
if( lm == NULL ) {
ld->ld_errno = LDAP_NO_RESULTS_RETURNED;
return ld->ld_errno;
}
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
ld->ld_error = NULL;
}
if ( ld->ld_matched ) {
LDAP_FREE( ld->ld_matched );
ld->ld_matched = NULL;
}
if ( ld->ld_referrals ) {
LDAP_VFREE( ld->ld_referrals );
ld->ld_referrals = NULL;
}
/* parse results */
ber = ber_dup( lm->lm_ber );
if ( ld->ld_version < LDAP_VERSION2 ) {
tag = ber_scanf( ber, "{ia}",
&ld->ld_errno, &ld->ld_error );
} else {
ber_len_t len;
tag = ber_scanf( ber, "{iaa" /*}*/,
&ld->ld_errno, &ld->ld_matched, &ld->ld_error );
if( tag != LBER_ERROR ) {
/* peek for referrals */
if( ber_peek_tag(ber, &len) == LDAP_TAG_REFERRAL ) {
tag = ber_scanf( ber, "v", &ld->ld_referrals );
}
}
/* need to clean out misc items */
if( tag != LBER_ERROR ) {
if( lm->lm_msgtype == LDAP_RES_BIND ) {
/* look for sasl result creditials */
if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SASL_RES_CREDS ) {
/* skip 'em */
tag = ber_scanf( ber, "x" );
}
} else if( lm->lm_msgtype == LDAP_RES_EXTENDED ) {
/* look for exop result oid or value */
if ( ber_peek_tag( ber, &len ) == LDAP_TAG_EXOP_RES_OID ) {
/* skip 'em */
tag = ber_scanf( ber, "x" );
}
if ( tag != LBER_ERROR &&
ber_peek_tag( ber, &len ) == LDAP_TAG_EXOP_RES_VALUE )
{
/* skip 'em */
tag = ber_scanf( ber, "x" );
}
}
}
if( tag != LBER_ERROR ) {
int rc = ldap_int_get_controls( ber, serverctrls );
if( rc != LDAP_SUCCESS ) {
tag = LBER_ERROR;
}
}
if( tag != LBER_ERROR ) {
tag = ber_scanf( ber, /*{*/"}" );
}
}
if ( tag == LBER_ERROR ) {
ld->ld_errno = errcode = LDAP_DECODING_ERROR;
}
if( ber != NULL ) {
ber_free( ber, 0 );
}
/* return */
if( errcodep != NULL ) {
*errcodep = ld->ld_errno;
}
if ( errcode == LDAP_SUCCESS ) {
if( matcheddnp != NULL ) {
*matcheddnp = LDAP_STRDUP( ld->ld_matched );
}
if( errmsgp != NULL ) {
*errmsgp = LDAP_STRDUP( ld->ld_error );
}
if( referralsp != NULL) {
*referralsp = ldap_value_dup( ld->ld_referrals );
}
/* Find the next result... */
for ( lm = lm->lm_chain; lm != NULL; lm = lm->lm_chain ) {
/* skip over entries and references */
if( lm->lm_msgtype != LDAP_RES_SEARCH_ENTRY &&
lm->lm_msgtype != LDAP_RES_SEARCH_REFERENCE &&
lm->lm_msgtype != LDAP_RES_EXTENDED_PARTIAL )
{
/* more results to return */
errcode = LDAP_MORE_RESULTS_TO_RETURN;
break;
}
}
}
if ( freeit ) {
ldap_msgfree( r );
}
return( errcode );
}
static int
tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session *s = (tlso_session *)sess;
int i, ret = LDAP_LOCAL_ERROR;
X509 *x;
const char *name;
char *ptr;
int ntype = IS_DNS, nlen;
#ifdef LDAP_PF_INET6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
{
name = ldap_int_hostname;
} else {
name = name_in;
}
nlen = strlen(name);
x = tlso_get_cert(s);
if (!x) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get peer certificate.\n",
0, 0, 0 );
/* If this was a fatal condition, things would have
* aborted long before now.
*/
return LDAP_SUCCESS;
}
#ifdef LDAP_PF_INET6
if (inet_pton(AF_INET6, name, &addr)) {
ntype = IS_IP6;
} else
#endif
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
if (i >= 0) {
X509_EXTENSION *ex;
STACK_OF(GENERAL_NAME) *alt;
ex = X509_get_ext(x, i);
alt = X509V3_EXT_d2i(ex);
if (alt) {
int n, len2 = 0;
char *domain = NULL;
GENERAL_NAME *gn;
if (ntype == IS_DNS) {
domain = strchr(name, '.');
if (domain) {
len2 = nlen - (domain-name);
}
}
n = sk_GENERAL_NAME_num(alt);
for (i=0; i<n; i++) {
char *sn;
int sl;
gn = sk_GENERAL_NAME_value(alt, i);
if (gn->type == GEN_DNS) {
if (ntype != IS_DNS) continue;
sn = (char *) ASN1_STRING_data(gn->d.ia5);
sl = ASN1_STRING_length(gn->d.ia5);
/* ignore empty */
if (sl == 0) continue;
/* Is this an exact match? */
if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
break;
}
/* Is this a wildcard match? */
if (domain && (sn[0] == '*') && (sn[1] == '.') &&
(len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
{
break;
}
} else if (gn->type == GEN_IPADD) {
if (ntype == IS_DNS) continue;
sn = (char *) ASN1_STRING_data(gn->d.ia5);
sl = ASN1_STRING_length(gn->d.ia5);
#ifdef LDAP_PF_INET6
if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
continue;
} else
#endif
if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
continue;
}
if (!memcmp(sn, &addr, sl)) {
break;
}
}
}
GENERAL_NAMES_free(alt);
if (i < n) { /* Found a match */
ret = LDAP_SUCCESS;
}
}
}
if (ret != LDAP_SUCCESS) {
X509_NAME *xn;
X509_NAME_ENTRY *ne;
ASN1_OBJECT *obj;
ASN1_STRING *cn = NULL;
int navas;
/* find the last CN */
obj = OBJ_nid2obj( NID_commonName );
if ( !obj ) goto no_cn; /* should never happen */
xn = X509_get_subject_name(x);
navas = X509_NAME_entry_count( xn );
for ( i=navas-1; i>=0; i-- ) {
ne = X509_NAME_get_entry( xn, i );
if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
cn = X509_NAME_ENTRY_get_data( ne );
break;
}
}
if( !cn )
{
no_cn:
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
} else if ( cn->length == nlen &&
strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
ret = LDAP_SUCCESS;
} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
char *domain = strchr(name, '.');
if( domain ) {
int dlen;
dlen = nlen - (domain-name);
/* Is this a wildcard match? */
if ((dlen == cn->length-1) &&
!strncasecmp(domain, (char *) &cn->data[1], dlen)) {
ret = LDAP_SUCCESS;
}
}
}
if( ret == LDAP_LOCAL_ERROR ) {
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%.*s).\n",
name, cn->length, cn->data );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
}
}
X509_free(x);
return ret;
}
/* Derived from openssl/apps/s_cb.c */
static void
tlso_info_cb( const SSL *ssl, int where, int ret )
{
int w;
char *op;
char *state = (char *) SSL_state_string_long( (SSL *)ssl );
w = where & ~SSL_ST_MASK;
if ( w & SSL_ST_CONNECT ) {
op = "SSL_connect";
} else if ( w & SSL_ST_ACCEPT ) {
op = "SSL_accept";
} else {
op = "undefined";
}
#ifdef HAVE_EBCDIC
if ( state ) {
state = LDAP_STRDUP( state );
__etoa( state );
}
#endif
if ( where & SSL_CB_LOOP ) {
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:%s\n",
op, state, 0 );
} else if ( where & SSL_CB_ALERT ) {
char *atype = (char *) SSL_alert_type_string_long( ret );
char *adesc = (char *) SSL_alert_desc_string_long( ret );
op = ( where & SSL_CB_READ ) ? "read" : "write";
#ifdef HAVE_EBCDIC
if ( atype ) {
atype = LDAP_STRDUP( atype );
__etoa( atype );
}
if ( adesc ) {
adesc = LDAP_STRDUP( adesc );
__etoa( adesc );
}
#endif
Debug( LDAP_DEBUG_TRACE,
"TLS trace: SSL3 alert %s:%s:%s\n",
op, atype, adesc );
#ifdef HAVE_EBCDIC
if ( atype ) LDAP_FREE( atype );
if ( adesc ) LDAP_FREE( adesc );
#endif
} else if ( where & SSL_CB_EXIT ) {
if ( ret == 0 ) {
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:failed in %s\n",
op, state, 0 );
} else if ( ret < 0 ) {
Debug( LDAP_DEBUG_TRACE,
"TLS trace: %s:error in %s\n",
op, state, 0 );
}
}
#ifdef HAVE_EBCDIC
if ( state ) LDAP_FREE( state );
#endif
}
int
ldap_create( LDAP **ldp )
{
LDAP *ld;
struct ldapoptions *gopts;
*ldp = NULL;
/* Get pointer to global option structure */
if ( (gopts = LDAP_INT_GLOBAL_OPT()) == NULL) {
return LDAP_NO_MEMORY;
}
/* Initialize the global options, if not already done. */
if( gopts->ldo_valid != LDAP_INITIALIZED ) {
ldap_int_initialize(gopts, NULL);
if ( gopts->ldo_valid != LDAP_INITIALIZED )
return LDAP_LOCAL_ERROR;
}
Debug( LDAP_DEBUG_TRACE, "ldap_create\n", 0, 0, 0 );
if ( (ld = (LDAP *) LDAP_CALLOC( 1, sizeof(LDAP) )) == NULL ) {
return( LDAP_NO_MEMORY );
}
/* copy the global options */
AC_MEMCPY(&ld->ld_options, gopts, sizeof(ld->ld_options));
ld->ld_valid = LDAP_VALID_SESSION;
/* but not pointers to malloc'ed items */
ld->ld_options.ldo_sctrls = NULL;
ld->ld_options.ldo_cctrls = NULL;
ld->ld_options.ldo_defludp = NULL;
#ifdef HAVE_CYRUS_SASL
ld->ld_options.ldo_def_sasl_mech = gopts->ldo_def_sasl_mech
? LDAP_STRDUP( gopts->ldo_def_sasl_mech ) : NULL;
ld->ld_options.ldo_def_sasl_realm = gopts->ldo_def_sasl_realm
? LDAP_STRDUP( gopts->ldo_def_sasl_realm ) : NULL;
ld->ld_options.ldo_def_sasl_authcid = gopts->ldo_def_sasl_authcid
? LDAP_STRDUP( gopts->ldo_def_sasl_authcid ) : NULL;
ld->ld_options.ldo_def_sasl_authzid = gopts->ldo_def_sasl_authzid
? LDAP_STRDUP( gopts->ldo_def_sasl_authzid ) : NULL;
#endif
#ifdef HAVE_TLS
/* We explicitly inherit the SSL_CTX, don't need the names/paths. Leave
* them empty to allow new SSL_CTX's to be created from scratch.
*/
memset( &ld->ld_options.ldo_tls_info, 0,
sizeof( ld->ld_options.ldo_tls_info ));
ld->ld_options.ldo_tls_ctx = NULL;
#endif
if ( gopts->ldo_defludp ) {
ld->ld_options.ldo_defludp = ldap_url_duplist(gopts->ldo_defludp);
if ( ld->ld_options.ldo_defludp == NULL ) goto nomem;
}
if (( ld->ld_selectinfo = ldap_new_select_info()) == NULL ) goto nomem;
ld->ld_lberoptions = LBER_USE_DER;
ld->ld_sb = ber_sockbuf_alloc( );
if ( ld->ld_sb == NULL ) goto nomem;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ld->ld_req_mutex );
ldap_pvt_thread_mutex_init( &ld->ld_res_mutex );
ldap_pvt_thread_mutex_init( &ld->ld_conn_mutex );
#endif
*ldp = ld;
return LDAP_SUCCESS;
nomem:
ldap_free_select_info( ld->ld_selectinfo );
ldap_free_urllist( ld->ld_options.ldo_defludp );
#ifdef HAVE_CYRUS_SASL
LDAP_FREE( ld->ld_options.ldo_def_sasl_authzid );
LDAP_FREE( ld->ld_options.ldo_def_sasl_authcid );
LDAP_FREE( ld->ld_options.ldo_def_sasl_realm );
LDAP_FREE( ld->ld_options.ldo_def_sasl_mech );
#endif
LDAP_FREE( (char *)ld );
return LDAP_NO_MEMORY;
}
/*
* Parse LDAPResult Messages:
*
* LDAPResult ::= SEQUENCE {
* resultCode ENUMERATED,
* matchedDN LDAPDN,
* errorMessage LDAPString,
* referral [3] Referral OPTIONAL }
*
* including Bind results:
*
* BindResponse ::= [APPLICATION 1] SEQUENCE {
* COMPONENTS OF LDAPResult,
* serverSaslCreds [7] OCTET STRING OPTIONAL }
*
* and ExtendedOp results:
*
* ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
* COMPONENTS OF LDAPResult,
* responseName [10] LDAPOID OPTIONAL,
* response [11] OCTET STRING OPTIONAL }
*
*/
int
ldap_parse_result(
LDAP *ld,
LDAPMessage *r,
int *errcodep,
char **matcheddnp,
char **errmsgp,
char ***referralsp,
LDAPControl ***serverctrls,
int freeit )
{
LDAPMessage *lm;
ber_int_t errcode = LDAP_SUCCESS;
ber_tag_t tag;
BerElement *ber;
Debug( LDAP_DEBUG_TRACE, "ldap_parse_result\n", 0, 0, 0 );
assert( ld != NULL );
assert( LDAP_VALID( ld ) );
assert( r != NULL );
if(errcodep != NULL) *errcodep = LDAP_SUCCESS;
if(matcheddnp != NULL) *matcheddnp = NULL;
if(errmsgp != NULL) *errmsgp = NULL;
if(referralsp != NULL) *referralsp = NULL;
if(serverctrls != NULL) *serverctrls = NULL;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &ld->ld_res_mutex );
#endif
/* Find the result, last msg in chain... */
lm = r->lm_chain_tail;
/* FIXME: either this is not possible (assert?)
* or it should be handled */
if ( lm != NULL ) {
switch ( lm->lm_msgtype ) {
case LDAP_RES_SEARCH_ENTRY:
case LDAP_RES_SEARCH_REFERENCE:
case LDAP_RES_INTERMEDIATE:
lm = NULL;
break;
default:
break;
}
}
if( lm == NULL ) {
errcode = ld->ld_errno = LDAP_NO_RESULTS_RETURNED;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &ld->ld_res_mutex );
#endif
goto done;
}
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
ld->ld_error = NULL;
}
if ( ld->ld_matched ) {
LDAP_FREE( ld->ld_matched );
ld->ld_matched = NULL;
}
if ( ld->ld_referrals ) {
LDAP_VFREE( ld->ld_referrals );
ld->ld_referrals = NULL;
}
/* parse results */
ber = ber_dup( lm->lm_ber );
if ( ld->ld_version < LDAP_VERSION2 ) {
tag = ber_scanf( ber, "{iA}",
&ld->ld_errno, &ld->ld_error );
} else {
ber_len_t len;
tag = ber_scanf( ber, "{iAA" /*}*/,
&ld->ld_errno, &ld->ld_matched, &ld->ld_error );
if( tag != LBER_ERROR ) {
/* peek for referrals */
if( ber_peek_tag(ber, &len) == LDAP_TAG_REFERRAL ) {
tag = ber_scanf( ber, "v", &ld->ld_referrals );
}
}
/* need to clean out misc items */
if( tag != LBER_ERROR ) {
if( lm->lm_msgtype == LDAP_RES_BIND ) {
/* look for sasl result creditials */
if ( ber_peek_tag( ber, &len ) == LDAP_TAG_SASL_RES_CREDS ) {
/* skip 'em */
tag = ber_scanf( ber, "x" );
}
} else if( lm->lm_msgtype == LDAP_RES_EXTENDED ) {
/* look for exop result oid or value */
if ( ber_peek_tag( ber, &len ) == LDAP_TAG_EXOP_RES_OID ) {
/* skip 'em */
tag = ber_scanf( ber, "x" );
}
if ( tag != LBER_ERROR &&
ber_peek_tag( ber, &len ) == LDAP_TAG_EXOP_RES_VALUE )
{
/* skip 'em */
tag = ber_scanf( ber, "x" );
}
}
}
if( tag != LBER_ERROR ) {
int rc = ldap_pvt_get_controls( ber, serverctrls );
if( rc != LDAP_SUCCESS ) {
tag = LBER_ERROR;
}
}
if( tag != LBER_ERROR ) {
tag = ber_scanf( ber, /*{*/"}" );
}
}
if ( tag == LBER_ERROR ) {
ld->ld_errno = errcode = LDAP_DECODING_ERROR;
}
if( ber != NULL ) {
ber_free( ber, 0 );
}
/* return */
if( errcodep != NULL ) {
*errcodep = ld->ld_errno;
}
if ( errcode == LDAP_SUCCESS ) {
if( matcheddnp != NULL ) {
if ( ld->ld_matched )
{
*matcheddnp = LDAP_STRDUP( ld->ld_matched );
}
}
if( errmsgp != NULL ) {
if ( ld->ld_error )
{
*errmsgp = LDAP_STRDUP( ld->ld_error );
}
}
if( referralsp != NULL) {
*referralsp = ldap_value_dup( ld->ld_referrals );
}
}
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &ld->ld_res_mutex );
#endif
done:
if ( freeit ) {
ldap_msgfree( r );
}
return errcode;
}
int
ldap_set_option(
LDAP *ld,
int option,
LDAP_CONST void *invalue)
{
struct ldapoptions *lo;
int *dbglvl = NULL;
int rc = LDAP_OPT_ERROR;
/* Get pointer to global option structure */
lo = LDAP_INT_GLOBAL_OPT();
if (lo == NULL) {
return LDAP_NO_MEMORY;
}
/*
* The architecture to turn on debugging has a chicken and egg
* problem. Thus, we introduce a fix here.
*/
if (option == LDAP_OPT_DEBUG_LEVEL) {
dbglvl = (int *) invalue;
}
if( lo->ldo_valid != LDAP_INITIALIZED ) {
ldap_int_initialize(lo, dbglvl);
if ( lo->ldo_valid != LDAP_INITIALIZED )
return LDAP_LOCAL_ERROR;
}
if(ld != NULL) {
assert( LDAP_VALID( ld ) );
if( !LDAP_VALID( ld ) ) {
return LDAP_OPT_ERROR;
}
lo = &ld->ld_options;
}
LDAP_MUTEX_LOCK( &lo->ldo_mutex );
switch ( option ) {
/* options with boolean values */
case LDAP_OPT_REFERRALS:
if(invalue == LDAP_OPT_OFF) {
LDAP_BOOL_CLR(lo, LDAP_BOOL_REFERRALS);
} else {
LDAP_BOOL_SET(lo, LDAP_BOOL_REFERRALS);
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_RESTART:
if(invalue == LDAP_OPT_OFF) {
LDAP_BOOL_CLR(lo, LDAP_BOOL_RESTART);
} else {
LDAP_BOOL_SET(lo, LDAP_BOOL_RESTART);
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_CONNECT_ASYNC:
if(invalue == LDAP_OPT_OFF) {
LDAP_BOOL_CLR(lo, LDAP_BOOL_CONNECT_ASYNC);
} else {
LDAP_BOOL_SET(lo, LDAP_BOOL_CONNECT_ASYNC);
}
rc = LDAP_OPT_SUCCESS;
break;
/* options which can withstand invalue == NULL */
case LDAP_OPT_SERVER_CONTROLS: {
LDAPControl *const *controls =
(LDAPControl *const *) invalue;
if( lo->ldo_sctrls )
ldap_controls_free( lo->ldo_sctrls );
if( controls == NULL || *controls == NULL ) {
lo->ldo_sctrls = NULL;
rc = LDAP_OPT_SUCCESS;
break;
}
lo->ldo_sctrls = ldap_controls_dup( controls );
if(lo->ldo_sctrls == NULL) {
/* memory allocation error ? */
break; /* LDAP_OPT_ERROR */
}
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_CLIENT_CONTROLS: {
LDAPControl *const *controls =
(LDAPControl *const *) invalue;
if( lo->ldo_cctrls )
ldap_controls_free( lo->ldo_cctrls );
if( controls == NULL || *controls == NULL ) {
lo->ldo_cctrls = NULL;
rc = LDAP_OPT_SUCCESS;
break;
}
lo->ldo_cctrls = ldap_controls_dup( controls );
if(lo->ldo_cctrls == NULL) {
/* memory allocation error ? */
break; /* LDAP_OPT_ERROR */
}
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_HOST_NAME: {
const char *host = (const char *) invalue;
LDAPURLDesc *ludlist = NULL;
rc = LDAP_OPT_SUCCESS;
if(host != NULL) {
rc = ldap_url_parsehosts( &ludlist, host,
lo->ldo_defport ? lo->ldo_defport : LDAP_PORT );
} else if(ld == NULL) {
/*
* must want global default returned
* to initial condition.
*/
rc = ldap_url_parselist_ext(&ludlist, "ldap://localhost/", NULL,
LDAP_PVT_URL_PARSE_NOEMPTY_HOST
| LDAP_PVT_URL_PARSE_DEF_PORT );
} else {
/*
* must want the session default
* updated to the current global default
*/
ludlist = ldap_url_duplist(
ldap_int_global_options.ldo_defludp);
if (ludlist == NULL)
rc = LDAP_NO_MEMORY;
}
if (rc == LDAP_OPT_SUCCESS) {
if (lo->ldo_defludp != NULL)
ldap_free_urllist(lo->ldo_defludp);
lo->ldo_defludp = ludlist;
}
break;
}
case LDAP_OPT_URI: {
const char *urls = (const char *) invalue;
LDAPURLDesc *ludlist = NULL;
rc = LDAP_OPT_SUCCESS;
if(urls != NULL) {
rc = ldap_url_parselist_ext(&ludlist, urls, NULL,
LDAP_PVT_URL_PARSE_NOEMPTY_HOST
| LDAP_PVT_URL_PARSE_DEF_PORT );
} else if(ld == NULL) {
/*
* must want global default returned
* to initial condition.
*/
rc = ldap_url_parselist_ext(&ludlist, "ldap://localhost/", NULL,
LDAP_PVT_URL_PARSE_NOEMPTY_HOST
| LDAP_PVT_URL_PARSE_DEF_PORT );
} else {
/*
* must want the session default
* updated to the current global default
*/
ludlist = ldap_url_duplist(
ldap_int_global_options.ldo_defludp);
if (ludlist == NULL)
rc = LDAP_URL_ERR_MEM;
}
switch (rc) {
case LDAP_URL_SUCCESS: /* Success */
rc = LDAP_SUCCESS;
break;
case LDAP_URL_ERR_MEM: /* can't allocate memory space */
rc = LDAP_NO_MEMORY;
break;
case LDAP_URL_ERR_PARAM: /* parameter is bad */
case LDAP_URL_ERR_BADSCHEME: /* URL doesn't begin with "ldap[si]://" */
case LDAP_URL_ERR_BADENCLOSURE: /* URL is missing trailing ">" */
case LDAP_URL_ERR_BADURL: /* URL is bad */
case LDAP_URL_ERR_BADHOST: /* host port is bad */
case LDAP_URL_ERR_BADATTRS: /* bad (or missing) attributes */
case LDAP_URL_ERR_BADSCOPE: /* scope string is invalid (or missing) */
case LDAP_URL_ERR_BADFILTER: /* bad or missing filter */
case LDAP_URL_ERR_BADEXTS: /* bad or missing extensions */
rc = LDAP_PARAM_ERROR;
break;
}
if (rc == LDAP_SUCCESS) {
if (lo->ldo_defludp != NULL)
ldap_free_urllist(lo->ldo_defludp);
lo->ldo_defludp = ludlist;
}
break;
}
case LDAP_OPT_DEFBASE: {
const char *newbase = (const char *) invalue;
char *defbase = NULL;
if ( newbase != NULL ) {
defbase = LDAP_STRDUP( newbase );
if ( defbase == NULL ) {
rc = LDAP_NO_MEMORY;
break;
}
} else if ( ld != NULL ) {
defbase = LDAP_STRDUP( ldap_int_global_options.ldo_defbase );
if ( defbase == NULL ) {
rc = LDAP_NO_MEMORY;
break;
}
}
if ( lo->ldo_defbase != NULL )
LDAP_FREE( lo->ldo_defbase );
lo->ldo_defbase = defbase;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_DIAGNOSTIC_MESSAGE: {
const char *err = (const char *) invalue;
if(ld == NULL) {
/* need a struct ldap */
break; /* LDAP_OPT_ERROR */
}
if( ld->ld_error ) {
LDAP_FREE(ld->ld_error);
ld->ld_error = NULL;
}
if ( err ) {
ld->ld_error = LDAP_STRDUP(err);
}
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_MATCHED_DN: {
const char *matched = (const char *) invalue;
if (ld == NULL) {
/* need a struct ldap */
break; /* LDAP_OPT_ERROR */
}
if( ld->ld_matched ) {
LDAP_FREE(ld->ld_matched);
ld->ld_matched = NULL;
}
if ( matched ) {
ld->ld_matched = LDAP_STRDUP( matched );
}
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_REFERRAL_URLS: {
char *const *referrals = (char *const *) invalue;
if(ld == NULL) {
/* need a struct ldap */
break; /* LDAP_OPT_ERROR */
}
if( ld->ld_referrals ) {
LDAP_VFREE(ld->ld_referrals);
}
if ( referrals ) {
ld->ld_referrals = ldap_value_dup(referrals);
}
}
rc = LDAP_OPT_SUCCESS;
break;
/* Only accessed from inside this function by ldap_set_rebind_proc() */
case LDAP_OPT_REBIND_PROC: {
lo->ldo_rebind_proc = (LDAP_REBIND_PROC *)invalue;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_REBIND_PARAMS: {
lo->ldo_rebind_params = (void *)invalue;
}
rc = LDAP_OPT_SUCCESS;
break;
/* Only accessed from inside this function by ldap_set_nextref_proc() */
case LDAP_OPT_NEXTREF_PROC: {
lo->ldo_nextref_proc = (LDAP_NEXTREF_PROC *)invalue;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_NEXTREF_PARAMS: {
lo->ldo_nextref_params = (void *)invalue;
}
rc = LDAP_OPT_SUCCESS;
break;
/* Only accessed from inside this function by ldap_set_urllist_proc() */
case LDAP_OPT_URLLIST_PROC: {
lo->ldo_urllist_proc = (LDAP_URLLIST_PROC *)invalue;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_URLLIST_PARAMS: {
lo->ldo_urllist_params = (void *)invalue;
}
rc = LDAP_OPT_SUCCESS;
break;
/* read-only options */
case LDAP_OPT_API_INFO:
case LDAP_OPT_DESC:
case LDAP_OPT_SOCKBUF:
case LDAP_OPT_API_FEATURE_INFO:
break; /* LDAP_OPT_ERROR */
/* options which cannot withstand invalue == NULL */
case LDAP_OPT_DEREF:
case LDAP_OPT_SIZELIMIT:
case LDAP_OPT_TIMELIMIT:
case LDAP_OPT_PROTOCOL_VERSION:
case LDAP_OPT_RESULT_CODE:
case LDAP_OPT_DEBUG_LEVEL:
case LDAP_OPT_TIMEOUT:
case LDAP_OPT_NETWORK_TIMEOUT:
case LDAP_OPT_CONNECT_CB:
case LDAP_OPT_X_KEEPALIVE_IDLE:
case LDAP_OPT_X_KEEPALIVE_PROBES :
case LDAP_OPT_X_KEEPALIVE_INTERVAL :
if(invalue == NULL) {
/* no place to set from */
LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
return ( LDAP_OPT_ERROR );
}
break;
default:
#ifdef HAVE_TLS
if ( ldap_pvt_tls_set_option( ld, option, (void *)invalue ) == 0 ) {
LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
return ( LDAP_OPT_SUCCESS );
}
#endif
#ifdef HAVE_CYRUS_SASL
if ( ldap_int_sasl_set_option( ld, option, (void *)invalue ) == 0 ) {
LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
return ( LDAP_OPT_SUCCESS );
}
#endif
#ifdef HAVE_GSSAPI
if ( ldap_int_gssapi_set_option( ld, option, (void *)invalue ) == 0 ) {
LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
return ( LDAP_OPT_SUCCESS );
}
#endif
/* bad param */
break; /* LDAP_OPT_ERROR */
}
/* options which cannot withstand invalue == NULL */
switch(option) {
case LDAP_OPT_DEREF:
/* FIXME: check value for protocol compliance? */
lo->ldo_deref = * (const int *) invalue;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_SIZELIMIT:
/* FIXME: check value for protocol compliance? */
lo->ldo_sizelimit = * (const int *) invalue;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_TIMELIMIT:
/* FIXME: check value for protocol compliance? */
lo->ldo_timelimit = * (const int *) invalue;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_TIMEOUT: {
const struct timeval *tv =
(const struct timeval *) invalue;
lo->ldo_tm_api = *tv;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_NETWORK_TIMEOUT: {
const struct timeval *tv =
(const struct timeval *) invalue;
lo->ldo_tm_net = *tv;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_PROTOCOL_VERSION: {
int vers = * (const int *) invalue;
if (vers < LDAP_VERSION_MIN || vers > LDAP_VERSION_MAX) {
/* not supported */
break;
}
lo->ldo_version = vers;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_RESULT_CODE: {
int err = * (const int *) invalue;
if(ld == NULL) {
/* need a struct ldap */
break;
}
ld->ld_errno = err;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_DEBUG_LEVEL:
lo->ldo_debug = * (const int *) invalue;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_CONNECT_CB:
{
/* setting pushes the callback */
ldaplist *ll;
ll = LDAP_MALLOC( sizeof( *ll ));
ll->ll_data = (void *)invalue;
ll->ll_next = lo->ldo_conn_cbs;
lo->ldo_conn_cbs = ll;
}
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_X_KEEPALIVE_IDLE:
lo->ldo_keepalive_idle = * (const int *) invalue;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_X_KEEPALIVE_PROBES :
lo->ldo_keepalive_probes = * (const int *) invalue;
rc = LDAP_OPT_SUCCESS;
break;
case LDAP_OPT_X_KEEPALIVE_INTERVAL :
lo->ldo_keepalive_interval = * (const int *) invalue;
rc = LDAP_OPT_SUCCESS;
break;
}
LDAP_MUTEX_UNLOCK( &lo->ldo_mutex );
return ( rc );
}
static int
tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{
tlsg_session *s = (tlsg_session *)session;
int i, ret;
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
char altname[NI_MAXHOST];
size_t altnamesize;
gnutls_x509_crt_t cert;
const char *name;
char *ptr;
char *domain = NULL;
#ifdef LDAP_PF_INET6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
int len1 = 0, len2 = 0;
int ntype = IS_DNS;
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
{
name = ldap_int_hostname;
} else {
name = name_in;
}
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
if ( !peer_cert_list ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get peer certificate.\n",
0, 0, 0 );
/* If this was a fatal condition, things would have
* aborted long before now.
*/
return LDAP_SUCCESS;
}
ret = gnutls_x509_crt_init( &cert );
if ( ret < 0 )
return LDAP_LOCAL_ERROR;
ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
if ( ret ) {
gnutls_x509_crt_deinit( cert );
return LDAP_LOCAL_ERROR;
}
#ifdef LDAP_PF_INET6
if (name[0] == '[' && strchr(name, ']')) {
char *n2 = ldap_strdup(name+1);
*strchr(n2, ']') = 0;
if (inet_pton(AF_INET6, n2, &addr))
ntype = IS_IP6;
LDAP_FREE(n2);
} else
#endif
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
if (ntype == IS_DNS) {
len1 = strlen(name);
domain = strchr(name, '.');
if (domain) {
len2 = len1 - (domain-name);
}
}
for ( i=0, ret=0; ret >= 0; i++ ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
altname, &altnamesize, NULL );
if ( ret < 0 ) break;
/* ignore empty */
if ( altnamesize == 0 ) continue;
if ( ret == GNUTLS_SAN_DNSNAME ) {
if (ntype != IS_DNS) continue;
/* Is this an exact match? */
if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
break;
}
/* Is this a wildcard match? */
if (domain && (altname[0] == '*') && (altname[1] == '.') &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
{
break;
}
} else if ( ret == GNUTLS_SAN_IPADDRESS ) {
if (ntype == IS_DNS) continue;
#ifdef LDAP_PF_INET6
if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
continue;
} else
#endif
if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
continue;
}
if (!memcmp(altname, &addr, altnamesize)) {
break;
}
}
}
if ( ret >= 0 ) {
ret = LDAP_SUCCESS;
} else {
/* find the last CN */
i=0;
do {
altnamesize = 0;
ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
i, 1, altname, &altnamesize );
if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER )
i++;
else
break;
} while ( 1 );
if ( i ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
i-1, 0, altname, &altnamesize );
}
if ( ret < 0 ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
} else {
ret = LDAP_LOCAL_ERROR;
if ( !len1 ) len1 = strlen( name );
if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
ret = LDAP_SUCCESS;
} else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
/* Is this a wildcard match? */
if( domain &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
ret = LDAP_SUCCESS;
}
}
}
if( ret == LDAP_LOCAL_ERROR ) {
altname[altnamesize] = '\0';
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
name, altname, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
}
}
gnutls_x509_crt_deinit( cert );
return ret;
}
/*
* Chase v3 referrals
*
* Parameters:
* (IN) ld = LDAP connection handle
* (IN) lr = LDAP Request structure
* (IN) refs = array of pointers to referral strings that we will chase
* The array will be free'd by this function when no longer needed
* (IN) sref != 0 if following search reference
* (OUT) errstrp = Place to return a string of referrals which could not be followed
* (OUT) hadrefp = 1 if sucessfully followed referral
*
* Return value - number of referrals followed
*
* Protected by res_mutex, conn_mutex and req_mutex (try_read1msg)
*/
int
ldap_chase_v3referrals( LDAP *ld, LDAPRequest *lr, char **refs, int sref, char **errstrp, int *hadrefp )
{
char *unfollowed;
int unfollowedcnt = 0;
LDAPRequest *origreq;
LDAPURLDesc *srv = NULL;
BerElement *ber;
char **refarray = NULL;
LDAPConn *lc;
int rc, count, i, j, id;
LDAPreqinfo rinfo;
LDAP_NEXTREF_PROC *nextref_proc = ld->ld_nextref_proc ? ld->ld_nextref_proc : ldap_int_nextref;
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_res_mutex );
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_conn_mutex );
LDAP_ASSERT_MUTEX_OWNER( &ld->ld_req_mutex );
Debug( LDAP_DEBUG_TRACE, "ldap_chase_v3referrals\n", 0, 0, 0 );
ld->ld_errno = LDAP_SUCCESS; /* optimistic */
*hadrefp = 0;
unfollowed = NULL;
rc = count = 0;
/* If no referrals in array, return */
if ( (refs == NULL) || ( (refs)[0] == NULL) ) {
rc = 0;
goto done;
}
/* Check for hop limit exceeded */
if ( lr->lr_parentcnt >= ld->ld_refhoplimit ) {
Debug( LDAP_DEBUG_ANY,
"more than %d referral hops (dropping)\n", ld->ld_refhoplimit, 0, 0 );
ld->ld_errno = LDAP_REFERRAL_LIMIT_EXCEEDED;
rc = -1;
goto done;
}
/* find original request */
for ( origreq = lr;
origreq->lr_parent != NULL;
origreq = origreq->lr_parent )
{
/* empty */ ;
}
refarray = refs;
refs = NULL;
/* parse out & follow referrals */
/* NOTE: if nextref_proc == ldap_int_nextref, params is ignored */
i = -1;
for ( nextref_proc( ld, &refarray, &i, ld->ld_nextref_params );
i != -1;
nextref_proc( ld, &refarray, &i, ld->ld_nextref_params ) )
{
/* Parse the referral URL */
rc = ldap_url_parse_ext( refarray[i], &srv, LDAP_PVT_URL_PARSE_NOEMPTY_DN );
if ( rc != LDAP_URL_SUCCESS ) {
/* ldap_url_parse_ext() returns LDAP_URL_* errors
* which do not map on API errors */
ld->ld_errno = LDAP_PARAM_ERROR;
rc = -1;
goto done;
}
if( srv->lud_crit_exts ) {
int ok = 0;
#ifdef HAVE_TLS
/* If StartTLS is the only critical ext, OK. */
if ( find_tls_ext( srv ) == 2 && srv->lud_crit_exts == 1 )
ok = 1;
#endif
if ( !ok ) {
/* we do not support any other extensions */
ld->ld_errno = LDAP_NOT_SUPPORTED;
rc = -1;
goto done;
}
}
/* check connection for re-bind in progress */
if (( lc = find_connection( ld, srv, 1 )) != NULL ) {
/* See if we've already requested this DN with this conn */
LDAPRequest *lp;
int looped = 0;
ber_len_t len = srv->lud_dn ? strlen( srv->lud_dn ) : 0;
for ( lp = origreq; lp; ) {
if ( lp->lr_conn == lc
&& len == lp->lr_dn.bv_len
&& len
&& strncmp( srv->lud_dn, lp->lr_dn.bv_val, len ) == 0 )
{
looped = 1;
break;
}
if ( lp == origreq ) {
lp = lp->lr_child;
} else {
lp = lp->lr_refnext;
}
}
if ( looped ) {
ldap_free_urllist( srv );
srv = NULL;
ld->ld_errno = LDAP_CLIENT_LOOP;
rc = -1;
continue;
}
if ( lc->lconn_rebind_inprogress ) {
/* We are already chasing a referral or search reference and a
* bind on that connection is in progress. We must queue
* referrals on that connection, so we don't get a request
* going out before the bind operation completes. This happens
* if two search references come in one behind the other
* for the same server with different contexts.
*/
Debug( LDAP_DEBUG_TRACE,
"ldap_chase_v3referrals: queue referral \"%s\"\n",
refarray[i], 0, 0);
if( lc->lconn_rebind_queue == NULL ) {
/* Create a referral list */
lc->lconn_rebind_queue =
(char ***) LDAP_MALLOC( sizeof(void *) * 2);
if( lc->lconn_rebind_queue == NULL) {
ld->ld_errno = LDAP_NO_MEMORY;
rc = -1;
goto done;
}
lc->lconn_rebind_queue[0] = refarray;
lc->lconn_rebind_queue[1] = NULL;
refarray = NULL;
} else {
/* Count how many referral arrays we already have */
for( j = 0; lc->lconn_rebind_queue[j] != NULL; j++) {
/* empty */;
}
/* Add the new referral to the list */
lc->lconn_rebind_queue = (char ***) LDAP_REALLOC(
lc->lconn_rebind_queue, sizeof(void *) * (j + 2));
if( lc->lconn_rebind_queue == NULL ) {
ld->ld_errno = LDAP_NO_MEMORY;
rc = -1;
goto done;
}
lc->lconn_rebind_queue[j] = refarray;
lc->lconn_rebind_queue[j+1] = NULL;
refarray = NULL;
}
/* We have queued the referral/reference, now just return */
rc = 0;
*hadrefp = 1;
count = 1; /* Pretend we already followed referral */
goto done;
}
}
/* Re-encode the request with the new starting point of the search.
* Note: In the future we also need to replace the filter if one
* was provided with the search reference
*/
/* For references we don't want old dn if new dn empty */
if ( sref && srv->lud_dn == NULL ) {
srv->lud_dn = LDAP_STRDUP( "" );
}
LDAP_NEXT_MSGID( ld, id );
ber = re_encode_request( ld, origreq->lr_ber, id,
sref, srv, &rinfo.ri_request );
if( ber == NULL ) {
ld->ld_errno = LDAP_ENCODING_ERROR;
rc = -1;
goto done;
}
Debug( LDAP_DEBUG_TRACE,
"ldap_chase_v3referral: msgid %d, url \"%s\"\n",
lr->lr_msgid, refarray[i], 0);
/* Send the new request to the server - may require a bind */
rinfo.ri_msgid = origreq->lr_origid;
rinfo.ri_url = refarray[i];
rc = ldap_send_server_request( ld, ber, id,
origreq, &srv, NULL, &rinfo, 0, 1 );
if ( rc < 0 ) {
/* Failure, try next referral in the list */
Debug( LDAP_DEBUG_ANY, "Unable to chase referral \"%s\" (%d: %s)\n",
refarray[i], ld->ld_errno, ldap_err2string( ld->ld_errno ) );
unfollowedcnt += ldap_append_referral( ld, &unfollowed, refarray[i] );
ldap_free_urllist( srv );
srv = NULL;
ld->ld_errno = LDAP_REFERRAL;
} else {
/* Success, no need to try this referral list further */
rc = 0;
++count;
*hadrefp = 1;
/* check if there is a queue of referrals that came in during bind */
if ( lc == NULL) {
lc = find_connection( ld, srv, 1 );
if ( lc == NULL ) {
ld->ld_errno = LDAP_OPERATIONS_ERROR;
rc = -1;
LDAP_MUTEX_UNLOCK( &ld->ld_conn_mutex );
goto done;
}
}
if ( lc->lconn_rebind_queue != NULL ) {
/* Release resources of previous list */
LDAP_VFREE( refarray );
refarray = NULL;
ldap_free_urllist( srv );
srv = NULL;
/* Pull entries off end of queue so list always null terminated */
for( j = 0; lc->lconn_rebind_queue[j] != NULL; j++ )
;
refarray = lc->lconn_rebind_queue[j - 1];
lc->lconn_rebind_queue[j-1] = NULL;
/* we pulled off last entry from queue, free queue */
if ( j == 1 ) {
LDAP_FREE( lc->lconn_rebind_queue );
lc->lconn_rebind_queue = NULL;
}
/* restart the loop the with new referral list */
i = -1;
continue;
}
break; /* referral followed, break out of for loop */
}
} /* end for loop */
done:
LDAP_VFREE( refarray );
ldap_free_urllist( srv );
LDAP_FREE( *errstrp );
if( rc == 0 ) {
*errstrp = NULL;
LDAP_FREE( unfollowed );
return count;
} else {
*errstrp = unfollowed;
return rc;
}
}
/*
* initialize a new TLS context
*/
static int
ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
{
int rc = 0;
tls_impl *ti = tls_imp;
struct ldaptls lts = lo->ldo_tls_info;
if ( lo->ldo_tls_ctx )
return 0;
tls_init( ti );
if ( is_server && !lts.lt_certfile && !lts.lt_keyfile &&
!lts.lt_cacertfile && !lts.lt_cacertdir ) {
/* minimum configuration not provided */
return LDAP_NOT_SUPPORTED;
}
#ifdef HAVE_EBCDIC
/* This ASCII/EBCDIC handling is a real pain! */
if ( lts.lt_ciphersuite ) {
lts.lt_ciphersuite = LDAP_STRDUP( lts.lt_ciphersuite );
__atoe( lts.lt_ciphersuite );
}
if ( lts.lt_cacertfile ) {
lts.lt_cacertfile = LDAP_STRDUP( lts.lt_cacertfile );
__atoe( lts.lt_cacertfile );
}
if ( lts.lt_certfile ) {
lts.lt_certfile = LDAP_STRDUP( lts.lt_certfile );
__atoe( lts.lt_certfile );
}
if ( lts.lt_keyfile ) {
lts.lt_keyfile = LDAP_STRDUP( lts.lt_keyfile );
__atoe( lts.lt_keyfile );
}
if ( lts.lt_crlfile ) {
lts.lt_crlfile = LDAP_STRDUP( lts.lt_crlfile );
__atoe( lts.lt_crlfile );
}
if ( lts.lt_cacertdir ) {
lts.lt_cacertdir = LDAP_STRDUP( lts.lt_cacertdir );
__atoe( lts.lt_cacertdir );
}
if ( lts.lt_dhfile ) {
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not allocate default ctx.\n",
0,0,0);
rc = -1;
goto error_exit;
}
rc = ti->ti_ctx_init( lo, <s, is_server );
error_exit:
if ( rc < 0 && lo->ldo_tls_ctx != NULL ) {
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
}
#ifdef HAVE_EBCDIC
LDAP_FREE( lts.lt_ciphersuite );
LDAP_FREE( lts.lt_cacertfile );
LDAP_FREE( lts.lt_certfile );
LDAP_FREE( lts.lt_keyfile );
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
#endif
return rc;
}
int
ldap_pvt_put_filter( BerElement *ber, const char *str_in )
{
int rc;
char *freeme;
char *str;
char *next;
int parens, balance, escape;
/*
* A Filter looks like this (RFC 4511 as extended by RFC 4526):
* Filter ::= CHOICE {
* and [0] SET SIZE (0..MAX) OF filter Filter,
* or [1] SET SIZE (0..MAX) OF filter Filter,
* not [2] Filter,
* equalityMatch [3] AttributeValueAssertion,
* substrings [4] SubstringFilter,
* greaterOrEqual [5] AttributeValueAssertion,
* lessOrEqual [6] AttributeValueAssertion,
* present [7] AttributeDescription,
* approxMatch [8] AttributeValueAssertion,
* extensibleMatch [9] MatchingRuleAssertion,
* ... }
*
* SubstringFilter ::= SEQUENCE {
* type AttributeDescription,
* substrings SEQUENCE SIZE (1..MAX) OF substring CHOICE {
* initial [0] AssertionValue, -- only once
* any [1] AssertionValue,
* final [2] AssertionValue -- only once
* }
* }
*
* MatchingRuleAssertion ::= SEQUENCE {
* matchingRule [1] MatchingRuleId OPTIONAL,
* type [2] AttributeDescription OPTIONAL,
* matchValue [3] AssertionValue,
* dnAttributes [4] BOOLEAN DEFAULT FALSE }
*
* Note: tags in a CHOICE are always explicit
*/
Debug( LDAP_DEBUG_TRACE, "put_filter: \"%s\"\n", str_in, 0, 0 );
freeme = LDAP_STRDUP( str_in );
if( freeme == NULL ) return LDAP_NO_MEMORY;
str = freeme;
parens = 0;
while ( *str ) {
switch ( *str ) {
case '(': /*')'*/
str++;
parens++;
/* skip spaces */
while( LDAP_SPACE( *str ) ) str++;
switch ( *str ) {
case '&':
Debug( LDAP_DEBUG_TRACE, "put_filter: AND\n",
0, 0, 0 );
str = put_complex_filter( ber, str,
LDAP_FILTER_AND, 0 );
if( str == NULL ) {
rc = -1;
goto done;
}
parens--;
break;
case '|':
Debug( LDAP_DEBUG_TRACE, "put_filter: OR\n",
0, 0, 0 );
str = put_complex_filter( ber, str,
LDAP_FILTER_OR, 0 );
if( str == NULL ) {
rc = -1;
goto done;
}
parens--;
break;
case '!':
Debug( LDAP_DEBUG_TRACE, "put_filter: NOT\n",
0, 0, 0 );
str = put_complex_filter( ber, str,
LDAP_FILTER_NOT, 0 );
if( str == NULL ) {
rc = -1;
goto done;
}
parens--;
break;
case '(':
rc = -1;
goto done;
default:
Debug( LDAP_DEBUG_TRACE, "put_filter: simple\n",
0, 0, 0 );
balance = 1;
escape = 0;
next = str;
while ( *next && balance ) {
if ( escape == 0 ) {
if ( *next == '(' ) {
balance++;
} else if ( *next == ')' ) {
balance--;
}
}
if ( *next == '\\' && ! escape ) {
escape = 1;
} else {
escape = 0;
}
if ( balance ) next++;
}
if ( balance != 0 ) {
rc = -1;
goto done;
}
*next = '\0';
if ( put_simple_filter( ber, str ) == -1 ) {
rc = -1;
goto done;
}
*next++ = /*'('*/ ')';
str = next;
parens--;
break;
}
break;
case /*'('*/ ')':
Debug( LDAP_DEBUG_TRACE, "put_filter: end\n",
0, 0, 0 );
if ( ber_printf( ber, /*"["*/ "]" ) == -1 ) {
rc = -1;
goto done;
}
str++;
parens--;
break;
case ' ':
str++;
break;
default: /* assume it's a simple type=value filter */
Debug( LDAP_DEBUG_TRACE, "put_filter: default\n",
0, 0, 0 );
next = strchr( str, '\0' );
if ( put_simple_filter( ber, str ) == -1 ) {
rc = -1;
goto done;
}
str = next;
break;
}
if ( !parens )
break;
}
rc = ( parens || *str ) ? -1 : 0;
done:
LDAP_FREE( freeme );
return rc;
}
static int
ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
{
Sockbuf *sb = conn->lconn_sb;
int err;
tls_session *ssl = NULL;
if ( HAS_TLS( sb )) {
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
} else {
struct ldapoptions *lo;
tls_ctx *ctx;
ctx = ld->ld_options.ldo_tls_ctx;
ssl = alloc_handle( ctx, 0 );
if ( ssl == NULL ) return -1;
#ifdef LDAP_DEBUG
ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
#endif
ber_sockbuf_add_io( sb, tls_imp->ti_sbio,
LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
lo = LDAP_INT_GLOBAL_OPT();
if( ctx == NULL ) {
ctx = lo->ldo_tls_ctx;
ld->ld_options.ldo_tls_ctx = ctx;
tls_ctx_ref( ctx );
}
if ( ld->ld_options.ldo_tls_connect_cb )
ld->ld_options.ldo_tls_connect_cb( ld, ssl, ctx,
ld->ld_options.ldo_tls_connect_arg );
if ( lo && lo->ldo_tls_connect_cb && lo->ldo_tls_connect_cb !=
ld->ld_options.ldo_tls_connect_cb )
lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
}
err = tls_imp->ti_session_connect( ld, ssl );
#ifdef HAVE_WINSOCK
errno = WSAGetLastError();
#endif
if ( err < 0 )
{
char buf[256], *msg;
if ( update_flags( sb, ssl, err )) {
return 1;
}
msg = tls_imp->ti_session_errmsg( ssl, err, buf, sizeof(buf) );
if ( msg ) {
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP( msg );
#ifdef HAVE_EBCDIC
if ( ld->ld_error ) __etoa(ld->ld_error);
#endif
}
Debug( LDAP_DEBUG_ANY,"TLS: can't connect: %s.\n",
ld->ld_error ? ld->ld_error : "" ,0,0);
ber_sockbuf_remove_io( sb, tls_imp->ti_sbio,
LBER_SBIOD_LEVEL_TRANSPORT );
#ifdef LDAP_DEBUG
ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_TRANSPORT );
#endif
return -1;
}
return 0;
}
static int
put_simple_vrFilter(
BerElement *ber,
char *str )
{
char *s;
char *value;
ber_tag_t ftype;
int rc = -1;
Debug( LDAP_DEBUG_TRACE, "put_simple_vrFilter: \"%s\"\n",
str, 0, 0 );
str = LDAP_STRDUP( str );
if( str == NULL ) return -1;
if ( (s = strchr( str, '=' )) == NULL ) {
goto done;
}
value = s + 1;
*s-- = '\0';
switch ( *s ) {
case '<':
ftype = LDAP_FILTER_LE;
*s = '\0';
break;
case '>':
ftype = LDAP_FILTER_GE;
*s = '\0';
break;
case '~':
ftype = LDAP_FILTER_APPROX;
*s = '\0';
break;
case ':':
/* According to ValuesReturnFilter control definition
* extensible filters are off the form:
* type [:rule] := value
* or :rule := value
*/
ftype = LDAP_FILTER_EXT;
*s = '\0';
{
char *rule = strchr( str, ':' );
if( rule == NULL ) {
/* must have attribute */
if( !ldap_is_desc( str ) ) {
goto done;
}
rule = "";
} else {
*rule++ = '\0';
}
if ( *str == '\0' && ( !rule || *rule == '\0' ) ) {
/* must have either type or rule */
goto done;
}
if ( *str != '\0' && !ldap_is_desc( str ) ) {
goto done;
}
if ( rule && *rule != '\0' && !ldap_is_oid( rule ) ) {
goto done;
}
rc = ber_printf( ber, "t{" /*"}"*/, ftype );
if( rc != -1 && rule && *rule != '\0' ) {
rc = ber_printf( ber, "ts", LDAP_FILTER_EXT_OID, rule );
}
if( rc != -1 && *str != '\0' ) {
rc = ber_printf( ber, "ts", LDAP_FILTER_EXT_TYPE, str );
}
if( rc != -1 ) {
ber_slen_t len = ldap_pvt_filter_value_unescape( value );
if( len >= 0 ) {
rc = ber_printf( ber, "to",
LDAP_FILTER_EXT_VALUE, value, len );
} else {
rc = -1;
}
}
if( rc != -1 ) {
rc = ber_printf( ber, /*"{"*/ "N}" );
}
}
goto done;
default:
if( !ldap_is_desc( str ) ) {
goto done;
} else {
char *nextstar = ldap_pvt_find_wildcard( value );
if ( nextstar == NULL ) {
goto done;
} else if ( *nextstar == '\0' ) {
ftype = LDAP_FILTER_EQUALITY;
} else if ( strcmp( value, "*" ) == 0 ) {
ftype = LDAP_FILTER_PRESENT;
} else {
rc = put_substring_filter( ber, str, value, nextstar );
goto done;
}
} break;
}
if( !ldap_is_desc( str ) ) goto done;
if ( ftype == LDAP_FILTER_PRESENT ) {
rc = ber_printf( ber, "ts", ftype, str );
} else {
ber_slen_t len = ldap_pvt_filter_value_unescape( value );
if( len >= 0 ) {
rc = ber_printf( ber, "t{soN}",
ftype, str, value, len );
}
}
done:
if( rc != -1 ) rc = 0;
LDAP_FREE( str );
return rc;
}
int
ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
{
struct ldapoptions *lo;
if( option == LDAP_OPT_X_TLS_PACKAGE ) {
*(char **)arg = LDAP_STRDUP( tls_imp->ti_name );
return 0;
}
if( ld != NULL ) {
assert( LDAP_VALID( ld ) );
if( !LDAP_VALID( ld ) ) {
return LDAP_OPT_ERROR;
}
lo = &ld->ld_options;
} else {
/* Get pointer to global option structure */
lo = LDAP_INT_GLOBAL_OPT();
if ( lo == NULL ) {
return LDAP_NO_MEMORY;
}
}
switch( option ) {
case LDAP_OPT_X_TLS:
*(int *)arg = lo->ldo_tls_mode;
break;
case LDAP_OPT_X_TLS_CTX:
*(void **)arg = lo->ldo_tls_ctx;
if ( lo->ldo_tls_ctx ) {
tls_ctx_ref( lo->ldo_tls_ctx );
}
break;
case LDAP_OPT_X_TLS_CACERTFILE:
*(char **)arg = lo->ldo_tls_cacertfile ?
LDAP_STRDUP( lo->ldo_tls_cacertfile ) : NULL;
break;
case LDAP_OPT_X_TLS_CACERTDIR:
*(char **)arg = lo->ldo_tls_cacertdir ?
LDAP_STRDUP( lo->ldo_tls_cacertdir ) : NULL;
break;
case LDAP_OPT_X_TLS_CERTFILE:
*(char **)arg = lo->ldo_tls_certfile ?
LDAP_STRDUP( lo->ldo_tls_certfile ) : NULL;
break;
case LDAP_OPT_X_TLS_KEYFILE:
*(char **)arg = lo->ldo_tls_keyfile ?
LDAP_STRDUP( lo->ldo_tls_keyfile ) : NULL;
break;
case LDAP_OPT_X_TLS_DHFILE:
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
break;
case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = lo->ldo_tls_require_cert;
break;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck;
break;
#endif
case LDAP_OPT_X_TLS_CIPHER_SUITE:
*(char **)arg = lo->ldo_tls_ciphersuite ?
LDAP_STRDUP( lo->ldo_tls_ciphersuite ) : NULL;
break;
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
*(int *)arg = lo->ldo_tls_protocol_min;
break;
case LDAP_OPT_X_TLS_RANDOM_FILE:
*(char **)arg = lo->ldo_tls_randfile ?
LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL;
break;
case LDAP_OPT_X_TLS_SSL_CTX: {
void *retval = 0;
if ( ld != NULL ) {
LDAPConn *conn = ld->ld_defconn;
if ( conn != NULL ) {
Sockbuf *sb = conn->lconn_sb;
retval = ldap_pvt_tls_sb_ctx( sb );
}
}
*(void **)arg = retval;
break;
}
case LDAP_OPT_X_TLS_CONNECT_CB:
*(LDAP_TLS_CONNECT_CB **)arg = lo->ldo_tls_connect_cb;
break;
case LDAP_OPT_X_TLS_CONNECT_ARG:
*(void **)arg = lo->ldo_tls_connect_arg;
break;
default:
return -1;
}
return 0;
}
