xref: /onnv-gate/usr/src/lib/libldap5/sources/ldap/ssldap/ldapsinit.c (revision 0:68f95e015346)
1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
3*0Sstevel@tonic-gate  * Use is subject to license terms.
4*0Sstevel@tonic-gate  */
5*0Sstevel@tonic-gate 
6*0Sstevel@tonic-gate /*
7*0Sstevel@tonic-gate  * The contents of this file are subject to the Netscape Public
8*0Sstevel@tonic-gate  * License Version 1.1 (the "License"); you may not use this file
9*0Sstevel@tonic-gate  * except in compliance with the License. You may obtain a copy of
10*0Sstevel@tonic-gate  * the License at http://www.mozilla.org/NPL/
11*0Sstevel@tonic-gate  *
12*0Sstevel@tonic-gate  * Software distributed under the License is distributed on an "AS
13*0Sstevel@tonic-gate  * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
14*0Sstevel@tonic-gate  * implied. See the License for the specific language governing
15*0Sstevel@tonic-gate  * rights and limitations under the License.
16*0Sstevel@tonic-gate  *
17*0Sstevel@tonic-gate  * The Original Code is Mozilla Communicator client code, released
18*0Sstevel@tonic-gate  * March 31, 1998.
19*0Sstevel@tonic-gate  *
20*0Sstevel@tonic-gate  * The Initial Developer of the Original Code is Netscape
21*0Sstevel@tonic-gate  * Communications Corporation. Portions created by Netscape are
22*0Sstevel@tonic-gate  * Copyright (C) 1998-1999 Netscape Communications Corporation. All
23*0Sstevel@tonic-gate  * Rights Reserved.
24*0Sstevel@tonic-gate  *
25*0Sstevel@tonic-gate  * Contributor(s):
26*0Sstevel@tonic-gate  */
27*0Sstevel@tonic-gate 
28*0Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
29*0Sstevel@tonic-gate 
30*0Sstevel@tonic-gate /*
31*0Sstevel@tonic-gate  * ldapsinit.c
32*0Sstevel@tonic-gate  */
33*0Sstevel@tonic-gate 
34*0Sstevel@tonic-gate #if defined(NET_SSL)
35*0Sstevel@tonic-gate 
36*0Sstevel@tonic-gate #if defined( _WINDOWS )
37*0Sstevel@tonic-gate #include <windows.h>
38*0Sstevel@tonic-gate #endif
39*0Sstevel@tonic-gate 
40*0Sstevel@tonic-gate /* XXX:mhein The following is a workaround for the redefinition of */
41*0Sstevel@tonic-gate /*           const problem on OSF.  Fix to be provided by NSS */
42*0Sstevel@tonic-gate /*           This is a pretty benign workaround for us which */
43*0Sstevel@tonic-gate /*           should not cause problems in the future even if */
44*0Sstevel@tonic-gate /*           we forget to take it out :-) */
45*0Sstevel@tonic-gate 
46*0Sstevel@tonic-gate #ifdef OSF1V4D
47*0Sstevel@tonic-gate #ifndef __STDC__
48*0Sstevel@tonic-gate #  define __STDC__
49*0Sstevel@tonic-gate #endif /* __STDC__ */
50*0Sstevel@tonic-gate #endif /* OSF1V4D */
51*0Sstevel@tonic-gate 
52*0Sstevel@tonic-gate #include <errno.h>
53*0Sstevel@tonic-gate #include <nspr.h>
54*0Sstevel@tonic-gate #include <cert.h>
55*0Sstevel@tonic-gate #include <key.h>
56*0Sstevel@tonic-gate #include <ssl.h>
57*0Sstevel@tonic-gate #include <sslproto.h>
58*0Sstevel@tonic-gate #include <sslerr.h>
59*0Sstevel@tonic-gate #include <prnetdb.h>
60*0Sstevel@tonic-gate 
61*0Sstevel@tonic-gate #include <ldap.h>
62*0Sstevel@tonic-gate 
63*0Sstevel@tonic-gate #include <ldappr.h>
64*0Sstevel@tonic-gate #include <pk11func.h>
65*0Sstevel@tonic-gate 
66*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
67*0Sstevel@tonic-gate #include "solaris-int.h"
68*0Sstevel@tonic-gate #include <libintl.h>
69*0Sstevel@tonic-gate #include <syslog.h>
70*0Sstevel@tonic-gate #include <nsswitch.h>
71*0Sstevel@tonic-gate #include <synch.h>
72*0Sstevel@tonic-gate #include <nss_dbdefs.h>
73*0Sstevel@tonic-gate #include <netinet/in.h>
74*0Sstevel@tonic-gate 
75*0Sstevel@tonic-gate #define	HOST_BUF_SIZE	2048
76*0Sstevel@tonic-gate 
77*0Sstevel@tonic-gate #ifndef INADDR_NONE
78*0Sstevel@tonic-gate #define	INADDR_NONE (-1)
79*0Sstevel@tonic-gate #endif
80*0Sstevel@tonic-gate 
81*0Sstevel@tonic-gate extern int
82*0Sstevel@tonic-gate str2hostent(const char *instr, int lenstr, void *ent, char *buffer,
83*0Sstevel@tonic-gate 		int buflen);
84*0Sstevel@tonic-gate 
85*0Sstevel@tonic-gate extern int
86*0Sstevel@tonic-gate str2hostent6(const char *instr, int lenstr, void *ent, char *buffer,
87*0Sstevel@tonic-gate 		int buflen);
88*0Sstevel@tonic-gate 
89*0Sstevel@tonic-gate extern LDAPHostEnt *
90*0Sstevel@tonic-gate _ns_gethostbyaddr(LDAP *ld, const char *addr, int length, int type,
91*0Sstevel@tonic-gate 	LDAPHostEnt *result, char *buffer, int buflen, int *statusp,
92*0Sstevel@tonic-gate 	void *extradata);
93*0Sstevel@tonic-gate 
94*0Sstevel@tonic-gate static char *host_service = NULL;
95*0Sstevel@tonic-gate 
96*0Sstevel@tonic-gate static DEFINE_NSS_DB_ROOT(db_root_hosts);
97*0Sstevel@tonic-gate static DEFINE_NSS_DB_ROOT(db_root_ipnodes);
98*0Sstevel@tonic-gate #endif
99*0Sstevel@tonic-gate 
100*0Sstevel@tonic-gate /*
101*0Sstevel@tonic-gate  * Data structure to hold the standard NSPR I/O function pointers set by
102*0Sstevel@tonic-gate  * libprldap.   We save them in our session data structure so we can call
103*0Sstevel@tonic-gate  * them from our own I/O functions (we add functionality to support SSL
104*0Sstevel@tonic-gate  * while using libprldap's functions as much as possible).
105*0Sstevel@tonic-gate  */
106*0Sstevel@tonic-gate typedef struct ldapssl_std_functions {
107*0Sstevel@tonic-gate     LDAP_X_EXTIOF_CLOSE_CALLBACK		*lssf_close_fn;
108*0Sstevel@tonic-gate     LDAP_X_EXTIOF_CONNECT_CALLBACK		*lssf_connect_fn;
109*0Sstevel@tonic-gate     LDAP_X_EXTIOF_DISPOSEHANDLE_CALLBACK	*lssf_disposehdl_fn;
110*0Sstevel@tonic-gate } LDAPSSLStdFunctions;
111*0Sstevel@tonic-gate 
112*0Sstevel@tonic-gate 
113*0Sstevel@tonic-gate 
114*0Sstevel@tonic-gate /*
115*0Sstevel@tonic-gate  * LDAP session data structure.
116*0Sstevel@tonic-gate  */
117*0Sstevel@tonic-gate typedef struct ldapssl_session_info {
118*0Sstevel@tonic-gate     int                 lssei_using_pcks_fns;
119*0Sstevel@tonic-gate     int                 lssei_ssl_strength;
120*0Sstevel@tonic-gate     char                *lssei_certnickname;
121*0Sstevel@tonic-gate     char                *lssei_keypasswd;
122*0Sstevel@tonic-gate     LDAPSSLStdFunctions lssei_std_functions;
123*0Sstevel@tonic-gate     CERTCertDBHandle    *lssei_certdbh;
124*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
125*0Sstevel@tonic-gate 	/*
126*0Sstevel@tonic-gate 	 * This is a hack.
127*0Sstevel@tonic-gate 	 * ld is used so that we can use libldap's gethostbyaddr
128*0Sstevel@tonic-gate 	 * resolver. This is needed to prevent recursion with libsldap.
129*0Sstevel@tonic-gate 	 */
130*0Sstevel@tonic-gate     LDAP		*ld;
131*0Sstevel@tonic-gate #endif	/* _SOLARIS_SDK */
132*0Sstevel@tonic-gate } LDAPSSLSessionInfo;
133*0Sstevel@tonic-gate 
134*0Sstevel@tonic-gate 
135*0Sstevel@tonic-gate /*
136*0Sstevel@tonic-gate  * LDAP socket data structure.
137*0Sstevel@tonic-gate  */
138*0Sstevel@tonic-gate typedef struct ldapssl_socket_info {
139*0Sstevel@tonic-gate     LDAPSSLSessionInfo	*soi_sessioninfo;	/* session info */
140*0Sstevel@tonic-gate } LDAPSSLSocketInfo;
141*0Sstevel@tonic-gate 
142*0Sstevel@tonic-gate 
143*0Sstevel@tonic-gate /*
144*0Sstevel@tonic-gate  * XXXceb  This is a hack until the new IO functions are done.
145*0Sstevel@tonic-gate  * this function MUST be called before ldap_enable_clienauth.
146*0Sstevel@tonic-gate  * right now, this function is called in ldapssl_pkcs_init();
147*0Sstevel@tonic-gate  */
148*0Sstevel@tonic-gate 
149*0Sstevel@tonic-gate static int using_pkcs_functions = 0;
150*0Sstevel@tonic-gate 
set_using_pkcs_functions(int val)151*0Sstevel@tonic-gate void set_using_pkcs_functions( int val )
152*0Sstevel@tonic-gate {
153*0Sstevel@tonic-gate     using_pkcs_functions = val;
154*0Sstevel@tonic-gate }
155*0Sstevel@tonic-gate 
156*0Sstevel@tonic-gate 
157*0Sstevel@tonic-gate /*
158*0Sstevel@tonic-gate  * Utility functions:
159*0Sstevel@tonic-gate  */
160*0Sstevel@tonic-gate static void ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp );
161*0Sstevel@tonic-gate static void ldapssl_free_socket_info( LDAPSSLSocketInfo **soipp );
162*0Sstevel@tonic-gate 
163*0Sstevel@tonic-gate 
164*0Sstevel@tonic-gate /*
165*0Sstevel@tonic-gate  *  SSL Stuff
166*0Sstevel@tonic-gate  */
167*0Sstevel@tonic-gate 
168*0Sstevel@tonic-gate static int ldapssl_AuthCertificate(void *sessionarg, PRFileDesc *fd,
169*0Sstevel@tonic-gate         PRBool checkSig, PRBool isServer);
170*0Sstevel@tonic-gate 
171*0Sstevel@tonic-gate /*
172*0Sstevel@tonic-gate  * client auth stuff
173*0Sstevel@tonic-gate  */
174*0Sstevel@tonic-gate static int get_clientauth_data( void *sessionarg, PRFileDesc *prfd,
175*0Sstevel@tonic-gate 	CERTDistNames *caNames,  CERTCertificate **pRetCert,
176*0Sstevel@tonic-gate 	SECKEYPrivateKey **pRetKey );
177*0Sstevel@tonic-gate static int get_keyandcert( LDAPSSLSessionInfo *ssip,
178*0Sstevel@tonic-gate 	CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey,
179*0Sstevel@tonic-gate 	char **errmsgp );
180*0Sstevel@tonic-gate static int check_clientauth_nicknames_and_passwd( LDAP *ld,
181*0Sstevel@tonic-gate 	LDAPSSLSessionInfo *ssip );
182*0Sstevel@tonic-gate static char *get_keypassword( PK11SlotInfo *slot, PRBool retry,
183*0Sstevel@tonic-gate 	void *sessionarg );
184*0Sstevel@tonic-gate 
185*0Sstevel@tonic-gate /*
186*0Sstevel@tonic-gate  * Static variables.
187*0Sstevel@tonic-gate  */
188*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
189*0Sstevel@tonic-gate static int default_ssl_strength = LDAPSSL_AUTH_CNCHECK;
190*0Sstevel@tonic-gate #else
191*0Sstevel@tonic-gate static int default_ssl_strength = LDAPSSL_AUTH_CERT;
192*0Sstevel@tonic-gate #endif
193*0Sstevel@tonic-gate 
194*0Sstevel@tonic-gate /*
195*0Sstevel@tonic-gate  * Like ldap_init(), except also install I/O routines from libsec so we
196*0Sstevel@tonic-gate  * can support SSL.  If defsecure is non-zero, SSL is enabled for the
197*0Sstevel@tonic-gate  * default connection as well.
198*0Sstevel@tonic-gate  */
199*0Sstevel@tonic-gate LDAP *
200*0Sstevel@tonic-gate LDAP_CALL
ldapssl_init(const char * defhost,int defport,int defsecure)201*0Sstevel@tonic-gate ldapssl_init( const char *defhost, int defport, int defsecure )
202*0Sstevel@tonic-gate {
203*0Sstevel@tonic-gate     LDAP	*ld;
204*0Sstevel@tonic-gate 
205*0Sstevel@tonic-gate 
206*0Sstevel@tonic-gate #ifndef LDAP_SSLIO_HOOKS
207*0Sstevel@tonic-gate     return( NULL );
208*0Sstevel@tonic-gate #else
209*0Sstevel@tonic-gate     if (0 ==defport)
210*0Sstevel@tonic-gate 	defport = LDAPS_PORT;
211*0Sstevel@tonic-gate 
212*0Sstevel@tonic-gate     if (( ld = ldap_init( defhost, defport )) == NULL ) {
213*0Sstevel@tonic-gate 	return( NULL );
214*0Sstevel@tonic-gate     }
215*0Sstevel@tonic-gate 
216*0Sstevel@tonic-gate     if ( ldapssl_install_routines( ld ) < 0 || ldap_set_option( ld,
217*0Sstevel@tonic-gate 		LDAP_OPT_SSL, defsecure ? LDAP_OPT_ON : LDAP_OPT_OFF ) != 0 ) {
218*0Sstevel@tonic-gate 	PR_SetError( PR_UNKNOWN_ERROR, EINVAL );  /* XXXmcs: just a guess! */
219*0Sstevel@tonic-gate 	ldap_unbind( ld );
220*0Sstevel@tonic-gate 	return( NULL );
221*0Sstevel@tonic-gate     }
222*0Sstevel@tonic-gate 
223*0Sstevel@tonic-gate     return( ld );
224*0Sstevel@tonic-gate #endif
225*0Sstevel@tonic-gate }
226*0Sstevel@tonic-gate 
227*0Sstevel@tonic-gate 
228*0Sstevel@tonic-gate static int
ldapssl_close(int s,struct lextiof_socket_private * socketarg)229*0Sstevel@tonic-gate ldapssl_close(int s, struct lextiof_socket_private *socketarg)
230*0Sstevel@tonic-gate {
231*0Sstevel@tonic-gate     PRLDAPSocketInfo	soi;
232*0Sstevel@tonic-gate     LDAPSSLSocketInfo	*ssoip;
233*0Sstevel@tonic-gate     LDAPSSLSessionInfo	*sseip;
234*0Sstevel@tonic-gate 
235*0Sstevel@tonic-gate     memset( &soi, 0, sizeof(soi));
236*0Sstevel@tonic-gate     soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
237*0Sstevel@tonic-gate     if ( prldap_get_socket_info( s, socketarg, &soi ) != LDAP_SUCCESS ) {
238*0Sstevel@tonic-gate 	return( -1 );
239*0Sstevel@tonic-gate     }
240*0Sstevel@tonic-gate 
241*0Sstevel@tonic-gate     ssoip = (LDAPSSLSocketInfo *)soi.soinfo_appdata;
242*0Sstevel@tonic-gate     sseip = ssoip->soi_sessioninfo;
243*0Sstevel@tonic-gate 
244*0Sstevel@tonic-gate     ldapssl_free_socket_info( (LDAPSSLSocketInfo **)&soi.soinfo_appdata );
245*0Sstevel@tonic-gate 
246*0Sstevel@tonic-gate     return( (*(sseip->lssei_std_functions.lssf_close_fn))( s, socketarg ));
247*0Sstevel@tonic-gate }
248*0Sstevel@tonic-gate 
249*0Sstevel@tonic-gate static int
do_ldapssl_connect(const char * hostlist,int defport,int timeout,unsigned long options,struct lextiof_session_private * sessionarg,struct lextiof_socket_private ** socketargp,int clientauth)250*0Sstevel@tonic-gate do_ldapssl_connect(const char *hostlist, int defport, int timeout,
251*0Sstevel@tonic-gate 	unsigned long options, struct lextiof_session_private *sessionarg,
252*0Sstevel@tonic-gate 	struct lextiof_socket_private **socketargp, int clientauth )
253*0Sstevel@tonic-gate {
254*0Sstevel@tonic-gate     int			intfd = -1;
255*0Sstevel@tonic-gate     PRBool		secure;
256*0Sstevel@tonic-gate     PRLDAPSessionInfo	sei;
257*0Sstevel@tonic-gate     PRLDAPSocketInfo	soi;
258*0Sstevel@tonic-gate     LDAPSSLSocketInfo	*ssoip = NULL;
259*0Sstevel@tonic-gate     LDAPSSLSessionInfo	*sseip;
260*0Sstevel@tonic-gate     PRFileDesc		*sslfd = NULL;
261*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
262*0Sstevel@tonic-gate     int			port;
263*0Sstevel@tonic-gate     int			parse_err;
264*0Sstevel@tonic-gate     char		*host = NULL;
265*0Sstevel@tonic-gate     char		*name;
266*0Sstevel@tonic-gate     struct ldap_x_hostlist_status
267*0Sstevel@tonic-gate 			*status = NULL;
268*0Sstevel@tonic-gate     in_addr_t		addr_ipv4;
269*0Sstevel@tonic-gate     in6_addr_t		addr_ipv6;
270*0Sstevel@tonic-gate     char		*host_buf;
271*0Sstevel@tonic-gate     LDAPHostEnt		*hent;
272*0Sstevel@tonic-gate     LDAPHostEnt		host_ent;
273*0Sstevel@tonic-gate     int			stat;
274*0Sstevel@tonic-gate     int			type;
275*0Sstevel@tonic-gate #endif	/* _SOLARIS_SDK */
276*0Sstevel@tonic-gate 
277*0Sstevel@tonic-gate     /*
278*0Sstevel@tonic-gate      * Determine if secure option is set.  Also, clear secure bit in options
279*0Sstevel@tonic-gate      * the we pass to the standard connect() function (since it doesn't know
280*0Sstevel@tonic-gate      * how to handle the secure option).
281*0Sstevel@tonic-gate      */
282*0Sstevel@tonic-gate     if ( 0 != ( options & LDAP_X_EXTIOF_OPT_SECURE )) {
283*0Sstevel@tonic-gate 	secure = PR_TRUE;
284*0Sstevel@tonic-gate 	options &= ~LDAP_X_EXTIOF_OPT_SECURE;
285*0Sstevel@tonic-gate     } else {
286*0Sstevel@tonic-gate 	secure = PR_FALSE;
287*0Sstevel@tonic-gate     }
288*0Sstevel@tonic-gate 
289*0Sstevel@tonic-gate     /*
290*0Sstevel@tonic-gate      * Retrieve session info. so we can store a pointer to our session info.
291*0Sstevel@tonic-gate      * in our socket info. later.
292*0Sstevel@tonic-gate      */
293*0Sstevel@tonic-gate     memset( &sei, 0, sizeof(sei));
294*0Sstevel@tonic-gate     sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
295*0Sstevel@tonic-gate     if ( prldap_get_session_info( NULL, sessionarg, &sei ) != LDAP_SUCCESS ) {
296*0Sstevel@tonic-gate 	return( -1 );
297*0Sstevel@tonic-gate     }
298*0Sstevel@tonic-gate     sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
299*0Sstevel@tonic-gate 
300*0Sstevel@tonic-gate     /*
301*0Sstevel@tonic-gate      * Call the standard connect() callback to make the TCP connection.
302*0Sstevel@tonic-gate      * If it succeeds, *socketargp is set.
303*0Sstevel@tonic-gate      */
304*0Sstevel@tonic-gate 
305*0Sstevel@tonic-gate     intfd = (*(sseip->lssei_std_functions.lssf_connect_fn))( hostlist, defport,
306*0Sstevel@tonic-gate 		timeout, options, sessionarg, socketargp
307*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
308*0Sstevel@tonic-gate 		, &host );
309*0Sstevel@tonic-gate #else
310*0Sstevel@tonic-gate 		);
311*0Sstevel@tonic-gate #endif	/* _SOLARIS_SDK */
312*0Sstevel@tonic-gate 
313*0Sstevel@tonic-gate     if ( intfd < 0 ) {
314*0Sstevel@tonic-gate 	return( intfd );
315*0Sstevel@tonic-gate     }
316*0Sstevel@tonic-gate 
317*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
318*0Sstevel@tonic-gate         /*
319*0Sstevel@tonic-gate          * Determine if the "host name" is an ip address. If so,
320*0Sstevel@tonic-gate          * we must look up the actual host name corresponding to
321*0Sstevel@tonic-gate          * it.
322*0Sstevel@tonic-gate          */
323*0Sstevel@tonic-gate 	if ( NULL == host ) {
324*0Sstevel@tonic-gate 		goto close_socket_and_exit_with_error;
325*0Sstevel@tonic-gate 	}
326*0Sstevel@tonic-gate         type = AF_UNSPEC;
327*0Sstevel@tonic-gate         if (strlen(host) < INET6_ADDRSTRLEN &&
328*0Sstevel@tonic-gate                         inet_pton(AF_INET6, host, &addr_ipv6) == 1) {
329*0Sstevel@tonic-gate                 type = AF_INET6;
330*0Sstevel@tonic-gate         } else if (strlen(host) < INET_ADDRSTRLEN &&
331*0Sstevel@tonic-gate                         inet_pton(AF_INET, host, &addr_ipv4) == 1) {
332*0Sstevel@tonic-gate                 type = AF_INET;
333*0Sstevel@tonic-gate         }
334*0Sstevel@tonic-gate         if (type == AF_INET || type == AF_INET6) {
335*0Sstevel@tonic-gate                 host_buf = malloc(HOST_BUF_SIZE);
336*0Sstevel@tonic-gate                 if (host_buf == NULL) {
337*0Sstevel@tonic-gate 			/* will free host in close_socket_and_exit_with_error */
338*0Sstevel@tonic-gate                         goto close_socket_and_exit_with_error;
339*0Sstevel@tonic-gate 		}
340*0Sstevel@tonic-gate 
341*0Sstevel@tonic-gate                 /* Call ldap layer's gethostbyaddr resolver */
342*0Sstevel@tonic-gate                 hent = _ns_gethostbyaddr(sseip->ld, host, strlen(host), type,
343*0Sstevel@tonic-gate                         &host_ent, host_buf, HOST_BUF_SIZE, &stat, NULL);
344*0Sstevel@tonic-gate 
345*0Sstevel@tonic-gate                 /* If we are unable to lookup the host addr, we fail! */
346*0Sstevel@tonic-gate                 if (hent == NULL) {
347*0Sstevel@tonic-gate                         syslog(LOG_WARNING,
348*0Sstevel@tonic-gate                                 "libldap: do_ldapssl_connect: "
349*0Sstevel@tonic-gate                                 "Unable to resolve '%s'", host);
350*0Sstevel@tonic-gate                         free(host_buf);
351*0Sstevel@tonic-gate 			/* will free host in close_socket_and_exit_with_error */
352*0Sstevel@tonic-gate 			goto close_socket_and_exit_with_error;
353*0Sstevel@tonic-gate                 }
354*0Sstevel@tonic-gate                 /* We support only the primary host name */
355*0Sstevel@tonic-gate                 else {
356*0Sstevel@tonic-gate 			if (hent->ldaphe_name != NULL)
357*0Sstevel@tonic-gate                         	name = strdup(hent->ldaphe_name);
358*0Sstevel@tonic-gate                 	free(host_buf);
359*0Sstevel@tonic-gate                 	if (name == NULL)
360*0Sstevel@tonic-gate                         	goto close_socket_and_exit_with_error;
361*0Sstevel@tonic-gate 			else
362*0Sstevel@tonic-gate                 		ldap_memfree(host); host = NULL;
363*0Sstevel@tonic-gate                 	host = name;
364*0Sstevel@tonic-gate 		}
365*0Sstevel@tonic-gate         }
366*0Sstevel@tonic-gate #endif	/* _SOLARIS_SDK */
367*0Sstevel@tonic-gate 
368*0Sstevel@tonic-gate     /*
369*0Sstevel@tonic-gate      * Retrieve socket info. so we have the PRFileDesc.
370*0Sstevel@tonic-gate      */
371*0Sstevel@tonic-gate     memset( &soi, 0, sizeof(soi));
372*0Sstevel@tonic-gate     soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
373*0Sstevel@tonic-gate     if ( prldap_get_socket_info( intfd, *socketargp, &soi ) != LDAP_SUCCESS ) {
374*0Sstevel@tonic-gate 	goto close_socket_and_exit_with_error;
375*0Sstevel@tonic-gate     }
376*0Sstevel@tonic-gate 
377*0Sstevel@tonic-gate     /*
378*0Sstevel@tonic-gate      * Allocate a structure to hold our socket-specific data.
379*0Sstevel@tonic-gate      */
380*0Sstevel@tonic-gate     if ( NULL == ( ssoip = PR_Calloc( 1, sizeof( LDAPSSLSocketInfo )))) {
381*0Sstevel@tonic-gate 	goto close_socket_and_exit_with_error;
382*0Sstevel@tonic-gate     }
383*0Sstevel@tonic-gate     ssoip->soi_sessioninfo = sseip;
384*0Sstevel@tonic-gate 
385*0Sstevel@tonic-gate     /*
386*0Sstevel@tonic-gate      * Add SSL layer and let the standard NSPR to LDAP layer and enable SSL.
387*0Sstevel@tonic-gate      */
388*0Sstevel@tonic-gate     if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
389*0Sstevel@tonic-gate 	goto close_socket_and_exit_with_error;
390*0Sstevel@tonic-gate     }
391*0Sstevel@tonic-gate 
392*0Sstevel@tonic-gate     if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
393*0Sstevel@tonic-gate 		SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
394*0Sstevel@tonic-gate 		!= SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
395*0Sstevel@tonic-gate 		PR_FALSE ) != SECSuccess )) {
396*0Sstevel@tonic-gate 	goto close_socket_and_exit_with_error;
397*0Sstevel@tonic-gate     }
398*0Sstevel@tonic-gate 
399*0Sstevel@tonic-gate     /*
400*0Sstevel@tonic-gate      * Let the standard NSPR to LDAP layer know about the new socket and
401*0Sstevel@tonic-gate      * our own socket-specific data.
402*0Sstevel@tonic-gate      */
403*0Sstevel@tonic-gate     soi.soinfo_prfd = sslfd;
404*0Sstevel@tonic-gate     soi.soinfo_appdata = (void *)ssoip;
405*0Sstevel@tonic-gate     if ( prldap_set_socket_info( intfd, *socketargp, &soi ) != LDAP_SUCCESS ) {
406*0Sstevel@tonic-gate 	goto close_socket_and_exit_with_error;
407*0Sstevel@tonic-gate     }
408*0Sstevel@tonic-gate 
409*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
410*0Sstevel@tonic-gate     /*
411*0Sstevel@tonic-gate      * Set hostname which will be retrieved (depending on ssl strength) when
412*0Sstevel@tonic-gate      * using client or server auth.
413*0Sstevel@tonic-gate      */
414*0Sstevel@tonic-gate     if (SSL_SetURL(sslfd, host) != SECSuccess)
415*0Sstevel@tonic-gate 	goto close_socket_and_exit_with_error;
416*0Sstevel@tonic-gate     ldap_memfree(host);
417*0Sstevel@tonic-gate     host = NULL;
418*0Sstevel@tonic-gate #endif /* _SOLARIS_SDK */
419*0Sstevel@tonic-gate 
420*0Sstevel@tonic-gate     sslfd = NULL;	/* so we don't close the socket twice upon error */
421*0Sstevel@tonic-gate 
422*0Sstevel@tonic-gate     /*
423*0Sstevel@tonic-gate      * Install certificate hook function.
424*0Sstevel@tonic-gate      */
425*0Sstevel@tonic-gate     SSL_AuthCertificateHook( soi.soinfo_prfd,
426*0Sstevel@tonic-gate 			     (SSLAuthCertificate)ldapssl_AuthCertificate,
427*0Sstevel@tonic-gate                              (void *)sseip);
428*0Sstevel@tonic-gate 
429*0Sstevel@tonic-gate     if ( SSL_GetClientAuthDataHook( soi.soinfo_prfd,
430*0Sstevel@tonic-gate 		get_clientauth_data, clientauth ? sseip : NULL ) != 0 ) {
431*0Sstevel@tonic-gate 	goto close_socket_and_exit_with_error;
432*0Sstevel@tonic-gate     }
433*0Sstevel@tonic-gate 
434*0Sstevel@tonic-gate     return( intfd );	/* success */
435*0Sstevel@tonic-gate 
436*0Sstevel@tonic-gate close_socket_and_exit_with_error:
437*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
438*0Sstevel@tonic-gate     if ( NULL != host ) ldap_memfree(host);
439*0Sstevel@tonic-gate #endif /* _SOLARIS_SDK */
440*0Sstevel@tonic-gate     if ( NULL != sslfd ) {
441*0Sstevel@tonic-gate 	PR_Close( sslfd );
442*0Sstevel@tonic-gate     }
443*0Sstevel@tonic-gate     if ( NULL != ssoip ) {
444*0Sstevel@tonic-gate 	ldapssl_free_socket_info( &ssoip );
445*0Sstevel@tonic-gate     }
446*0Sstevel@tonic-gate     if ( intfd >= 0 && NULL != *socketargp ) {
447*0Sstevel@tonic-gate 	(*(sseip->lssei_std_functions.lssf_close_fn))( intfd, *socketargp );
448*0Sstevel@tonic-gate     }
449*0Sstevel@tonic-gate     return( -1 );
450*0Sstevel@tonic-gate }
451*0Sstevel@tonic-gate 
452*0Sstevel@tonic-gate 
453*0Sstevel@tonic-gate static int
ldapssl_connect(const char * hostlist,int defport,int timeout,unsigned long options,struct lextiof_session_private * sessionarg,struct lextiof_socket_private ** socketargp)454*0Sstevel@tonic-gate ldapssl_connect(const char *hostlist, int defport, int timeout,
455*0Sstevel@tonic-gate 	unsigned long options, struct lextiof_session_private *sessionarg,
456*0Sstevel@tonic-gate 	struct lextiof_socket_private **socketargp )
457*0Sstevel@tonic-gate {
458*0Sstevel@tonic-gate     return( do_ldapssl_connect( hostlist, defport, timeout, options,
459*0Sstevel@tonic-gate 		sessionarg, socketargp, 0 ));
460*0Sstevel@tonic-gate }
461*0Sstevel@tonic-gate 
462*0Sstevel@tonic-gate 
463*0Sstevel@tonic-gate static int
ldapssl_clientauth_connect(const char * hostlist,int defport,int timeout,unsigned long options,struct lextiof_session_private * sessionarg,struct lextiof_socket_private ** socketargp)464*0Sstevel@tonic-gate ldapssl_clientauth_connect(const char *hostlist, int defport, int timeout,
465*0Sstevel@tonic-gate 	unsigned long options, struct lextiof_session_private *sessionarg,
466*0Sstevel@tonic-gate 	struct lextiof_socket_private **socketargp )
467*0Sstevel@tonic-gate {
468*0Sstevel@tonic-gate     return( do_ldapssl_connect( hostlist, defport, timeout, options,
469*0Sstevel@tonic-gate 		sessionarg, socketargp, 1 ));
470*0Sstevel@tonic-gate }
471*0Sstevel@tonic-gate 
472*0Sstevel@tonic-gate 
473*0Sstevel@tonic-gate static void
ldapssl_disposehandle(LDAP * ld,struct lextiof_session_private * sessionarg)474*0Sstevel@tonic-gate ldapssl_disposehandle(LDAP *ld, struct lextiof_session_private *sessionarg)
475*0Sstevel@tonic-gate {
476*0Sstevel@tonic-gate     PRLDAPSessionInfo				sei;
477*0Sstevel@tonic-gate     LDAPSSLSessionInfo				*sseip;
478*0Sstevel@tonic-gate     LDAP_X_EXTIOF_DISPOSEHANDLE_CALLBACK	*disposehdl_fn;
479*0Sstevel@tonic-gate 
480*0Sstevel@tonic-gate     memset( &sei, 0, sizeof( sei ));
481*0Sstevel@tonic-gate     sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
482*0Sstevel@tonic-gate     if ( prldap_get_session_info( ld, NULL, &sei ) == LDAP_SUCCESS ) {
483*0Sstevel@tonic-gate 	sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
484*0Sstevel@tonic-gate 	disposehdl_fn = sseip->lssei_std_functions.lssf_disposehdl_fn;
485*0Sstevel@tonic-gate 	ldapssl_free_session_info( &sseip );
486*0Sstevel@tonic-gate 	(*disposehdl_fn)( ld, sessionarg );
487*0Sstevel@tonic-gate     }
488*0Sstevel@tonic-gate }
489*0Sstevel@tonic-gate 
490*0Sstevel@tonic-gate 
491*0Sstevel@tonic-gate /*
492*0Sstevel@tonic-gate  * Install I/O routines from libsec and NSPR into libldap to allow libldap
493*0Sstevel@tonic-gate  * to do SSL.
494*0Sstevel@tonic-gate  *
495*0Sstevel@tonic-gate  * We rely on libprldap to provide most of the functions, and then we override
496*0Sstevel@tonic-gate  * a few of them to support SSL.
497*0Sstevel@tonic-gate  */
498*0Sstevel@tonic-gate int
499*0Sstevel@tonic-gate LDAP_CALL
ldapssl_install_routines(LDAP * ld)500*0Sstevel@tonic-gate ldapssl_install_routines( LDAP *ld )
501*0Sstevel@tonic-gate {
502*0Sstevel@tonic-gate #ifndef LDAP_SSLIO_HOOKS
503*0Sstevel@tonic-gate     ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
504*0Sstevel@tonic-gate     return( -1 );
505*0Sstevel@tonic-gate #else
506*0Sstevel@tonic-gate     struct ldap_x_ext_io_fns	iofns;
507*0Sstevel@tonic-gate     LDAPSSLSessionInfo		*ssip;
508*0Sstevel@tonic-gate     PRLDAPSessionInfo		sei;
509*0Sstevel@tonic-gate 
510*0Sstevel@tonic-gate /*
511*0Sstevel@tonic-gate  * This is done within ldap_init() and
512*0Sstevel@tonic-gate  * ldap_init() is called from ldapssl_init()
513*0Sstevel@tonic-gate  */
514*0Sstevel@tonic-gate #ifndef _SOLARIS_SDK
515*0Sstevel@tonic-gate     if ( prldap_install_routines(
516*0Sstevel@tonic-gate 		ld,
517*0Sstevel@tonic-gate 		1 /* shared -- we have to assume it is */ )
518*0Sstevel@tonic-gate 		!= LDAP_SUCCESS ) {
519*0Sstevel@tonic-gate 	return( -1 );
520*0Sstevel@tonic-gate     }
521*0Sstevel@tonic-gate #endif /*_SOLARIS_SDK*/
522*0Sstevel@tonic-gate 
523*0Sstevel@tonic-gate     /*
524*0Sstevel@tonic-gate      * Allocate our own session information.
525*0Sstevel@tonic-gate      */
526*0Sstevel@tonic-gate     if ( NULL == ( ssip = (LDAPSSLSessionInfo *)PR_Calloc( 1,
527*0Sstevel@tonic-gate 		sizeof( LDAPSSLSessionInfo )))) {
528*0Sstevel@tonic-gate 	ldap_set_lderrno( ld, LDAP_NO_MEMORY, NULL, NULL );
529*0Sstevel@tonic-gate 	return( -1 );
530*0Sstevel@tonic-gate     }
531*0Sstevel@tonic-gate     /*
532*0Sstevel@tonic-gate      * Initialize session info.
533*0Sstevel@tonic-gate      * XXX: it would be nice to be able to set these on a per-session basis:
534*0Sstevel@tonic-gate      *          lssei_using_pcks_fns
535*0Sstevel@tonic-gate      *          lssei_certdbh
536*0Sstevel@tonic-gate      */
537*0Sstevel@tonic-gate     ssip->lssei_ssl_strength = default_ssl_strength;
538*0Sstevel@tonic-gate     ssip->lssei_using_pcks_fns = using_pkcs_functions;
539*0Sstevel@tonic-gate     ssip->lssei_certdbh = CERT_GetDefaultCertDB();
540*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
541*0Sstevel@tonic-gate     /*
542*0Sstevel@tonic-gate      * This is part of a hack to allow the ssl portion of the
543*0Sstevel@tonic-gate      * library to call the ldap library gethostbyaddr resolver.
544*0Sstevel@tonic-gate      */
545*0Sstevel@tonic-gate     ssip->ld = ld;
546*0Sstevel@tonic-gate #endif	/* _SOLARIS_SDK */
547*0Sstevel@tonic-gate 
548*0Sstevel@tonic-gate     /*
549*0Sstevel@tonic-gate      * override a few functions, saving a pointer to the standard function
550*0Sstevel@tonic-gate      * in each case so we can call it from our SSL savvy functions.
551*0Sstevel@tonic-gate      */
552*0Sstevel@tonic-gate     memset( &iofns, 0, sizeof(iofns));
553*0Sstevel@tonic-gate     iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
554*0Sstevel@tonic-gate     if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns ) < 0 ) {
555*0Sstevel@tonic-gate 	ldapssl_free_session_info( &ssip );
556*0Sstevel@tonic-gate 	return( -1 );
557*0Sstevel@tonic-gate     }
558*0Sstevel@tonic-gate 
559*0Sstevel@tonic-gate     /* override socket, connect, and ioctl */
560*0Sstevel@tonic-gate     ssip->lssei_std_functions.lssf_connect_fn = iofns.lextiof_connect;
561*0Sstevel@tonic-gate     iofns.lextiof_connect = ldapssl_connect;
562*0Sstevel@tonic-gate     ssip->lssei_std_functions.lssf_close_fn = iofns.lextiof_close;
563*0Sstevel@tonic-gate     iofns.lextiof_close = ldapssl_close;
564*0Sstevel@tonic-gate     ssip->lssei_std_functions.lssf_disposehdl_fn = iofns.lextiof_disposehandle;
565*0Sstevel@tonic-gate     iofns.lextiof_disposehandle = ldapssl_disposehandle;
566*0Sstevel@tonic-gate 
567*0Sstevel@tonic-gate     if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns ) < 0 ) {
568*0Sstevel@tonic-gate 	ldapssl_free_session_info( &ssip );
569*0Sstevel@tonic-gate 	return( -1 );
570*0Sstevel@tonic-gate     }
571*0Sstevel@tonic-gate 
572*0Sstevel@tonic-gate     /*
573*0Sstevel@tonic-gate      * Store session info. for later retrieval.
574*0Sstevel@tonic-gate      */
575*0Sstevel@tonic-gate     sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
576*0Sstevel@tonic-gate     sei.seinfo_appdata = (void *)ssip;
577*0Sstevel@tonic-gate     if ( prldap_set_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
578*0Sstevel@tonic-gate 	return( -1 );
579*0Sstevel@tonic-gate     }
580*0Sstevel@tonic-gate 
581*0Sstevel@tonic-gate     return( 0 );
582*0Sstevel@tonic-gate #endif
583*0Sstevel@tonic-gate }
584*0Sstevel@tonic-gate 
585*0Sstevel@tonic-gate 
586*0Sstevel@tonic-gate /*
587*0Sstevel@tonic-gate  * Set the SSL strength for an existing SSL-enabled LDAP session handle.
588*0Sstevel@tonic-gate  *
589*0Sstevel@tonic-gate  * See the description of ldapssl_serverauth_init() above for valid
590*0Sstevel@tonic-gate  * sslstrength values. If ld is NULL, the default for new LDAP session
591*0Sstevel@tonic-gate  * handles is set.
592*0Sstevel@tonic-gate  *
593*0Sstevel@tonic-gate  * Returns 0 if all goes well and -1 if an error occurs.
594*0Sstevel@tonic-gate  */
595*0Sstevel@tonic-gate int
596*0Sstevel@tonic-gate LDAP_CALL
ldapssl_set_strength(LDAP * ld,int sslstrength)597*0Sstevel@tonic-gate ldapssl_set_strength( LDAP *ld, int sslstrength )
598*0Sstevel@tonic-gate {
599*0Sstevel@tonic-gate     int                 rc = 0; /* assume success */
600*0Sstevel@tonic-gate 
601*0Sstevel@tonic-gate     if ( sslstrength != LDAPSSL_AUTH_WEAK &&
602*0Sstevel@tonic-gate                 sslstrength != LDAPSSL_AUTH_CERT &&
603*0Sstevel@tonic-gate                 sslstrength != LDAPSSL_AUTH_CNCHECK ) {
604*0Sstevel@tonic-gate         rc = -1;
605*0Sstevel@tonic-gate     } else {
606*0Sstevel@tonic-gate         if ( NULL == ld ) {     /* set default strength */
607*0Sstevel@tonic-gate             default_ssl_strength = sslstrength;
608*0Sstevel@tonic-gate         } else {                /* set session-specific strength */
609*0Sstevel@tonic-gate             PRLDAPSessionInfo   sei;
610*0Sstevel@tonic-gate             LDAPSSLSessionInfo  *sseip;
611*0Sstevel@tonic-gate 
612*0Sstevel@tonic-gate             memset( &sei, 0, sizeof( sei ));
613*0Sstevel@tonic-gate             sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
614*0Sstevel@tonic-gate             if ( prldap_get_session_info( ld, NULL, &sei ) == LDAP_SUCCESS )
615*0Sstevel@tonic-gate {
616*0Sstevel@tonic-gate                 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
617*0Sstevel@tonic-gate                 sseip->lssei_ssl_strength = sslstrength;
618*0Sstevel@tonic-gate             } else {
619*0Sstevel@tonic-gate                 rc = -1;
620*0Sstevel@tonic-gate             }
621*0Sstevel@tonic-gate         }
622*0Sstevel@tonic-gate     }
623*0Sstevel@tonic-gate 
624*0Sstevel@tonic-gate     return( rc );
625*0Sstevel@tonic-gate }
626*0Sstevel@tonic-gate 
627*0Sstevel@tonic-gate int
628*0Sstevel@tonic-gate LDAP_CALL
ldapssl_enable_clientauth(LDAP * ld,char * keynickname,char * keypasswd,char * certnickname)629*0Sstevel@tonic-gate ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
630*0Sstevel@tonic-gate         char *keypasswd, char *certnickname )
631*0Sstevel@tonic-gate {
632*0Sstevel@tonic-gate #ifndef LDAP_SSLIO_HOOKS
633*0Sstevel@tonic-gate     ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
634*0Sstevel@tonic-gate     return( -1 );
635*0Sstevel@tonic-gate #else
636*0Sstevel@tonic-gate     struct ldap_x_ext_io_fns	iofns;
637*0Sstevel@tonic-gate     LDAPSSLSessionInfo		*ssip;
638*0Sstevel@tonic-gate     PRLDAPSessionInfo		sei;
639*0Sstevel@tonic-gate 
640*0Sstevel@tonic-gate     /*
641*0Sstevel@tonic-gate      * Check parameters
642*0Sstevel@tonic-gate      */
643*0Sstevel@tonic-gate     if ( certnickname == NULL || keypasswd == NULL ) {
644*0Sstevel@tonic-gate 	ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
645*0Sstevel@tonic-gate 	return( -1 );
646*0Sstevel@tonic-gate     }
647*0Sstevel@tonic-gate 
648*0Sstevel@tonic-gate     /*
649*0Sstevel@tonic-gate      * Update session info. data structure.
650*0Sstevel@tonic-gate      */
651*0Sstevel@tonic-gate     sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
652*0Sstevel@tonic-gate     if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
653*0Sstevel@tonic-gate 	return( -1 );
654*0Sstevel@tonic-gate     }
655*0Sstevel@tonic-gate     ssip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
656*0Sstevel@tonic-gate     if ( NULL == ssip ) {
657*0Sstevel@tonic-gate 	ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
658*0Sstevel@tonic-gate 	return( -1 );
659*0Sstevel@tonic-gate     }
660*0Sstevel@tonic-gate     ssip->lssei_certnickname = PL_strdup( certnickname );
661*0Sstevel@tonic-gate     ssip->lssei_keypasswd = PL_strdup( keypasswd );
662*0Sstevel@tonic-gate 
663*0Sstevel@tonic-gate     if ( NULL == ssip->lssei_certnickname || NULL == ssip->lssei_keypasswd ) {
664*0Sstevel@tonic-gate 	ldap_set_lderrno( ld, LDAP_NO_MEMORY, NULL, NULL );
665*0Sstevel@tonic-gate 	return( -1 );
666*0Sstevel@tonic-gate     }
667*0Sstevel@tonic-gate 
668*0Sstevel@tonic-gate     if ( check_clientauth_nicknames_and_passwd( ld, ssip ) != 0 ) {
669*0Sstevel@tonic-gate 	return( -1 );
670*0Sstevel@tonic-gate     }
671*0Sstevel@tonic-gate 
672*0Sstevel@tonic-gate     /*
673*0Sstevel@tonic-gate      * replace standard SSL CONNECT function with client auth aware one
674*0Sstevel@tonic-gate      */
675*0Sstevel@tonic-gate     memset( &iofns, 0, sizeof(iofns));
676*0Sstevel@tonic-gate     iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
677*0Sstevel@tonic-gate     if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
678*0Sstevel@tonic-gate 		!= 0 ) {
679*0Sstevel@tonic-gate 	return( -1 );
680*0Sstevel@tonic-gate     }
681*0Sstevel@tonic-gate 
682*0Sstevel@tonic-gate     if ( iofns.lextiof_connect != ldapssl_connect ) {
683*0Sstevel@tonic-gate 	/* standard SSL setup has not done */
684*0Sstevel@tonic-gate 	ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
685*0Sstevel@tonic-gate 	return( -1 );
686*0Sstevel@tonic-gate     }
687*0Sstevel@tonic-gate 
688*0Sstevel@tonic-gate     iofns.lextiof_connect = ldapssl_clientauth_connect;
689*0Sstevel@tonic-gate 
690*0Sstevel@tonic-gate     if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
691*0Sstevel@tonic-gate 		!= 0 ) {
692*0Sstevel@tonic-gate 	return( -1 );
693*0Sstevel@tonic-gate     }
694*0Sstevel@tonic-gate 
695*0Sstevel@tonic-gate     return( 0 );
696*0Sstevel@tonic-gate #endif
697*0Sstevel@tonic-gate }
698*0Sstevel@tonic-gate 
699*0Sstevel@tonic-gate 
700*0Sstevel@tonic-gate static void
ldapssl_free_session_info(LDAPSSLSessionInfo ** ssipp)701*0Sstevel@tonic-gate ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp )
702*0Sstevel@tonic-gate {
703*0Sstevel@tonic-gate     if ( NULL != ssipp && NULL != *ssipp ) {
704*0Sstevel@tonic-gate 	if ( NULL != (*ssipp)->lssei_certnickname ) {
705*0Sstevel@tonic-gate 	    PL_strfree( (*ssipp)->lssei_certnickname );
706*0Sstevel@tonic-gate 	    (*ssipp)->lssei_certnickname = NULL;
707*0Sstevel@tonic-gate 	}
708*0Sstevel@tonic-gate 	if ( NULL != (*ssipp)->lssei_keypasswd ) {
709*0Sstevel@tonic-gate 	    PL_strfree( (*ssipp)->lssei_keypasswd );
710*0Sstevel@tonic-gate 	    (*ssipp)->lssei_keypasswd = NULL;
711*0Sstevel@tonic-gate 	}
712*0Sstevel@tonic-gate 	PR_Free( *ssipp );
713*0Sstevel@tonic-gate 	*ssipp = NULL;
714*0Sstevel@tonic-gate     }
715*0Sstevel@tonic-gate }
716*0Sstevel@tonic-gate 
717*0Sstevel@tonic-gate 
718*0Sstevel@tonic-gate static void
ldapssl_free_socket_info(LDAPSSLSocketInfo ** soipp)719*0Sstevel@tonic-gate ldapssl_free_socket_info( LDAPSSLSocketInfo **soipp )
720*0Sstevel@tonic-gate {
721*0Sstevel@tonic-gate     if ( NULL != soipp && NULL != *soipp ) {
722*0Sstevel@tonic-gate 	PR_Free( *soipp );
723*0Sstevel@tonic-gate 	*soipp = NULL;
724*0Sstevel@tonic-gate     }
725*0Sstevel@tonic-gate }
726*0Sstevel@tonic-gate 
727*0Sstevel@tonic-gate 
728*0Sstevel@tonic-gate /* this function provides cert authentication.  This is called during
729*0Sstevel@tonic-gate  * the SSL_Handshake process.  Once the cert has been retrieved from
730*0Sstevel@tonic-gate  * the server, the it is checked, using VerifyCertNow(), then
731*0Sstevel@tonic-gate  * the cn is checked against the host name, set with SSL_SetURL()
732*0Sstevel@tonic-gate  */
733*0Sstevel@tonic-gate 
734*0Sstevel@tonic-gate static int
ldapssl_AuthCertificate(void * sessionarg,PRFileDesc * fd,PRBool checkSig,PRBool isServer)735*0Sstevel@tonic-gate ldapssl_AuthCertificate(void *sessionarg, PRFileDesc *fd, PRBool checkSig,
736*0Sstevel@tonic-gate 	PRBool isServer)
737*0Sstevel@tonic-gate {
738*0Sstevel@tonic-gate     SECStatus		rv = SECFailure;
739*0Sstevel@tonic-gate     LDAPSSLSessionInfo	*sseip;
740*0Sstevel@tonic-gate     CERTCertificate	*cert;
741*0Sstevel@tonic-gate     SECCertUsage	certUsage;
742*0Sstevel@tonic-gate     char		*hostname = (char *)0;
743*0Sstevel@tonic-gate 
744*0Sstevel@tonic-gate     if (!sessionarg || !socket)
745*0Sstevel@tonic-gate 	return rv;
746*0Sstevel@tonic-gate 
747*0Sstevel@tonic-gate     sseip = (LDAPSSLSessionInfo *)sessionarg;
748*0Sstevel@tonic-gate 
749*0Sstevel@tonic-gate     if (LDAPSSL_AUTH_WEAK == sseip->lssei_ssl_strength ) { /* no check */
750*0Sstevel@tonic-gate         return SECSuccess;
751*0Sstevel@tonic-gate     }
752*0Sstevel@tonic-gate 
753*0Sstevel@tonic-gate     if ( isServer ) {
754*0Sstevel@tonic-gate 	certUsage = certUsageSSLClient;
755*0Sstevel@tonic-gate     } else {
756*0Sstevel@tonic-gate 	certUsage = certUsageSSLServer;
757*0Sstevel@tonic-gate     }
758*0Sstevel@tonic-gate     cert = SSL_PeerCertificate( fd );
759*0Sstevel@tonic-gate 
760*0Sstevel@tonic-gate     rv = CERT_VerifyCertNow(sseip->lssei_certdbh, cert, checkSig,
761*0Sstevel@tonic-gate 			certUsage, NULL);
762*0Sstevel@tonic-gate 
763*0Sstevel@tonic-gate     if ( rv != SECSuccess || isServer )
764*0Sstevel@tonic-gate 	return rv;
765*0Sstevel@tonic-gate 
766*0Sstevel@tonic-gate     if ( LDAPSSL_AUTH_CNCHECK == sseip->lssei_ssl_strength )
767*0Sstevel@tonic-gate       {
768*0Sstevel@tonic-gate 	/* cert is OK.  This is the client side of an SSL connection.
769*0Sstevel@tonic-gate 	 * Now check the name field in the cert against the desired hostname.
770*0Sstevel@tonic-gate 	 * NB: This is our only defense against Man-In-The-Middle (MITM)
771*0Sstevel@tonic-gate 	 * attacks!
772*0Sstevel@tonic-gate 	 */
773*0Sstevel@tonic-gate 
774*0Sstevel@tonic-gate 	hostname = SSL_RevealURL( fd );
775*0Sstevel@tonic-gate 
776*0Sstevel@tonic-gate 	if (hostname && hostname[0]) {
777*0Sstevel@tonic-gate 	  rv = CERT_VerifyCertName(cert, hostname);
778*0Sstevel@tonic-gate 	} else  {
779*0Sstevel@tonic-gate 	  rv = SECFailure;
780*0Sstevel@tonic-gate      	}
781*0Sstevel@tonic-gate 	if (hostname)
782*0Sstevel@tonic-gate 		PORT_Free(hostname);
783*0Sstevel@tonic-gate 	if (rv != SECSuccess)
784*0Sstevel@tonic-gate 	  PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
785*0Sstevel@tonic-gate       }
786*0Sstevel@tonic-gate 
787*0Sstevel@tonic-gate     return((int)rv);
788*0Sstevel@tonic-gate }
789*0Sstevel@tonic-gate 
790*0Sstevel@tonic-gate 
791*0Sstevel@tonic-gate /*
792*0Sstevel@tonic-gate  * called during SSL client auth. when server wants our cert and key.
793*0Sstevel@tonic-gate  * return 0 if we succeeded and set *pRetCert and *pRetKey, -1 otherwise.
794*0Sstevel@tonic-gate  * if -1 is returned SSL will proceed without sending a cert.
795*0Sstevel@tonic-gate  */
796*0Sstevel@tonic-gate 
797*0Sstevel@tonic-gate static int
get_clientauth_data(void * sessionarg,PRFileDesc * prfd,CERTDistNames * caNames,CERTCertificate ** pRetCert,SECKEYPrivateKey ** pRetKey)798*0Sstevel@tonic-gate get_clientauth_data( void *sessionarg, PRFileDesc *prfd,
799*0Sstevel@tonic-gate         CERTDistNames *caNames,  CERTCertificate **pRetCert,
800*0Sstevel@tonic-gate         SECKEYPrivateKey **pRetKey )
801*0Sstevel@tonic-gate 
802*0Sstevel@tonic-gate {
803*0Sstevel@tonic-gate     LDAPSSLSessionInfo	*ssip;
804*0Sstevel@tonic-gate 
805*0Sstevel@tonic-gate     if (( ssip = (LDAPSSLSessionInfo *)sessionarg ) == NULL ) {
806*0Sstevel@tonic-gate 	return( -1 );       /* client auth. not enabled */
807*0Sstevel@tonic-gate     }
808*0Sstevel@tonic-gate 
809*0Sstevel@tonic-gate     return( get_keyandcert( ssip, pRetCert, pRetKey, NULL ));
810*0Sstevel@tonic-gate }
811*0Sstevel@tonic-gate 
812*0Sstevel@tonic-gate static int
get_keyandcert(LDAPSSLSessionInfo * ssip,CERTCertificate ** pRetCert,SECKEYPrivateKey ** pRetKey,char ** errmsgp)813*0Sstevel@tonic-gate get_keyandcert( LDAPSSLSessionInfo *ssip,
814*0Sstevel@tonic-gate 	CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey,
815*0Sstevel@tonic-gate 	char **errmsgp )
816*0Sstevel@tonic-gate {
817*0Sstevel@tonic-gate     CERTCertificate	*cert;
818*0Sstevel@tonic-gate     SECKEYPrivateKey	*key;
819*0Sstevel@tonic-gate 
820*0Sstevel@tonic-gate     if (( cert = PK11_FindCertFromNickname( ssip->lssei_certnickname, NULL ))
821*0Sstevel@tonic-gate 		== NULL ) {
822*0Sstevel@tonic-gate 	if ( errmsgp != NULL ) {
823*0Sstevel@tonic-gate 	    *errmsgp = dgettext(TEXT_DOMAIN, "unable to find certificate");
824*0Sstevel@tonic-gate 	}
825*0Sstevel@tonic-gate 	return( -1 );
826*0Sstevel@tonic-gate     }
827*0Sstevel@tonic-gate 
828*0Sstevel@tonic-gate     {
829*0Sstevel@tonic-gate 	PK11_SetPasswordFunc( get_keypassword );
830*0Sstevel@tonic-gate     }
831*0Sstevel@tonic-gate 
832*0Sstevel@tonic-gate 
833*0Sstevel@tonic-gate 
834*0Sstevel@tonic-gate     if (( key = PK11_FindKeyByAnyCert( cert, (void *)ssip )) == NULL ) {
835*0Sstevel@tonic-gate 	CERT_DestroyCertificate( cert );
836*0Sstevel@tonic-gate 	if ( errmsgp != NULL ) {
837*0Sstevel@tonic-gate 	    *errmsgp = dgettext(TEXT_DOMAIN, "bad key or key password");
838*0Sstevel@tonic-gate 	}
839*0Sstevel@tonic-gate 	return( -1 );
840*0Sstevel@tonic-gate     }
841*0Sstevel@tonic-gate 
842*0Sstevel@tonic-gate     *pRetCert = cert;
843*0Sstevel@tonic-gate     *pRetKey = key;
844*0Sstevel@tonic-gate     return( 0 );
845*0Sstevel@tonic-gate }
846*0Sstevel@tonic-gate 
847*0Sstevel@tonic-gate 
848*0Sstevel@tonic-gate /*
849*0Sstevel@tonic-gate  * This function returns the password to NSS.
850*0Sstevel@tonic-gate  * This function is enable through PK11_SetPasswordFunc
851*0Sstevel@tonic-gate  * only if pkcs functions are not being used.
852*0Sstevel@tonic-gate  */
853*0Sstevel@tonic-gate 
854*0Sstevel@tonic-gate static char *
get_keypassword(PK11SlotInfo * slot,PRBool retry,void * sessionarg)855*0Sstevel@tonic-gate get_keypassword( PK11SlotInfo *slot, PRBool retry, void *sessionarg )
856*0Sstevel@tonic-gate {
857*0Sstevel@tonic-gate     LDAPSSLSessionInfo	*ssip;
858*0Sstevel@tonic-gate 
859*0Sstevel@tonic-gate     if ( retry)
860*0Sstevel@tonic-gate       return (NULL);
861*0Sstevel@tonic-gate 
862*0Sstevel@tonic-gate     ssip = (LDAPSSLSessionInfo *)sessionarg;
863*0Sstevel@tonic-gate     if ( NULL == ssip ) {
864*0Sstevel@tonic-gate 	return( NULL );
865*0Sstevel@tonic-gate     }
866*0Sstevel@tonic-gate 
867*0Sstevel@tonic-gate     return( ssip->lssei_keypasswd );
868*0Sstevel@tonic-gate }
869*0Sstevel@tonic-gate 
870*0Sstevel@tonic-gate 
871*0Sstevel@tonic-gate /*
872*0Sstevel@tonic-gate  * performs some basic checks on clientauth cert and key/password
873*0Sstevel@tonic-gate  *
874*0Sstevel@tonic-gate  * XXXmcs: could perform additional checks... see servers/slapd/ssl.c
875*0Sstevel@tonic-gate  *	1) check expiration
876*0Sstevel@tonic-gate  *	2) check that public key in cert matches private key
877*0Sstevel@tonic-gate  * see ns/netsite/ldap/servers/slapd/ssl.c:slapd_ssl_init() for example code.
878*0Sstevel@tonic-gate  */
879*0Sstevel@tonic-gate static int
check_clientauth_nicknames_and_passwd(LDAP * ld,LDAPSSLSessionInfo * ssip)880*0Sstevel@tonic-gate check_clientauth_nicknames_and_passwd( LDAP *ld, LDAPSSLSessionInfo *ssip )
881*0Sstevel@tonic-gate {
882*0Sstevel@tonic-gate     char		*errmsg = NULL;
883*0Sstevel@tonic-gate     CERTCertificate	*cert = NULL;
884*0Sstevel@tonic-gate     SECKEYPrivateKey	*key = NULL;
885*0Sstevel@tonic-gate     int rv;
886*0Sstevel@tonic-gate 
887*0Sstevel@tonic-gate     rv = get_keyandcert( ssip, &cert, &key, &errmsg );
888*0Sstevel@tonic-gate 
889*0Sstevel@tonic-gate     if ( rv != 0 ) {
890*0Sstevel@tonic-gate     	if ( errmsg != NULL ) {
891*0Sstevel@tonic-gate 	    errmsg = strdup( errmsg );
892*0Sstevel@tonic-gate 	}
893*0Sstevel@tonic-gate 	ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, errmsg );
894*0Sstevel@tonic-gate 	return( -1 );
895*0Sstevel@tonic-gate     }
896*0Sstevel@tonic-gate 
897*0Sstevel@tonic-gate     if ( cert != NULL ) {
898*0Sstevel@tonic-gate 	CERT_DestroyCertificate( cert );
899*0Sstevel@tonic-gate     }
900*0Sstevel@tonic-gate     if ( key != NULL ) {
901*0Sstevel@tonic-gate 	SECKEY_DestroyPrivateKey( key );
902*0Sstevel@tonic-gate     }
903*0Sstevel@tonic-gate     return( 0 );
904*0Sstevel@tonic-gate }
905*0Sstevel@tonic-gate 
906*0Sstevel@tonic-gate 
907*0Sstevel@tonic-gate #if 0	/* NOT_NEEDED_IN_LIBLDAP */
908*0Sstevel@tonic-gate /* there are patches and kludges.  this is both.  force some linkers to
909*0Sstevel@tonic-gate  * link this stuff in
910*0Sstevel@tonic-gate  */
911*0Sstevel@tonic-gate int stubs_o_stuff( void )
912*0Sstevel@tonic-gate {
913*0Sstevel@tonic-gate     PRExplodedTime exploded;
914*0Sstevel@tonic-gate     PLArenaPool pool;
915*0Sstevel@tonic-gate 
916*0Sstevel@tonic-gate     const char *name ="t";
917*0Sstevel@tonic-gate     PRUint32 size = 0, align = 0;
918*0Sstevel@tonic-gate 
919*0Sstevel@tonic-gate     PR_ImplodeTime( &exploded );
920*0Sstevel@tonic-gate     PL_InitArenaPool( &pool, name, size, align);
921*0Sstevel@tonic-gate     PR_Cleanup();
922*0Sstevel@tonic-gate     PR_fprintf((PRFileDesc*)stderr, "Bad IDEA!!");
923*0Sstevel@tonic-gate 
924*0Sstevel@tonic-gate     return 0;
925*0Sstevel@tonic-gate 
926*0Sstevel@tonic-gate }
927*0Sstevel@tonic-gate #endif	/* NOT_NEEDED_IN_LIBLDAP */
928*0Sstevel@tonic-gate 
929*0Sstevel@tonic-gate 
930*0Sstevel@tonic-gate /*
931*0Sstevel@tonic-gate  * Import the file descriptor corresponding to the socket of an already
932*0Sstevel@tonic-gate  * open LDAP connection into SSL, and update the socket and session
933*0Sstevel@tonic-gate  * information accordingly.
934*0Sstevel@tonic-gate  */
ldapssl_import_fd(LDAP * ld,int secure)935*0Sstevel@tonic-gate int ldapssl_import_fd ( LDAP *ld, int secure )
936*0Sstevel@tonic-gate {
937*0Sstevel@tonic-gate     PRLDAPSessionInfo   sei;
938*0Sstevel@tonic-gate     PRLDAPSocketInfo    soi;
939*0Sstevel@tonic-gate     LDAPSSLSocketInfo   *ssoip = NULL;
940*0Sstevel@tonic-gate     LDAPSSLSessionInfo  *sseip;
941*0Sstevel@tonic-gate     PRFileDesc          *sslfd = NULL;
942*0Sstevel@tonic-gate 
943*0Sstevel@tonic-gate 
944*0Sstevel@tonic-gate     /*
945*0Sstevel@tonic-gate      * Retrieve session info. so we can store a pointer to our session info.
946*0Sstevel@tonic-gate      * in our socket info. later.
947*0Sstevel@tonic-gate      */
948*0Sstevel@tonic-gate     memset( &sei, 0, sizeof(sei));
949*0Sstevel@tonic-gate     sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
950*0Sstevel@tonic-gate     if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
951*0Sstevel@tonic-gate         return( -1 );
952*0Sstevel@tonic-gate     }
953*0Sstevel@tonic-gate     sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
954*0Sstevel@tonic-gate 
955*0Sstevel@tonic-gate 
956*0Sstevel@tonic-gate     /*
957*0Sstevel@tonic-gate      * Retrieve socket info. so we have the PRFileDesc.
958*0Sstevel@tonic-gate      */
959*0Sstevel@tonic-gate     memset( &soi, 0, sizeof(soi));
960*0Sstevel@tonic-gate     soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
961*0Sstevel@tonic-gate     if ( prldap_get_default_socket_info( ld, &soi ) != LDAP_SUCCESS ) {
962*0Sstevel@tonic-gate         return( -1 );
963*0Sstevel@tonic-gate     }
964*0Sstevel@tonic-gate 
965*0Sstevel@tonic-gate     /*
966*0Sstevel@tonic-gate      * Allocate a structure to hold our socket-specific data.
967*0Sstevel@tonic-gate      */
968*0Sstevel@tonic-gate     if ( NULL == ( ssoip = PR_Calloc( 1, sizeof( LDAPSSLSocketInfo )))) {
969*0Sstevel@tonic-gate         goto reset_socket_and_exit_with_error;
970*0Sstevel@tonic-gate     }
971*0Sstevel@tonic-gate     ssoip->soi_sessioninfo = sseip;
972*0Sstevel@tonic-gate 
973*0Sstevel@tonic-gate     /*
974*0Sstevel@tonic-gate      * Add SSL layer and let the standard NSPR to LDAP layer and enable SSL.
975*0Sstevel@tonic-gate      */
976*0Sstevel@tonic-gate     if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
977*0Sstevel@tonic-gate         goto reset_socket_and_exit_with_error;
978*0Sstevel@tonic-gate     }
979*0Sstevel@tonic-gate 
980*0Sstevel@tonic-gate     if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
981*0Sstevel@tonic-gate                 SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
982*0Sstevel@tonic-gate                 != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
983*0Sstevel@tonic-gate                 PR_FALSE ) != SECSuccess )) {
984*0Sstevel@tonic-gate         goto reset_socket_and_exit_with_error;
985*0Sstevel@tonic-gate     }
986*0Sstevel@tonic-gate 
987*0Sstevel@tonic-gate     /*
988*0Sstevel@tonic-gate      * Let the standard NSPR to LDAP layer know about the new socket and
989*0Sstevel@tonic-gate      * our own socket-specific data.
990*0Sstevel@tonic-gate      */
991*0Sstevel@tonic-gate     soi.soinfo_prfd = sslfd;
992*0Sstevel@tonic-gate     soi.soinfo_appdata = (void *)ssoip;
993*0Sstevel@tonic-gate     if ( prldap_set_default_socket_info( ld, &soi ) != LDAP_SUCCESS ) {
994*0Sstevel@tonic-gate         goto reset_socket_and_exit_with_error;
995*0Sstevel@tonic-gate     }
996*0Sstevel@tonic-gate 
997*0Sstevel@tonic-gate     /*
998*0Sstevel@tonic-gate      * Install certificate hook function.
999*0Sstevel@tonic-gate      */
1000*0Sstevel@tonic-gate     if ( SSL_AuthCertificateHook( soi.soinfo_prfd,
1001*0Sstevel@tonic-gate                                   (SSLAuthCertificate)ldapssl_AuthCertificate,
1002*0Sstevel@tonic-gate                                   (void *)CERT_GetDefaultCertDB()) != 0 ) {
1003*0Sstevel@tonic-gate         goto reset_socket_and_exit_with_error;
1004*0Sstevel@tonic-gate     }
1005*0Sstevel@tonic-gate 
1006*0Sstevel@tonic-gate     if ( SSL_GetClientAuthDataHook( soi.soinfo_prfd,
1007*0Sstevel@tonic-gate                 get_clientauth_data, sseip->lssei_certnickname ? sseip : NULL )
1008*0Sstevel@tonic-gate 		!= 0 ) {
1009*0Sstevel@tonic-gate         goto reset_socket_and_exit_with_error;
1010*0Sstevel@tonic-gate     }
1011*0Sstevel@tonic-gate 
1012*0Sstevel@tonic-gate     return 0;
1013*0Sstevel@tonic-gate 
1014*0Sstevel@tonic-gate  reset_socket_and_exit_with_error:
1015*0Sstevel@tonic-gate     if ( NULL != sslfd ) {
1016*0Sstevel@tonic-gate         /*
1017*0Sstevel@tonic-gate          * "Unimport" the socket from SSL, i.e. get rid of the upper layer of
1018*0Sstevel@tonic-gate          * the file descriptor stack, which represents SSL.
1019*0Sstevel@tonic-gate          */
1020*0Sstevel@tonic-gate         soi.soinfo_prfd = sslfd;
1021*0Sstevel@tonic-gate         sslfd = PR_PopIOLayer( soi.soinfo_prfd, PR_TOP_IO_LAYER );
1022*0Sstevel@tonic-gate         sslfd->dtor( sslfd );
1023*0Sstevel@tonic-gate     }
1024*0Sstevel@tonic-gate     if ( NULL != ssoip ) {
1025*0Sstevel@tonic-gate         ldapssl_free_socket_info( &ssoip );
1026*0Sstevel@tonic-gate         soi.soinfo_appdata = NULL;
1027*0Sstevel@tonic-gate     }
1028*0Sstevel@tonic-gate     prldap_set_default_socket_info( ld, &soi );
1029*0Sstevel@tonic-gate 
1030*0Sstevel@tonic-gate     return( -1 );
1031*0Sstevel@tonic-gate }
1032*0Sstevel@tonic-gate 
1033*0Sstevel@tonic-gate 
1034*0Sstevel@tonic-gate /*
1035*0Sstevel@tonic-gate  * Reset an LDAP session from SSL to a non-secure status.
1036*0Sstevel@tonic-gate  * Basically, this function undoes the work done by ldapssl_install_routines.
1037*0Sstevel@tonic-gate  */
ldapssl_reset_to_nonsecure(LDAP * ld)1038*0Sstevel@tonic-gate int ldapssl_reset_to_nonsecure ( LDAP *ld )
1039*0Sstevel@tonic-gate {
1040*0Sstevel@tonic-gate     PRLDAPSessionInfo   sei;
1041*0Sstevel@tonic-gate     LDAPSSLSessionInfo  *sseip;
1042*0Sstevel@tonic-gate 
1043*0Sstevel@tonic-gate     struct ldap_x_ext_io_fns    iofns;
1044*0Sstevel@tonic-gate     int rc = 0;
1045*0Sstevel@tonic-gate 
1046*0Sstevel@tonic-gate     /*
1047*0Sstevel@tonic-gate      * Retrieve session info.
1048*0Sstevel@tonic-gate      */
1049*0Sstevel@tonic-gate     memset( &sei, 0, sizeof(sei));
1050*0Sstevel@tonic-gate     sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
1051*0Sstevel@tonic-gate     if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
1052*0Sstevel@tonic-gate         return( -1 );
1053*0Sstevel@tonic-gate     }
1054*0Sstevel@tonic-gate     sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
1055*0Sstevel@tonic-gate 
1056*0Sstevel@tonic-gate     if ( sseip != NULL ) {
1057*0Sstevel@tonic-gate         /*
1058*0Sstevel@tonic-gate          * Reset the standard extended io functions.
1059*0Sstevel@tonic-gate          */
1060*0Sstevel@tonic-gate         memset( &iofns, 0, sizeof(iofns));
1061*0Sstevel@tonic-gate         iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
1062*0Sstevel@tonic-gate         if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
1063*0Sstevel@tonic-gate 		< 0) {
1064*0Sstevel@tonic-gate             rc = -1;
1065*0Sstevel@tonic-gate             goto free_session_info;
1066*0Sstevel@tonic-gate         }
1067*0Sstevel@tonic-gate 
1068*0Sstevel@tonic-gate         /* reset socket, connect, and ioctl */
1069*0Sstevel@tonic-gate         iofns.lextiof_connect = sseip->lssei_std_functions.lssf_connect_fn;
1070*0Sstevel@tonic-gate         iofns.lextiof_close = sseip->lssei_std_functions.lssf_close_fn;
1071*0Sstevel@tonic-gate         iofns.lextiof_disposehandle =
1072*0Sstevel@tonic-gate 			sseip->lssei_std_functions.lssf_disposehdl_fn;
1073*0Sstevel@tonic-gate 
1074*0Sstevel@tonic-gate         if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
1075*0Sstevel@tonic-gate 		< 0) {
1076*0Sstevel@tonic-gate             rc = -1;
1077*0Sstevel@tonic-gate             goto free_session_info;
1078*0Sstevel@tonic-gate         }
1079*0Sstevel@tonic-gate 
1080*0Sstevel@tonic-gate free_session_info:
1081*0Sstevel@tonic-gate         ldapssl_free_session_info( &sseip );
1082*0Sstevel@tonic-gate         sei.seinfo_appdata = NULL;
1083*0Sstevel@tonic-gate         if ( prldap_set_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
1084*0Sstevel@tonic-gate             rc = -1;
1085*0Sstevel@tonic-gate         }
1086*0Sstevel@tonic-gate     } /* if ( sseip && *sseip ) */
1087*0Sstevel@tonic-gate 
1088*0Sstevel@tonic-gate     if ( ldap_set_option( ld, LDAP_OPT_SSL, LDAP_OPT_OFF ) < 0 ) {
1089*0Sstevel@tonic-gate         return (-1);
1090*0Sstevel@tonic-gate     }
1091*0Sstevel@tonic-gate 
1092*0Sstevel@tonic-gate     return rc;
1093*0Sstevel@tonic-gate }
1094*0Sstevel@tonic-gate 
1095*0Sstevel@tonic-gate 
1096*0Sstevel@tonic-gate #ifdef _SOLARIS_SDK
1097*0Sstevel@tonic-gate static void
_nss_initf_ipnodes(nss_db_params_t * p)1098*0Sstevel@tonic-gate _nss_initf_ipnodes(nss_db_params_t *p)
1099*0Sstevel@tonic-gate {
1100*0Sstevel@tonic-gate 	static char *no_service = "";
1101*0Sstevel@tonic-gate 
1102*0Sstevel@tonic-gate 	p->name = NSS_DBNAM_IPNODES;
1103*0Sstevel@tonic-gate         p->flags |= NSS_USE_DEFAULT_CONFIG;
1104*0Sstevel@tonic-gate         p->default_config = host_service == NULL ? no_service : host_service;
1105*0Sstevel@tonic-gate }
1106*0Sstevel@tonic-gate 
1107*0Sstevel@tonic-gate static void
_nss_initf_hosts(nss_db_params_t * p)1108*0Sstevel@tonic-gate _nss_initf_hosts(nss_db_params_t *p)
1109*0Sstevel@tonic-gate {
1110*0Sstevel@tonic-gate 	static char *no_service = "";
1111*0Sstevel@tonic-gate 
1112*0Sstevel@tonic-gate 	p->name = NSS_DBNAM_HOSTS;
1113*0Sstevel@tonic-gate         p->flags |= NSS_USE_DEFAULT_CONFIG;
1114*0Sstevel@tonic-gate         p->default_config = host_service == NULL ? no_service : host_service;
1115*0Sstevel@tonic-gate }
1116*0Sstevel@tonic-gate 
1117*0Sstevel@tonic-gate static struct hostent *
_switch_gethostbyaddr_r(const char * addr,int len,int type,struct hostent * result,char * buffer,int buflen,int * h_errnop)1118*0Sstevel@tonic-gate _switch_gethostbyaddr_r(const char *addr, int len, int type,
1119*0Sstevel@tonic-gate 	struct hostent *result, char *buffer, int buflen,
1120*0Sstevel@tonic-gate 	int *h_errnop)
1121*0Sstevel@tonic-gate {
1122*0Sstevel@tonic-gate         nss_XbyY_args_t arg;
1123*0Sstevel@tonic-gate         nss_status_t    res;
1124*0Sstevel@tonic-gate 	int		(*str2ent)();
1125*0Sstevel@tonic-gate 	void		(*nss_initf)();
1126*0Sstevel@tonic-gate 	nss_db_root_t	*nss_db_root;
1127*0Sstevel@tonic-gate 
1128*0Sstevel@tonic-gate 	if (AF_INET == type) {
1129*0Sstevel@tonic-gate 		str2ent		= str2hostent;
1130*0Sstevel@tonic-gate 		nss_initf	= _nss_initf_hosts;
1131*0Sstevel@tonic-gate 		nss_db_root	= &db_root_hosts;
1132*0Sstevel@tonic-gate 	} else if (AF_INET6 == type) {
1133*0Sstevel@tonic-gate 		str2ent		= str2hostent6;
1134*0Sstevel@tonic-gate 		nss_initf	= _nss_initf_ipnodes;
1135*0Sstevel@tonic-gate 		nss_db_root	= &db_root_ipnodes;
1136*0Sstevel@tonic-gate 	} else {
1137*0Sstevel@tonic-gate 		return NULL;
1138*0Sstevel@tonic-gate 	}
1139*0Sstevel@tonic-gate 
1140*0Sstevel@tonic-gate 	NSS_XbyY_INIT(&arg, result, buffer, buflen, str2ent);
1141*0Sstevel@tonic-gate 
1142*0Sstevel@tonic-gate         arg.key.hostaddr.addr	= addr;
1143*0Sstevel@tonic-gate         arg.key.hostaddr.len	= len;
1144*0Sstevel@tonic-gate         arg.key.hostaddr.type	= type;
1145*0Sstevel@tonic-gate         arg.stayopen		= 0;
1146*0Sstevel@tonic-gate 
1147*0Sstevel@tonic-gate         res = nss_search(nss_db_root, nss_initf,
1148*0Sstevel@tonic-gate         	NSS_DBOP_HOSTS_BYADDR, &arg);
1149*0Sstevel@tonic-gate         arg.status = res;
1150*0Sstevel@tonic-gate         *h_errnop = arg.h_errno;
1151*0Sstevel@tonic-gate         return (struct hostent *)NSS_XbyY_FINI(&arg);
1152*0Sstevel@tonic-gate }
1153*0Sstevel@tonic-gate 
1154*0Sstevel@tonic-gate /*
1155*0Sstevel@tonic-gate  * ns_gethostbyaddr is used to be a substitute gethostbyaddr for
1156*0Sstevel@tonic-gate  * libldap when ssl will need to determine the fully qualified
1157*0Sstevel@tonic-gate  * host name from an address when it is unsafe to use the normal
1158*0Sstevel@tonic-gate  * nameservice functions.
1159*0Sstevel@tonic-gate  *
1160*0Sstevel@tonic-gate  * Note that the ldap name service resolver calls this with the address as
1161*0Sstevel@tonic-gate  * a character string - which we must convert into address form.
1162*0Sstevel@tonic-gate  */
1163*0Sstevel@tonic-gate 
1164*0Sstevel@tonic-gate /*ARGSUSED*/
1165*0Sstevel@tonic-gate static LDAPHostEnt *
ns_gethostbyaddr(const char * addr,int len,int type,LDAPHostEnt * result,char * buffer,int buflen,int * statusp,void * extradata)1166*0Sstevel@tonic-gate ns_gethostbyaddr(const char *addr, int len, int type,
1167*0Sstevel@tonic-gate 	LDAPHostEnt *result, char *buffer, int buflen, int *statusp,
1168*0Sstevel@tonic-gate 	void *extradata)
1169*0Sstevel@tonic-gate {
1170*0Sstevel@tonic-gate 	LDAPHostEnt	*ldap_hent;
1171*0Sstevel@tonic-gate 	int		h_errno;
1172*0Sstevel@tonic-gate 	struct hostent	h_ent;
1173*0Sstevel@tonic-gate 	struct hostent	*h_e = NULL;
1174*0Sstevel@tonic-gate 	struct in_addr	a;
1175*0Sstevel@tonic-gate 	struct in6_addr	a6;
1176*0Sstevel@tonic-gate 	int		inet_error;	/* error returned by inet_pton */
1177*0Sstevel@tonic-gate 
1178*0Sstevel@tonic-gate 
1179*0Sstevel@tonic-gate 	if (addr == NULL || result == NULL || buffer == NULL ||
1180*0Sstevel@tonic-gate 			(type != AF_INET && type != AF_INET6))
1181*0Sstevel@tonic-gate 		return (NULL);
1182*0Sstevel@tonic-gate 
1183*0Sstevel@tonic-gate 
1184*0Sstevel@tonic-gate 	(void) memset(&h_ent, 0, sizeof (h_ent));
1185*0Sstevel@tonic-gate 
1186*0Sstevel@tonic-gate 	if (AF_INET == type) {
1187*0Sstevel@tonic-gate 		if (inet_pton(type, addr, &a.s_addr) == 1) {
1188*0Sstevel@tonic-gate 			h_e = _switch_gethostbyaddr_r((char *)&a,
1189*0Sstevel@tonic-gate 				sizeof (a.s_addr), type, &h_ent,
1190*0Sstevel@tonic-gate 				buffer, buflen, &h_errno);
1191*0Sstevel@tonic-gate 		}
1192*0Sstevel@tonic-gate 	} else if (AF_INET6 == type) {
1193*0Sstevel@tonic-gate 		if (inet_pton(type, addr, &a6.s6_addr) == 1) {
1194*0Sstevel@tonic-gate 			h_e = _switch_gethostbyaddr_r((char *)&a6,
1195*0Sstevel@tonic-gate 				sizeof (a6.s6_addr), type, &h_ent,
1196*0Sstevel@tonic-gate 				buffer, buflen, &h_errno);
1197*0Sstevel@tonic-gate 		}
1198*0Sstevel@tonic-gate 	}
1199*0Sstevel@tonic-gate 
1200*0Sstevel@tonic-gate 	if (h_e == NULL) {
1201*0Sstevel@tonic-gate 		ldap_hent = NULL;
1202*0Sstevel@tonic-gate 	} else {
1203*0Sstevel@tonic-gate 		(void) memset(result, 0, sizeof (LDAPHostEnt));
1204*0Sstevel@tonic-gate 		ldap_hent = result;
1205*0Sstevel@tonic-gate 		result->ldaphe_name = h_e->h_name;
1206*0Sstevel@tonic-gate  		result->ldaphe_aliases = h_e->h_aliases;
1207*0Sstevel@tonic-gate  		result->ldaphe_addrtype = h_e->h_addrtype;
1208*0Sstevel@tonic-gate  		result->ldaphe_length = h_e->h_length;
1209*0Sstevel@tonic-gate  		result->ldaphe_addr_list = h_e->h_addr_list;
1210*0Sstevel@tonic-gate 	}
1211*0Sstevel@tonic-gate 	return (ldap_hent);
1212*0Sstevel@tonic-gate }
1213*0Sstevel@tonic-gate 
1214*0Sstevel@tonic-gate /*
1215*0Sstevel@tonic-gate  * ldapssl_install_gethostbyaddr attempts to prevent recursion in
1216*0Sstevel@tonic-gate  * gethostbyaddr calls when an ip address is given to ssl. This ip address
1217*0Sstevel@tonic-gate  * must be resolved to a host name.
1218*0Sstevel@tonic-gate  *
1219*0Sstevel@tonic-gate  * For example, libsldap cannot use LDAP to resolve this address to a
1220*0Sstevel@tonic-gate  * name because of recursion. The caller is instructing libldap to skip
1221*0Sstevel@tonic-gate  * the specified name service when resolving addresses for the specified
1222*0Sstevel@tonic-gate  * ldap connection.
1223*0Sstevel@tonic-gate  *
1224*0Sstevel@tonic-gate  * Currently only ldap and dns name services always return fully qualified
1225*0Sstevel@tonic-gate  * names. The other name services (files, nis, and nisplus) will returned
1226*0Sstevel@tonic-gate  * fully qualified names if the host names are stored as fully qualified names
1227*0Sstevel@tonic-gate  * in these name services.
1228*0Sstevel@tonic-gate  *
1229*0Sstevel@tonic-gate  * Note:
1230*0Sstevel@tonic-gate  *
1231*0Sstevel@tonic-gate  *	Since host_service applies to all connections, calling
1232*0Sstevel@tonic-gate  *	ldapssl_install_gethostbyaddr with different name services to
1233*0Sstevel@tonic-gate  *	skip will lead to unpredictable results.
1234*0Sstevel@tonic-gate  *
1235*0Sstevel@tonic-gate  * Returns:
1236*0Sstevel@tonic-gate  *	0	if success
1237*0Sstevel@tonic-gate  *	-1	if failure
1238*0Sstevel@tonic-gate  */
1239*0Sstevel@tonic-gate 
1240*0Sstevel@tonic-gate int
ldapssl_install_gethostbyaddr(LDAP * ld,const char * skip)1241*0Sstevel@tonic-gate ldapssl_install_gethostbyaddr(LDAP *ld, const char *skip)
1242*0Sstevel@tonic-gate {
1243*0Sstevel@tonic-gate 	enum __nsw_parse_err		pserr;
1244*0Sstevel@tonic-gate 	struct __nsw_switchconfig	*conf;
1245*0Sstevel@tonic-gate 	struct __nsw_lookup		*lkp;
1246*0Sstevel@tonic-gate 	struct ldap_dns_fns		dns_fns;
1247*0Sstevel@tonic-gate 	char				*name_list = NULL;
1248*0Sstevel@tonic-gate 	char				*tmp;
1249*0Sstevel@tonic-gate 	const char			*name;
1250*0Sstevel@tonic-gate 	int				len;
1251*0Sstevel@tonic-gate 	boolean_t			got_skip = B_FALSE;
1252*0Sstevel@tonic-gate 
1253*0Sstevel@tonic-gate 	/*
1254*0Sstevel@tonic-gate 	 * db_root_hosts.lock mutex is used to ensure that the name list
1255*0Sstevel@tonic-gate 	 * is not in use by the name service switch while we are updating
1256*0Sstevel@tonic-gate 	 * the host_service
1257*0Sstevel@tonic-gate 	 */
1258*0Sstevel@tonic-gate 
1259*0Sstevel@tonic-gate 	(void) mutex_lock(&db_root_hosts.lock);
1260*0Sstevel@tonic-gate 	conf = __nsw_getconfig("hosts", &pserr);
1261*0Sstevel@tonic-gate 	if (conf == NULL) {
1262*0Sstevel@tonic-gate 		(void) mutex_unlock(&db_root_hosts.lock);
1263*0Sstevel@tonic-gate 		return (0);
1264*0Sstevel@tonic-gate 	}
1265*0Sstevel@tonic-gate 
1266*0Sstevel@tonic-gate 	/* check for ldap and count other backends */
1267*0Sstevel@tonic-gate 	for (lkp = conf->lookups; lkp != NULL; lkp = lkp->next) {
1268*0Sstevel@tonic-gate 		name = lkp->service_name;
1269*0Sstevel@tonic-gate 		if (strcmp(name, skip) == 0) {
1270*0Sstevel@tonic-gate 			got_skip = B_TRUE;
1271*0Sstevel@tonic-gate 			continue;
1272*0Sstevel@tonic-gate 		}
1273*0Sstevel@tonic-gate 		if (name_list == NULL)
1274*0Sstevel@tonic-gate 			name_list = strdup(name);
1275*0Sstevel@tonic-gate 		else {
1276*0Sstevel@tonic-gate 			len = strlen(name_list);
1277*0Sstevel@tonic-gate 			tmp = realloc(name_list, len + strlen(name) + 2);
1278*0Sstevel@tonic-gate 			if (tmp == NULL) {
1279*0Sstevel@tonic-gate 				free(name_list);
1280*0Sstevel@tonic-gate 				name_list = NULL;
1281*0Sstevel@tonic-gate 			} else {
1282*0Sstevel@tonic-gate 				name_list = tmp;
1283*0Sstevel@tonic-gate 				name_list[len++] = ' ';
1284*0Sstevel@tonic-gate 				(void) strcpy(name_list+len, name);
1285*0Sstevel@tonic-gate 			}
1286*0Sstevel@tonic-gate 		}
1287*0Sstevel@tonic-gate 		if (name_list == NULL) {	/* alloc error */
1288*0Sstevel@tonic-gate 			(void) mutex_unlock(&db_root_hosts.lock);
1289*0Sstevel@tonic-gate 			__nsw_freeconfig(conf);
1290*0Sstevel@tonic-gate 			return (-1);
1291*0Sstevel@tonic-gate 		}
1292*0Sstevel@tonic-gate 	}
1293*0Sstevel@tonic-gate 	__nsw_freeconfig(conf);
1294*0Sstevel@tonic-gate 	if (!got_skip) {
1295*0Sstevel@tonic-gate 		/*
1296*0Sstevel@tonic-gate 		 * Since skip name service not used for hosts, we do not need
1297*0Sstevel@tonic-gate 		 * to install our private address resolution function
1298*0Sstevel@tonic-gate 		 */
1299*0Sstevel@tonic-gate 		(void) mutex_unlock(&db_root_hosts.lock);
1300*0Sstevel@tonic-gate 		if (name_list != NULL)
1301*0Sstevel@tonic-gate 			free(name_list);
1302*0Sstevel@tonic-gate 		return (0);
1303*0Sstevel@tonic-gate 	}
1304*0Sstevel@tonic-gate 	if (host_service != NULL)
1305*0Sstevel@tonic-gate 		free(host_service);
1306*0Sstevel@tonic-gate 	host_service = name_list;
1307*0Sstevel@tonic-gate 	(void) mutex_unlock(&db_root_hosts.lock);
1308*0Sstevel@tonic-gate 
1309*0Sstevel@tonic-gate 	if (ldap_get_option(ld, LDAP_OPT_DNS_FN_PTRS, &dns_fns) != 0)
1310*0Sstevel@tonic-gate 		return (-1);
1311*0Sstevel@tonic-gate 	dns_fns.lddnsfn_gethostbyaddr = ns_gethostbyaddr;
1312*0Sstevel@tonic-gate 	if (ldap_set_option(ld, LDAP_OPT_DNS_FN_PTRS, &dns_fns) != 0)
1313*0Sstevel@tonic-gate 		return (-1);
1314*0Sstevel@tonic-gate 	return (0);
1315*0Sstevel@tonic-gate }
1316*0Sstevel@tonic-gate #endif	/* _SOLARIS_SDK */
1317*0Sstevel@tonic-gate #endif /* NET_SSL */
1318