1 /* $NetBSD: tls2.c,v 1.4 2021/09/06 17:34:33 rillig Exp $ */ 2 3 /* tls.c - Handle tls/ssl. */ 4 /* $OpenLDAP$ */ 5 /* This work is part of OpenLDAP Software <http://www.openldap.org/>. 6 * 7 * Copyright 1998-2021 The OpenLDAP Foundation. 8 * All rights reserved. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted only as authorized by the OpenLDAP 12 * Public License. 13 * 14 * A copy of this license is available in the file LICENSE in the 15 * top-level directory of the distribution or, alternatively, at 16 * <http://www.OpenLDAP.org/license.html>. 17 */ 18 /* ACKNOWLEDGEMENTS: restructured by Howard Chu. 19 */ 20 21 #include <sys/cdefs.h> 22 __RCSID("$NetBSD: tls2.c,v 1.4 2021/09/06 17:34:33 rillig Exp $"); 23 24 #include "portable.h" 25 #include "ldap_config.h" 26 27 #include <stdio.h> 28 29 #include <ac/stdlib.h> 30 #include <ac/errno.h> 31 #include <ac/socket.h> 32 #include <ac/string.h> 33 #include <ac/ctype.h> 34 #include <ac/time.h> 35 #include <ac/unistd.h> 36 #include <ac/param.h> 37 #include <ac/dirent.h> 38 39 #include "ldap-int.h" 40 41 #ifdef HAVE_TLS 42 43 #include "ldap-tls.h" 44 45 static tls_impl *tls_imp = &ldap_int_tls_impl; 46 #define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \ 47 (void *)tls_imp->ti_sbio ) 48 49 #endif /* HAVE_TLS */ 50 51 /* RFC2459 minimum required set of supported attribute types 52 * in a certificate DN 53 */ 54 typedef struct oid_name { 55 struct berval oid; 56 struct berval name; 57 } oid_name; 58 59 static oid_name oids[] = { 60 { BER_BVC("2.5.4.3"), BER_BVC("cn") }, 61 { BER_BVC("2.5.4.4"), BER_BVC("sn") }, 62 { BER_BVC("2.5.4.6"), BER_BVC("c") }, 63 { BER_BVC("2.5.4.7"), BER_BVC("l") }, 64 { BER_BVC("2.5.4.8"), BER_BVC("st") }, 65 { BER_BVC("2.5.4.10"), BER_BVC("o") }, 66 { BER_BVC("2.5.4.11"), BER_BVC("ou") }, 67 { BER_BVC("2.5.4.12"), BER_BVC("title") }, 68 { BER_BVC("2.5.4.41"), BER_BVC("name") }, 69 { BER_BVC("2.5.4.42"), BER_BVC("givenName") }, 70 { BER_BVC("2.5.4.43"), BER_BVC("initials") }, 71 { BER_BVC("2.5.4.44"), BER_BVC("generationQualifier") }, 72 { BER_BVC("2.5.4.46"), BER_BVC("dnQualifier") }, 73 { BER_BVC("1.2.840.113549.1.9.1"), BER_BVC("email") }, 74 { BER_BVC("0.9.2342.19200300.100.1.25"), BER_BVC("dc") }, 75 { BER_BVNULL, BER_BVNULL } 76 }; 77 78 #ifdef HAVE_TLS 79 80 LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in )); 81 LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der )); 82 83 void 84 ldap_pvt_tls_ctx_free ( void *c ) 85 { 86 if ( !c ) return; 87 tls_imp->ti_ctx_free( c ); 88 } 89 90 static void 91 tls_ctx_ref( tls_ctx *ctx ) 92 { 93 if ( !ctx ) return; 94 95 tls_imp->ti_ctx_ref( ctx ); 96 } 97 98 #ifdef LDAP_R_COMPILE 99 /* 100 * an extra mutex for the default ctx. 101 */ 102 static ldap_pvt_thread_mutex_t tls_def_ctx_mutex; 103 #endif 104 105 void 106 ldap_int_tls_destroy( struct ldapoptions *lo ) 107 { 108 if ( lo->ldo_tls_ctx ) { 109 ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); 110 lo->ldo_tls_ctx = NULL; 111 } 112 113 if ( lo->ldo_tls_certfile ) { 114 LDAP_FREE( lo->ldo_tls_certfile ); 115 lo->ldo_tls_certfile = NULL; 116 } 117 if ( lo->ldo_tls_keyfile ) { 118 LDAP_FREE( lo->ldo_tls_keyfile ); 119 lo->ldo_tls_keyfile = NULL; 120 } 121 if ( lo->ldo_tls_dhfile ) { 122 LDAP_FREE( lo->ldo_tls_dhfile ); 123 lo->ldo_tls_dhfile = NULL; 124 } 125 if ( lo->ldo_tls_ecname ) { 126 LDAP_FREE( lo->ldo_tls_ecname ); 127 lo->ldo_tls_ecname = NULL; 128 } 129 if ( lo->ldo_tls_cacertfile ) { 130 LDAP_FREE( lo->ldo_tls_cacertfile ); 131 lo->ldo_tls_cacertfile = NULL; 132 } 133 if ( lo->ldo_tls_cacertdir ) { 134 LDAP_FREE( lo->ldo_tls_cacertdir ); 135 lo->ldo_tls_cacertdir = NULL; 136 } 137 if ( lo->ldo_tls_ciphersuite ) { 138 LDAP_FREE( lo->ldo_tls_ciphersuite ); 139 lo->ldo_tls_ciphersuite = NULL; 140 } 141 if ( lo->ldo_tls_crlfile ) { 142 LDAP_FREE( lo->ldo_tls_crlfile ); 143 lo->ldo_tls_crlfile = NULL; 144 } 145 /* tls_pin_hashalg and tls_pin share the same buffer */ 146 if ( lo->ldo_tls_pin_hashalg ) { 147 LDAP_FREE( lo->ldo_tls_pin_hashalg ); 148 lo->ldo_tls_pin_hashalg = NULL; 149 } else { 150 LDAP_FREE( lo->ldo_tls_pin.bv_val ); 151 } 152 BER_BVZERO( &lo->ldo_tls_pin ); 153 } 154 155 /* 156 * Tear down the TLS subsystem. Should only be called once. 157 */ 158 void 159 ldap_pvt_tls_destroy( void ) 160 { 161 struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT(); 162 163 ldap_int_tls_destroy( lo ); 164 165 tls_imp->ti_tls_destroy(); 166 } 167 168 /* 169 * Initialize a particular TLS implementation. 170 * Called once per implementation. 171 */ 172 static int 173 tls_init(tls_impl *impl, int do_threads ) 174 { 175 static int tls_initialized = 0; 176 177 if ( !tls_initialized++ ) { 178 #ifdef LDAP_R_COMPILE 179 ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex ); 180 #endif 181 } 182 183 if ( impl->ti_inited++ ) return 0; 184 185 if ( do_threads ) { 186 #ifdef LDAP_R_COMPILE 187 impl->ti_thr_init(); 188 #endif 189 } 190 191 return impl->ti_tls_init(); 192 } 193 194 /* 195 * Initialize TLS subsystem. Called once per implementation. 196 */ 197 int 198 ldap_pvt_tls_init( int do_threads ) 199 { 200 return tls_init( tls_imp, do_threads ); 201 } 202 203 /* 204 * initialize a new TLS context 205 */ 206 static int 207 ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) 208 { 209 int rc = 0; 210 tls_impl *ti = tls_imp; 211 struct ldaptls lts = lo->ldo_tls_info; 212 213 if ( lo->ldo_tls_ctx ) 214 return 0; 215 216 tls_init( ti, 0 ); 217 218 if ( is_server && !lts.lt_certfile && !lts.lt_keyfile && 219 !lts.lt_cacertfile && !lts.lt_cacertdir && 220 !lts.lt_cacert.bv_val && !lts.lt_cert.bv_val && 221 !lts.lt_key.bv_val ) { 222 /* minimum configuration not provided */ 223 return LDAP_NOT_SUPPORTED; 224 } 225 226 #ifdef HAVE_EBCDIC 227 /* This ASCII/EBCDIC handling is a real pain! */ 228 if ( lts.lt_ciphersuite ) { 229 lts.lt_ciphersuite = LDAP_STRDUP( lts.lt_ciphersuite ); 230 __atoe( lts.lt_ciphersuite ); 231 } 232 if ( lts.lt_cacertfile ) { 233 lts.lt_cacertfile = LDAP_STRDUP( lts.lt_cacertfile ); 234 __atoe( lts.lt_cacertfile ); 235 } 236 if ( lts.lt_certfile ) { 237 lts.lt_certfile = LDAP_STRDUP( lts.lt_certfile ); 238 __atoe( lts.lt_certfile ); 239 } 240 if ( lts.lt_keyfile ) { 241 lts.lt_keyfile = LDAP_STRDUP( lts.lt_keyfile ); 242 __atoe( lts.lt_keyfile ); 243 } 244 if ( lts.lt_crlfile ) { 245 lts.lt_crlfile = LDAP_STRDUP( lts.lt_crlfile ); 246 __atoe( lts.lt_crlfile ); 247 } 248 if ( lts.lt_cacertdir ) { 249 lts.lt_cacertdir = LDAP_STRDUP( lts.lt_cacertdir ); 250 __atoe( lts.lt_cacertdir ); 251 } 252 if ( lts.lt_dhfile ) { 253 lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile ); 254 __atoe( lts.lt_dhfile ); 255 } 256 if ( lts.lt_ecname ) { 257 lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname ); 258 __atoe( lts.lt_ecname ); 259 } 260 #endif 261 lo->ldo_tls_ctx = ti->ti_ctx_new( lo ); 262 if ( lo->ldo_tls_ctx == NULL ) { 263 Debug0( LDAP_DEBUG_ANY, 264 "TLS: could not allocate default ctx.\n" ); 265 rc = -1; 266 goto error_exit; 267 } 268 269 rc = ti->ti_ctx_init( lo, <s, is_server ); 270 271 error_exit: 272 if ( rc < 0 && lo->ldo_tls_ctx != NULL ) { 273 ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); 274 lo->ldo_tls_ctx = NULL; 275 } 276 #ifdef HAVE_EBCDIC 277 LDAP_FREE( lts.lt_ciphersuite ); 278 LDAP_FREE( lts.lt_cacertfile ); 279 LDAP_FREE( lts.lt_certfile ); 280 LDAP_FREE( lts.lt_keyfile ); 281 LDAP_FREE( lts.lt_crlfile ); 282 LDAP_FREE( lts.lt_cacertdir ); 283 LDAP_FREE( lts.lt_dhfile ); 284 LDAP_FREE( lts.lt_ecname ); 285 #endif 286 return rc; 287 } 288 289 /* 290 * initialize the default context 291 */ 292 int 293 ldap_pvt_tls_init_def_ctx( int is_server ) 294 { 295 struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT(); 296 int rc; 297 LDAP_MUTEX_LOCK( &tls_def_ctx_mutex ); 298 rc = ldap_int_tls_init_ctx( lo, is_server ); 299 LDAP_MUTEX_UNLOCK( &tls_def_ctx_mutex ); 300 return rc; 301 } 302 303 static tls_session * 304 alloc_handle( void *ctx_arg, int is_server ) 305 { 306 tls_ctx *ctx; 307 tls_session *ssl; 308 309 if ( ctx_arg ) { 310 ctx = ctx_arg; 311 } else { 312 struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT(); 313 if ( ldap_pvt_tls_init_def_ctx( is_server ) < 0 ) return NULL; 314 ctx = lo->ldo_tls_ctx; 315 } 316 317 ssl = tls_imp->ti_session_new( ctx, is_server ); 318 if ( ssl == NULL ) { 319 Debug0( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n" ); 320 return NULL; 321 } 322 return ssl; 323 } 324 325 static int 326 update_flags( Sockbuf *sb, tls_session * ssl, int rc ) 327 { 328 sb->sb_trans_needs_read = 0; 329 sb->sb_trans_needs_write = 0; 330 331 return tls_imp->ti_session_upflags( sb, ssl, rc ); 332 } 333 334 /* 335 * Call this to do a TLS connect on a sockbuf. ctx_arg can be 336 * a SSL_CTX * or NULL, in which case the default ctx is used. 337 * 338 * Return value: 339 * 340 * 0 - Success. Connection is ready for communication. 341 * <0 - Error. Can't create a TLS stream. 342 * >0 - Partial success. 343 * Do a select (using information from lber_pvt_sb_needs_{read,write} 344 * and call again. 345 */ 346 347 static int 348 ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host ) 349 { 350 Sockbuf *sb = conn->lconn_sb; 351 int err; 352 tls_session *ssl = NULL; 353 char *sni = (char *)host; 354 355 if ( HAS_TLS( sb )) { 356 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); 357 } else { 358 struct ldapoptions *lo; 359 tls_ctx *ctx; 360 361 ctx = ld->ld_options.ldo_tls_ctx; 362 363 ssl = alloc_handle( ctx, 0 ); 364 365 if ( ssl == NULL ) return -1; 366 367 #ifdef LDAP_DEBUG 368 ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug, 369 LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" ); 370 #endif 371 ber_sockbuf_add_io( sb, tls_imp->ti_sbio, 372 LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl ); 373 374 lo = LDAP_INT_GLOBAL_OPT(); 375 if( ctx == NULL ) { 376 ctx = lo->ldo_tls_ctx; 377 ld->ld_options.ldo_tls_ctx = ctx; 378 tls_ctx_ref( ctx ); 379 } 380 if ( ld->ld_options.ldo_tls_connect_cb ) 381 ld->ld_options.ldo_tls_connect_cb( ld, ssl, ctx, 382 ld->ld_options.ldo_tls_connect_arg ); 383 if ( lo && lo->ldo_tls_connect_cb && lo->ldo_tls_connect_cb != 384 ld->ld_options.ldo_tls_connect_cb ) 385 lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg ); 386 } 387 388 /* pass hostname for SNI, but only if it's an actual name 389 * and not a numeric address 390 */ 391 { 392 int numeric = 1; 393 char *c; 394 for ( c = sni; *c; c++ ) { 395 if ( *c == ':' ) /* IPv6 address */ 396 break; 397 if ( *c == '.' ) 398 continue; 399 if ( !isdigit( (unsigned char)*c )) { 400 numeric = 0; 401 break; 402 } 403 } 404 if ( numeric ) 405 sni = NULL; 406 } 407 err = tls_imp->ti_session_connect( ld, ssl, sni ); 408 409 #ifdef HAVE_WINSOCK 410 errno = WSAGetLastError(); 411 #endif 412 413 if ( err == 0 ) { 414 err = ldap_pvt_tls_check_hostname( ld, ssl, host ); 415 } 416 417 if ( err < 0 ) 418 { 419 char buf[256], *msg; 420 if ( update_flags( sb, ssl, err )) { 421 return 1; 422 } 423 424 msg = tls_imp->ti_session_errmsg( ssl, err, buf, sizeof(buf) ); 425 if ( msg ) { 426 if ( ld->ld_error ) { 427 LDAP_FREE( ld->ld_error ); 428 } 429 ld->ld_error = LDAP_STRDUP( msg ); 430 #ifdef HAVE_EBCDIC 431 if ( ld->ld_error ) __etoa(ld->ld_error); 432 #endif 433 } 434 435 Debug1( LDAP_DEBUG_ANY,"TLS: can't connect: %s.\n", 436 ld->ld_error ? ld->ld_error : "" ); 437 438 ber_sockbuf_remove_io( sb, tls_imp->ti_sbio, 439 LBER_SBIOD_LEVEL_TRANSPORT ); 440 #ifdef LDAP_DEBUG 441 ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug, 442 LBER_SBIOD_LEVEL_TRANSPORT ); 443 #endif 444 return -1; 445 } 446 447 return 0; 448 } 449 450 int 451 ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, const char *host ) 452 { 453 LDAPConn conn = { .lconn_sb = sb }; 454 return ldap_int_tls_connect( ld, &conn, host ); 455 } 456 457 /* 458 * Call this to do a TLS accept on a sockbuf. 459 * Everything else is the same as with tls_connect. 460 */ 461 int 462 ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg ) 463 { 464 int err; 465 tls_session *ssl = NULL; 466 467 if ( HAS_TLS( sb )) { 468 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); 469 } else { 470 ssl = alloc_handle( ctx_arg, 1 ); 471 if ( ssl == NULL ) return -1; 472 473 #ifdef LDAP_DEBUG 474 ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug, 475 LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" ); 476 #endif 477 ber_sockbuf_add_io( sb, tls_imp->ti_sbio, 478 LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl ); 479 } 480 481 err = tls_imp->ti_session_accept( ssl ); 482 483 #ifdef HAVE_WINSOCK 484 errno = WSAGetLastError(); 485 #endif 486 487 if ( err < 0 ) 488 { 489 if ( update_flags( sb, ssl, err )) return 1; 490 491 if ( DebugTest( LDAP_DEBUG_ANY ) ) { 492 char buf[256], *msg; 493 msg = tls_imp->ti_session_errmsg( ssl, err, buf, sizeof(buf) ); 494 Debug1( LDAP_DEBUG_ANY,"TLS: can't accept: %s.\n", 495 msg ? msg : "(unknown)" ); 496 } 497 498 ber_sockbuf_remove_io( sb, tls_imp->ti_sbio, 499 LBER_SBIOD_LEVEL_TRANSPORT ); 500 #ifdef LDAP_DEBUG 501 ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug, 502 LBER_SBIOD_LEVEL_TRANSPORT ); 503 #endif 504 return -1; 505 } 506 return 0; 507 } 508 509 int 510 ldap_pvt_tls_inplace ( Sockbuf *sb ) 511 { 512 return HAS_TLS( sb ) ? 1 : 0; 513 } 514 515 int 516 ldap_tls_inplace( LDAP *ld ) 517 { 518 Sockbuf *sb = NULL; 519 520 if ( ld->ld_defconn && ld->ld_defconn->lconn_sb ) { 521 sb = ld->ld_defconn->lconn_sb; 522 523 } else if ( ld->ld_sb ) { 524 sb = ld->ld_sb; 525 526 } else { 527 return 0; 528 } 529 530 return ldap_pvt_tls_inplace( sb ); 531 } 532 533 int 534 ldap_pvt_tls_get_peer_dn( void *s, struct berval *dn, 535 LDAPDN_rewrite_dummy *func, unsigned flags ) 536 { 537 tls_session *session = s; 538 struct berval bvdn; 539 int rc; 540 541 rc = tls_imp->ti_session_peer_dn( session, &bvdn ); 542 if ( rc ) return rc; 543 544 rc = ldap_X509dn2bv( &bvdn, dn, 545 (LDAPDN_rewrite_func *)func, flags); 546 return rc; 547 } 548 549 int 550 ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in ) 551 { 552 tls_session *session = s; 553 554 if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && 555 ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { 556 ld->ld_errno = tls_imp->ti_session_chkhost( ld, session, name_in ); 557 if (ld->ld_errno != LDAP_SUCCESS) { 558 return ld->ld_errno; 559 } 560 } 561 562 /* 563 * If instructed to do pinning, do it now 564 */ 565 if ( !BER_BVISNULL( &ld->ld_options.ldo_tls_pin ) ) { 566 ld->ld_errno = tls_imp->ti_session_pinning( ld, s, 567 ld->ld_options.ldo_tls_pin_hashalg, 568 &ld->ld_options.ldo_tls_pin ); 569 if (ld->ld_errno != LDAP_SUCCESS) { 570 return ld->ld_errno; 571 } 572 } 573 574 return LDAP_SUCCESS; 575 } 576 577 int 578 ldap_pvt_tls_config( LDAP *ld, int option, const char *arg ) 579 { 580 int i; 581 582 switch( option ) { 583 case LDAP_OPT_X_TLS_CACERTFILE: 584 case LDAP_OPT_X_TLS_CACERTDIR: 585 case LDAP_OPT_X_TLS_CERTFILE: 586 case LDAP_OPT_X_TLS_KEYFILE: 587 case LDAP_OPT_X_TLS_RANDOM_FILE: 588 case LDAP_OPT_X_TLS_CIPHER_SUITE: 589 case LDAP_OPT_X_TLS_DHFILE: 590 case LDAP_OPT_X_TLS_PEERKEY_HASH: 591 case LDAP_OPT_X_TLS_ECNAME: 592 case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ 593 return ldap_pvt_tls_set_option( ld, option, (void *) arg ); 594 595 case LDAP_OPT_X_TLS_REQUIRE_CERT: 596 case LDAP_OPT_X_TLS_REQUIRE_SAN: 597 case LDAP_OPT_X_TLS: 598 i = -1; 599 if ( strcasecmp( arg, "never" ) == 0 ) { 600 i = LDAP_OPT_X_TLS_NEVER ; 601 602 } else if ( strcasecmp( arg, "demand" ) == 0 ) { 603 i = LDAP_OPT_X_TLS_DEMAND ; 604 605 } else if ( strcasecmp( arg, "allow" ) == 0 ) { 606 i = LDAP_OPT_X_TLS_ALLOW ; 607 608 } else if ( strcasecmp( arg, "try" ) == 0 ) { 609 i = LDAP_OPT_X_TLS_TRY ; 610 611 } else if ( ( strcasecmp( arg, "hard" ) == 0 ) || 612 ( strcasecmp( arg, "on" ) == 0 ) || 613 ( strcasecmp( arg, "yes" ) == 0) || 614 ( strcasecmp( arg, "true" ) == 0 ) ) 615 { 616 i = LDAP_OPT_X_TLS_HARD ; 617 } 618 619 if (i >= 0) { 620 return ldap_pvt_tls_set_option( ld, option, &i ); 621 } 622 return -1; 623 case LDAP_OPT_X_TLS_PROTOCOL_MAX: 624 case LDAP_OPT_X_TLS_PROTOCOL_MIN: { 625 char *next; 626 long l; 627 l = strtol( arg, &next, 10 ); 628 if ( l < 0 || l > 0xff || next == arg || 629 ( *next != '\0' && *next != '.' ) ) 630 return -1; 631 i = l << 8; 632 if (*next == '.') { 633 arg = next + 1; 634 l = strtol( arg, &next, 10 ); 635 if ( l < 0 || l > 0xff || next == arg || *next != '\0' ) 636 return -1; 637 i += l; 638 } 639 return ldap_pvt_tls_set_option( ld, option, &i ); 640 } 641 #ifdef HAVE_OPENSSL 642 case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ 643 i = -1; 644 if ( strcasecmp( arg, "none" ) == 0 ) { 645 i = LDAP_OPT_X_TLS_CRL_NONE ; 646 } else if ( strcasecmp( arg, "peer" ) == 0 ) { 647 i = LDAP_OPT_X_TLS_CRL_PEER ; 648 } else if ( strcasecmp( arg, "all" ) == 0 ) { 649 i = LDAP_OPT_X_TLS_CRL_ALL ; 650 } 651 if (i >= 0) { 652 return ldap_pvt_tls_set_option( ld, option, &i ); 653 } 654 return -1; 655 #endif 656 } 657 return -1; 658 } 659 660 int 661 ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) 662 { 663 struct ldapoptions *lo; 664 665 if( option == LDAP_OPT_X_TLS_PACKAGE ) { 666 *(char **)arg = LDAP_STRDUP( tls_imp->ti_name ); 667 return 0; 668 } 669 670 if( ld != NULL ) { 671 assert( LDAP_VALID( ld ) ); 672 673 if( !LDAP_VALID( ld ) ) { 674 return LDAP_OPT_ERROR; 675 } 676 677 lo = &ld->ld_options; 678 679 } else { 680 /* Get pointer to global option structure */ 681 lo = LDAP_INT_GLOBAL_OPT(); 682 if ( lo == NULL ) { 683 return LDAP_NO_MEMORY; 684 } 685 } 686 687 switch( option ) { 688 case LDAP_OPT_X_TLS: 689 *(int *)arg = lo->ldo_tls_mode; 690 break; 691 case LDAP_OPT_X_TLS_CTX: 692 *(void **)arg = lo->ldo_tls_ctx; 693 if ( lo->ldo_tls_ctx ) { 694 tls_ctx_ref( lo->ldo_tls_ctx ); 695 } 696 break; 697 case LDAP_OPT_X_TLS_CACERTFILE: 698 *(char **)arg = lo->ldo_tls_cacertfile ? 699 LDAP_STRDUP( lo->ldo_tls_cacertfile ) : NULL; 700 break; 701 case LDAP_OPT_X_TLS_CACERTDIR: 702 *(char **)arg = lo->ldo_tls_cacertdir ? 703 LDAP_STRDUP( lo->ldo_tls_cacertdir ) : NULL; 704 break; 705 case LDAP_OPT_X_TLS_CERTFILE: 706 *(char **)arg = lo->ldo_tls_certfile ? 707 LDAP_STRDUP( lo->ldo_tls_certfile ) : NULL; 708 break; 709 case LDAP_OPT_X_TLS_KEYFILE: 710 *(char **)arg = lo->ldo_tls_keyfile ? 711 LDAP_STRDUP( lo->ldo_tls_keyfile ) : NULL; 712 break; 713 case LDAP_OPT_X_TLS_DHFILE: 714 *(char **)arg = lo->ldo_tls_dhfile ? 715 LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; 716 break; 717 case LDAP_OPT_X_TLS_ECNAME: 718 *(char **)arg = lo->ldo_tls_ecname ? 719 LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL; 720 break; 721 case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ 722 *(char **)arg = lo->ldo_tls_crlfile ? 723 LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; 724 break; 725 case LDAP_OPT_X_TLS_REQUIRE_CERT: 726 *(int *)arg = lo->ldo_tls_require_cert; 727 break; 728 case LDAP_OPT_X_TLS_REQUIRE_SAN: 729 *(int *)arg = lo->ldo_tls_require_san; 730 break; 731 #ifdef HAVE_OPENSSL 732 case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ 733 *(int *)arg = lo->ldo_tls_crlcheck; 734 break; 735 #endif 736 case LDAP_OPT_X_TLS_CIPHER_SUITE: 737 *(char **)arg = lo->ldo_tls_ciphersuite ? 738 LDAP_STRDUP( lo->ldo_tls_ciphersuite ) : NULL; 739 break; 740 case LDAP_OPT_X_TLS_PROTOCOL_MIN: 741 *(int *)arg = lo->ldo_tls_protocol_min; 742 break; 743 case LDAP_OPT_X_TLS_PROTOCOL_MAX: 744 *(int *)arg = lo->ldo_tls_protocol_max; 745 break; 746 case LDAP_OPT_X_TLS_RANDOM_FILE: 747 *(char **)arg = lo->ldo_tls_randfile ? 748 LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL; 749 break; 750 case LDAP_OPT_X_TLS_SSL_CTX: { 751 void *retval = 0; 752 if ( ld != NULL ) { 753 LDAPConn *conn = ld->ld_defconn; 754 if ( conn != NULL ) { 755 Sockbuf *sb = conn->lconn_sb; 756 retval = ldap_pvt_tls_sb_ctx( sb ); 757 } 758 } 759 *(void **)arg = retval; 760 break; 761 } 762 case LDAP_OPT_X_TLS_CONNECT_CB: 763 *(LDAP_TLS_CONNECT_CB **)arg = lo->ldo_tls_connect_cb; 764 break; 765 case LDAP_OPT_X_TLS_CONNECT_ARG: 766 *(void **)arg = lo->ldo_tls_connect_arg; 767 break; 768 case LDAP_OPT_X_TLS_VERSION: { 769 void *sess = NULL; 770 const char *retval = NULL; 771 if ( ld != NULL ) { 772 LDAPConn *conn = ld->ld_defconn; 773 if ( conn != NULL ) { 774 Sockbuf *sb = conn->lconn_sb; 775 sess = ldap_pvt_tls_sb_ctx( sb ); 776 if ( sess != NULL ) 777 retval = ldap_pvt_tls_get_version( sess ); 778 } 779 } 780 *(char **)arg = retval ? LDAP_STRDUP( retval ) : NULL; 781 break; 782 } 783 case LDAP_OPT_X_TLS_CIPHER: { 784 void *sess = NULL; 785 const char *retval = NULL; 786 if ( ld != NULL ) { 787 LDAPConn *conn = ld->ld_defconn; 788 if ( conn != NULL ) { 789 Sockbuf *sb = conn->lconn_sb; 790 sess = ldap_pvt_tls_sb_ctx( sb ); 791 if ( sess != NULL ) 792 retval = ldap_pvt_tls_get_cipher( sess ); 793 } 794 } 795 *(char **)arg = retval ? LDAP_STRDUP( retval ) : NULL; 796 break; 797 } 798 case LDAP_OPT_X_TLS_PEERCERT: { 799 void *sess = NULL; 800 struct berval *bv = arg; 801 bv->bv_len = 0; 802 bv->bv_val = NULL; 803 if ( ld != NULL ) { 804 LDAPConn *conn = ld->ld_defconn; 805 if ( conn != NULL ) { 806 Sockbuf *sb = conn->lconn_sb; 807 sess = ldap_pvt_tls_sb_ctx( sb ); 808 if ( sess != NULL ) 809 return ldap_pvt_tls_get_peercert( sess, bv ); 810 } 811 } 812 break; 813 } 814 case LDAP_OPT_X_TLS_CACERT: { 815 struct berval *bv = arg; 816 if ( lo->ldo_tls_cacert.bv_val ) { 817 ber_dupbv( bv, &lo->ldo_tls_cacert ); 818 } else { 819 BER_BVZERO( bv ); 820 } 821 break; 822 } 823 case LDAP_OPT_X_TLS_CERT: { 824 struct berval *bv = arg; 825 if ( lo->ldo_tls_cert.bv_val ) { 826 ber_dupbv( bv, &lo->ldo_tls_cert ); 827 } else { 828 BER_BVZERO( bv ); 829 } 830 break; 831 } 832 case LDAP_OPT_X_TLS_KEY: { 833 struct berval *bv = arg; 834 if ( lo->ldo_tls_key.bv_val ) { 835 ber_dupbv( bv, &lo->ldo_tls_key ); 836 } else { 837 BER_BVZERO( bv ); 838 } 839 break; 840 } 841 842 default: 843 return -1; 844 } 845 return 0; 846 } 847 848 int 849 ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) 850 { 851 struct ldapoptions *lo; 852 853 if( ld != NULL ) { 854 assert( LDAP_VALID( ld ) ); 855 856 if( !LDAP_VALID( ld ) ) { 857 return LDAP_OPT_ERROR; 858 } 859 860 lo = &ld->ld_options; 861 862 } else { 863 /* Get pointer to global option structure */ 864 lo = LDAP_INT_GLOBAL_OPT(); 865 if ( lo == NULL ) { 866 return LDAP_NO_MEMORY; 867 } 868 } 869 870 switch( option ) { 871 case LDAP_OPT_X_TLS: 872 if ( !arg ) return -1; 873 874 switch( *(int *) arg ) { 875 case LDAP_OPT_X_TLS_NEVER: 876 case LDAP_OPT_X_TLS_DEMAND: 877 case LDAP_OPT_X_TLS_ALLOW: 878 case LDAP_OPT_X_TLS_TRY: 879 case LDAP_OPT_X_TLS_HARD: 880 if (lo != NULL) { 881 lo->ldo_tls_mode = *(int *)arg; 882 } 883 884 return 0; 885 } 886 return -1; 887 888 case LDAP_OPT_X_TLS_CTX: 889 if ( lo->ldo_tls_ctx ) 890 ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); 891 lo->ldo_tls_ctx = arg; 892 tls_ctx_ref( lo->ldo_tls_ctx ); 893 return 0; 894 case LDAP_OPT_X_TLS_CONNECT_CB: 895 lo->ldo_tls_connect_cb = (LDAP_TLS_CONNECT_CB *)arg; 896 return 0; 897 case LDAP_OPT_X_TLS_CONNECT_ARG: 898 lo->ldo_tls_connect_arg = arg; 899 return 0; 900 case LDAP_OPT_X_TLS_CACERTFILE: 901 if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile ); 902 lo->ldo_tls_cacertfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 903 return 0; 904 case LDAP_OPT_X_TLS_CACERTDIR: 905 if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir ); 906 lo->ldo_tls_cacertdir = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 907 return 0; 908 case LDAP_OPT_X_TLS_CERTFILE: 909 if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile ); 910 lo->ldo_tls_certfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 911 return 0; 912 case LDAP_OPT_X_TLS_KEYFILE: 913 if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile ); 914 lo->ldo_tls_keyfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 915 return 0; 916 case LDAP_OPT_X_TLS_DHFILE: 917 if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); 918 lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 919 return 0; 920 case LDAP_OPT_X_TLS_ECNAME: 921 if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname ); 922 lo->ldo_tls_ecname = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 923 return 0; 924 case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ 925 if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); 926 lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 927 return 0; 928 case LDAP_OPT_X_TLS_REQUIRE_CERT: 929 if ( !arg ) return -1; 930 switch( *(int *) arg ) { 931 case LDAP_OPT_X_TLS_NEVER: 932 case LDAP_OPT_X_TLS_DEMAND: 933 case LDAP_OPT_X_TLS_ALLOW: 934 case LDAP_OPT_X_TLS_TRY: 935 case LDAP_OPT_X_TLS_HARD: 936 lo->ldo_tls_require_cert = * (int *) arg; 937 return 0; 938 } 939 return -1; 940 case LDAP_OPT_X_TLS_REQUIRE_SAN: 941 if ( !arg ) return -1; 942 switch( *(int *) arg ) { 943 case LDAP_OPT_X_TLS_NEVER: 944 case LDAP_OPT_X_TLS_DEMAND: 945 case LDAP_OPT_X_TLS_ALLOW: 946 case LDAP_OPT_X_TLS_TRY: 947 case LDAP_OPT_X_TLS_HARD: 948 lo->ldo_tls_require_san = * (int *) arg; 949 return 0; 950 } 951 return -1; 952 #ifdef HAVE_OPENSSL 953 case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ 954 if ( !arg ) return -1; 955 switch( *(int *) arg ) { 956 case LDAP_OPT_X_TLS_CRL_NONE: 957 case LDAP_OPT_X_TLS_CRL_PEER: 958 case LDAP_OPT_X_TLS_CRL_ALL: 959 lo->ldo_tls_crlcheck = * (int *) arg; 960 return 0; 961 } 962 return -1; 963 #endif 964 case LDAP_OPT_X_TLS_CIPHER_SUITE: 965 if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite ); 966 lo->ldo_tls_ciphersuite = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 967 return 0; 968 969 case LDAP_OPT_X_TLS_PROTOCOL_MIN: 970 if ( !arg ) return -1; 971 lo->ldo_tls_protocol_min = *(int *)arg; 972 return 0; 973 case LDAP_OPT_X_TLS_PROTOCOL_MAX: 974 if ( !arg ) return -1; 975 lo->ldo_tls_protocol_max = *(int *)arg; 976 return 0; 977 case LDAP_OPT_X_TLS_RANDOM_FILE: 978 if ( ld != NULL ) 979 return -1; 980 if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile ); 981 lo->ldo_tls_randfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; 982 break; 983 case LDAP_OPT_X_TLS_NEWCTX: 984 if ( !arg ) return -1; 985 if ( lo->ldo_tls_ctx ) 986 ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); 987 lo->ldo_tls_ctx = NULL; 988 return ldap_int_tls_init_ctx( lo, *(int *)arg ); 989 case LDAP_OPT_X_TLS_CACERT: 990 if ( lo->ldo_tls_cacert.bv_val ) 991 LDAP_FREE( lo->ldo_tls_cacert.bv_val ); 992 if ( arg ) { 993 lo->ldo_tls_cacert.bv_len = ((struct berval *)arg)->bv_len; 994 lo->ldo_tls_cacert.bv_val = LDAP_MALLOC( lo->ldo_tls_cacert.bv_len ); 995 if ( !lo->ldo_tls_cacert.bv_val ) 996 return -1; 997 AC_MEMCPY( lo->ldo_tls_cacert.bv_val, ((struct berval *)arg)->bv_val, lo->ldo_tls_cacert.bv_len ); 998 } else { 999 BER_BVZERO( &lo->ldo_tls_cacert ); 1000 } 1001 break; 1002 case LDAP_OPT_X_TLS_CERT: 1003 if ( lo->ldo_tls_cert.bv_val ) 1004 LDAP_FREE( lo->ldo_tls_cert.bv_val ); 1005 if ( arg ) { 1006 lo->ldo_tls_cert.bv_len = ((struct berval *)arg)->bv_len; 1007 lo->ldo_tls_cert.bv_val = LDAP_MALLOC( lo->ldo_tls_cert.bv_len ); 1008 if ( !lo->ldo_tls_cert.bv_val ) 1009 return -1; 1010 AC_MEMCPY( lo->ldo_tls_cert.bv_val, ((struct berval *)arg)->bv_val, lo->ldo_tls_cert.bv_len ); 1011 } else { 1012 BER_BVZERO( &lo->ldo_tls_cert ); 1013 } 1014 break; 1015 case LDAP_OPT_X_TLS_KEY: 1016 if ( lo->ldo_tls_key.bv_val ) 1017 LDAP_FREE( lo->ldo_tls_key.bv_val ); 1018 if ( arg ) { 1019 lo->ldo_tls_key.bv_len = ((struct berval *)arg)->bv_len; 1020 lo->ldo_tls_key.bv_val = LDAP_MALLOC( lo->ldo_tls_key.bv_len ); 1021 if ( !lo->ldo_tls_key.bv_val ) 1022 return -1; 1023 AC_MEMCPY( lo->ldo_tls_key.bv_val, ((struct berval *)arg)->bv_val, lo->ldo_tls_key.bv_len ); 1024 } else { 1025 BER_BVZERO( &lo->ldo_tls_key ); 1026 } 1027 break; 1028 case LDAP_OPT_X_TLS_PEERKEY_HASH: { 1029 /* arg = "[hashalg:]pubkey_hash" */ 1030 struct berval bv; 1031 char *p, *pin = arg; 1032 int rc = LDAP_SUCCESS; 1033 1034 if ( !tls_imp->ti_session_pinning ) return -1; 1035 1036 if ( !pin || !*pin ) { 1037 if ( lo->ldo_tls_pin_hashalg ) { 1038 LDAP_FREE( lo->ldo_tls_pin_hashalg ); 1039 } else if ( lo->ldo_tls_pin.bv_val ) { 1040 LDAP_FREE( lo->ldo_tls_pin.bv_val ); 1041 } 1042 lo->ldo_tls_pin_hashalg = NULL; 1043 BER_BVZERO( &lo->ldo_tls_pin ); 1044 return rc; 1045 } 1046 1047 pin = LDAP_STRDUP( pin ); 1048 p = strchr( pin, ':' ); 1049 1050 /* pubkey (its hash) goes in bv, alg in p */ 1051 if ( p ) { 1052 *p = '\0'; 1053 bv.bv_val = p+1; 1054 p = pin; 1055 } else { 1056 bv.bv_val = pin; 1057 } 1058 1059 bv.bv_len = strlen(bv.bv_val); 1060 if ( ldap_int_decode_b64_inplace( &bv ) ) { 1061 LDAP_FREE( pin ); 1062 return -1; 1063 } 1064 1065 if ( ld != NULL ) { 1066 LDAPConn *conn = ld->ld_defconn; 1067 if ( conn != NULL ) { 1068 Sockbuf *sb = conn->lconn_sb; 1069 void *sess = ldap_pvt_tls_sb_ctx( sb ); 1070 if ( sess != NULL ) { 1071 rc = tls_imp->ti_session_pinning( ld, sess, p, &bv ); 1072 } 1073 } 1074 } 1075 1076 if ( rc == LDAP_SUCCESS ) { 1077 if ( lo->ldo_tls_pin_hashalg ) { 1078 LDAP_FREE( lo->ldo_tls_pin_hashalg ); 1079 } else if ( lo->ldo_tls_pin.bv_val ) { 1080 LDAP_FREE( lo->ldo_tls_pin.bv_val ); 1081 } 1082 lo->ldo_tls_pin_hashalg = p; 1083 lo->ldo_tls_pin = bv; 1084 } else { 1085 LDAP_FREE( pin ); 1086 } 1087 1088 return rc; 1089 } 1090 default: 1091 return -1; 1092 } 1093 return 0; 1094 } 1095 1096 int 1097 ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) 1098 { 1099 Sockbuf *sb; 1100 char *host; 1101 void *ssl; 1102 int ret, async; 1103 struct timeval start_time_tv, tv, tv0; 1104 ber_socket_t sd = AC_SOCKET_ERROR; 1105 1106 if ( !conn ) 1107 return LDAP_PARAM_ERROR; 1108 1109 sb = conn->lconn_sb; 1110 if( srv ) { 1111 host = srv->lud_host; 1112 } else { 1113 host = conn->lconn_server->lud_host; 1114 } 1115 1116 /* avoid NULL host */ 1117 if( host == NULL ) { 1118 host = "localhost"; 1119 } 1120 1121 (void) tls_init( tls_imp, 0 ); 1122 1123 /* 1124 * Use non-blocking io during SSL Handshake when a timeout is configured 1125 */ 1126 async = LDAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC ); 1127 if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { 1128 if ( !async ) { 1129 /* if async, this has already been set */ 1130 ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); 1131 } 1132 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd ); 1133 tv = ld->ld_options.ldo_tm_net; 1134 tv0 = tv; 1135 #ifdef HAVE_GETTIMEOFDAY 1136 gettimeofday( &start_time_tv, NULL ); 1137 #else /* ! HAVE_GETTIMEOFDAY */ 1138 time( &start_time_tv.tv_sec ); 1139 start_time_tv.tv_usec = 0; 1140 #endif /* ! HAVE_GETTIMEOFDAY */ 1141 } 1142 1143 ld->ld_errno = LDAP_SUCCESS; 1144 ret = ldap_int_tls_connect( ld, conn, host ); 1145 1146 /* this mainly only happens for non-blocking io 1147 * but can also happen when the handshake is too 1148 * big for a single network message. 1149 */ 1150 while ( ret > 0 ) { 1151 if ( async ) { 1152 struct timeval curr_time_tv, delta_tv; 1153 int wr=0; 1154 1155 if ( sb->sb_trans_needs_read ) { 1156 wr=0; 1157 } else if ( sb->sb_trans_needs_write ) { 1158 wr=1; 1159 } 1160 Debug1( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ldap_int_tls_connect needs %s\n", 1161 wr ? "write": "read" ); 1162 1163 /* This is mostly copied from result.c:wait4msg(), should 1164 * probably be moved into a separate function */ 1165 #ifdef HAVE_GETTIMEOFDAY 1166 gettimeofday( &curr_time_tv, NULL ); 1167 #else /* ! HAVE_GETTIMEOFDAY */ 1168 time( &curr_time_tv.tv_sec ); 1169 curr_time_tv.tv_usec = 0; 1170 #endif /* ! HAVE_GETTIMEOFDAY */ 1171 1172 /* delta = curr - start */ 1173 delta_tv.tv_sec = curr_time_tv.tv_sec - start_time_tv.tv_sec; 1174 delta_tv.tv_usec = curr_time_tv.tv_usec - start_time_tv.tv_usec; 1175 if ( delta_tv.tv_usec < 0 ) { 1176 delta_tv.tv_sec--; 1177 delta_tv.tv_usec += 1000000; 1178 } 1179 1180 /* tv0 < delta ? */ 1181 if ( ( tv0.tv_sec < delta_tv.tv_sec ) || 1182 ( ( tv0.tv_sec == delta_tv.tv_sec ) && 1183 ( tv0.tv_usec < delta_tv.tv_usec ) ) ) 1184 { 1185 ret = -1; 1186 ld->ld_errno = LDAP_TIMEOUT; 1187 break; 1188 } 1189 /* timeout -= delta_time */ 1190 tv0.tv_sec -= delta_tv.tv_sec; 1191 tv0.tv_usec -= delta_tv.tv_usec; 1192 if ( tv0.tv_usec < 0 ) { 1193 tv0.tv_sec--; 1194 tv0.tv_usec += 1000000; 1195 } 1196 start_time_tv.tv_sec = curr_time_tv.tv_sec; 1197 start_time_tv.tv_usec = curr_time_tv.tv_usec; 1198 tv = tv0; 1199 Debug3( LDAP_DEBUG_TRACE, "ldap_int_tls_start: ld %p %ld s %ld us to go\n", 1200 (void *)ld, (long) tv.tv_sec, (long) tv.tv_usec ); 1201 ret = ldap_int_poll( ld, sd, &tv, wr); 1202 if ( ret < 0 ) { 1203 ld->ld_errno = LDAP_TIMEOUT; 1204 break; 1205 } 1206 } 1207 ret = ldap_int_tls_connect( ld, conn, host ); 1208 } 1209 1210 if ( ret < 0 ) { 1211 if ( ld->ld_errno == LDAP_SUCCESS ) 1212 ld->ld_errno = LDAP_CONNECT_ERROR; 1213 return (ld->ld_errno); 1214 } 1215 1216 return LDAP_SUCCESS; 1217 } 1218 1219 void * 1220 ldap_pvt_tls_sb_ctx( Sockbuf *sb ) 1221 { 1222 void *p = NULL; 1223 1224 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&p ); 1225 return p; 1226 } 1227 1228 int 1229 ldap_pvt_tls_get_strength( void *s ) 1230 { 1231 tls_session *session = s; 1232 1233 return tls_imp->ti_session_strength( session ); 1234 } 1235 1236 int 1237 ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func, unsigned flags ) 1238 { 1239 tls_session *session = s; 1240 struct berval der_dn; 1241 int rc; 1242 1243 rc = tls_imp->ti_session_my_dn( session, &der_dn ); 1244 if ( rc == LDAP_SUCCESS ) 1245 rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags ); 1246 return rc; 1247 } 1248 1249 int 1250 ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server ) 1251 { 1252 tls_session *session = s; 1253 return tls_imp->ti_session_unique( session, buf, is_server ); 1254 } 1255 1256 int 1257 ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server ) 1258 { 1259 tls_session *session = s; 1260 return tls_imp->ti_session_endpoint( session, buf, is_server ); 1261 } 1262 1263 const char * 1264 ldap_pvt_tls_get_version( void *s ) 1265 { 1266 tls_session *session = s; 1267 return tls_imp->ti_session_version( session ); 1268 } 1269 1270 const char * 1271 ldap_pvt_tls_get_cipher( void *s ) 1272 { 1273 tls_session *session = s; 1274 return tls_imp->ti_session_cipher( session ); 1275 } 1276 1277 int 1278 ldap_pvt_tls_get_peercert( void *s, struct berval *der ) 1279 { 1280 tls_session *session = s; 1281 return tls_imp->ti_session_peercert( session, der ); 1282 } 1283 #endif /* HAVE_TLS */ 1284 1285 int 1286 ldap_start_tls( LDAP *ld, 1287 LDAPControl **serverctrls, 1288 LDAPControl **clientctrls, 1289 int *msgidp ) 1290 { 1291 return ldap_extended_operation( ld, LDAP_EXOP_START_TLS, 1292 NULL, serverctrls, clientctrls, msgidp ); 1293 } 1294 1295 int 1296 ldap_install_tls( LDAP *ld ) 1297 { 1298 #ifndef HAVE_TLS 1299 return LDAP_NOT_SUPPORTED; 1300 #else 1301 if ( ldap_tls_inplace( ld ) ) { 1302 return LDAP_LOCAL_ERROR; 1303 } 1304 1305 return ldap_int_tls_start( ld, ld->ld_defconn, NULL ); 1306 #endif 1307 } 1308 1309 int 1310 ldap_start_tls_s ( LDAP *ld, 1311 LDAPControl **serverctrls, 1312 LDAPControl **clientctrls ) 1313 { 1314 #ifndef HAVE_TLS 1315 return LDAP_NOT_SUPPORTED; 1316 #else 1317 int rc; 1318 char *rspoid = NULL; 1319 struct berval *rspdata = NULL; 1320 1321 /* XXYYZ: this initiates operation only on default connection! */ 1322 1323 if ( ldap_tls_inplace( ld ) ) { 1324 return LDAP_LOCAL_ERROR; 1325 } 1326 1327 rc = ldap_extended_operation_s( ld, LDAP_EXOP_START_TLS, 1328 NULL, serverctrls, clientctrls, &rspoid, &rspdata ); 1329 1330 if ( rspoid != NULL ) { 1331 LDAP_FREE(rspoid); 1332 } 1333 1334 if ( rspdata != NULL ) { 1335 ber_bvfree( rspdata ); 1336 } 1337 1338 if ( rc == LDAP_SUCCESS ) { 1339 rc = ldap_int_tls_start( ld, ld->ld_defconn, NULL ); 1340 } 1341 1342 return rc; 1343 #endif 1344 } 1345 1346 /* These tags probably all belong in lber.h, but they're 1347 * not normally encountered when processing LDAP, so maybe 1348 * they belong somewhere else instead. 1349 */ 1350 1351 #define LBER_TAG_OID ((ber_tag_t) 0x06UL) 1352 1353 /* Tags for string types used in a DirectoryString. 1354 * 1355 * Note that IA5string is not one of the defined choices for 1356 * DirectoryString in X.520, but it gets used for email AVAs. 1357 */ 1358 #define LBER_TAG_UTF8 ((ber_tag_t) 0x0cUL) 1359 #define LBER_TAG_PRINTABLE ((ber_tag_t) 0x13UL) 1360 #define LBER_TAG_TELETEX ((ber_tag_t) 0x14UL) 1361 #define LBER_TAG_IA5 ((ber_tag_t) 0x16UL) 1362 #define LBER_TAG_UNIVERSAL ((ber_tag_t) 0x1cUL) 1363 #define LBER_TAG_BMP ((ber_tag_t) 0x1eUL) 1364 1365 static oid_name * 1366 find_oid( struct berval *oid ) 1367 { 1368 int i; 1369 1370 for ( i=0; !BER_BVISNULL( &oids[i].oid ); i++ ) { 1371 if ( oids[i].oid.bv_len != oid->bv_len ) continue; 1372 if ( !strcmp( oids[i].oid.bv_val, oid->bv_val )) 1373 return &oids[i]; 1374 } 1375 return NULL; 1376 } 1377 1378 /* Converts BER Bitstring value to LDAP BitString value (RFC4517) 1379 * 1380 * berValue : IN 1381 * rfc4517Value: OUT 1382 * 1383 * berValue and ldapValue should not be NULL 1384 */ 1385 1386 #define BITS_PER_BYTE 8 1387 #define SQUOTE_LENGTH 1 1388 #define B_CHAR_LENGTH 1 1389 #define STR_OVERHEAD (2*SQUOTE_LENGTH + B_CHAR_LENGTH) 1390 1391 static int 1392 der_to_ldap_BitString (struct berval *berValue, 1393 struct berval *ldapValue) 1394 { 1395 ber_len_t bitPadding=0; 1396 ber_len_t bits, maxBits; 1397 char *tmpStr; 1398 unsigned char byte; 1399 ber_len_t bitLength; 1400 ber_len_t valLen; 1401 unsigned char* valPtr; 1402 1403 ldapValue->bv_len=0; 1404 ldapValue->bv_val=NULL; 1405 1406 /* Gets padding and points to binary data */ 1407 valLen=berValue->bv_len; 1408 valPtr=(unsigned char*)berValue->bv_val; 1409 if (valLen) { 1410 bitPadding=(ber_len_t)(valPtr[0]); 1411 valLen--; 1412 valPtr++; 1413 } 1414 /* If Block is non DER encoding fixes to DER encoding */ 1415 if (bitPadding >= BITS_PER_BYTE) { 1416 if (valLen*BITS_PER_BYTE > bitPadding ) { 1417 valLen-=(bitPadding/BITS_PER_BYTE); 1418 bitPadding%=BITS_PER_BYTE; 1419 } else { 1420 valLen=0; 1421 bitPadding=0; 1422 } 1423 } 1424 /* Just in case bad encoding */ 1425 if (valLen*BITS_PER_BYTE < bitPadding ) { 1426 bitPadding=0; 1427 valLen=0; 1428 } 1429 1430 /* Gets buffer to hold RFC4517 Bit String format */ 1431 bitLength=valLen*BITS_PER_BYTE-bitPadding; 1432 tmpStr=LDAP_MALLOC(bitLength + STR_OVERHEAD + 1); 1433 1434 if (!tmpStr) 1435 return LDAP_NO_MEMORY; 1436 1437 ldapValue->bv_val=tmpStr; 1438 ldapValue->bv_len=bitLength + STR_OVERHEAD; 1439 1440 /* Formatting in '*binary-digit'B format */ 1441 maxBits=BITS_PER_BYTE; 1442 *tmpStr++ ='\''; 1443 while(valLen) { 1444 byte=*valPtr; 1445 if (valLen==1) 1446 maxBits-=bitPadding; 1447 for (bits=0; bits<maxBits; bits++) { 1448 if (0x80 & byte) 1449 *tmpStr='1'; 1450 else 1451 *tmpStr='0'; 1452 tmpStr++; 1453 byte<<=1; 1454 } 1455 valPtr++; 1456 valLen--; 1457 } 1458 *tmpStr++ ='\''; 1459 *tmpStr++ ='B'; 1460 *tmpStr=0; 1461 1462 return LDAP_SUCCESS; 1463 } 1464 1465 /* Convert a structured DN from an X.509 certificate into an LDAPV3 DN. 1466 * x509_name must be raw DER. If func is non-NULL, the 1467 * constructed DN will use numeric OIDs to identify attributeTypes, 1468 * and the func() will be invoked to rewrite the DN with the given 1469 * flags. 1470 * 1471 * Otherwise the DN will use shortNames from a hardcoded table. 1472 */ 1473 int 1474 ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func, 1475 unsigned flags ) 1476 { 1477 LDAPDN newDN; 1478 LDAPRDN newRDN; 1479 LDAPAVA *newAVA, *baseAVA; 1480 BerElementBuffer berbuf; 1481 BerElement *ber = (BerElement *)&berbuf; 1482 char oids[8192], *oidptr = oids, *oidbuf = NULL; 1483 void *ptrs[2048]; 1484 char *dn_end, *rdn_end; 1485 int i, navas, nrdns, rc = LDAP_SUCCESS; 1486 size_t dnsize, oidrem = sizeof(oids), oidsize = 0; 1487 int csize; 1488 ber_tag_t tag; 1489 ber_len_t len; 1490 oid_name *oidname; 1491 1492 struct berval Oid, Val, oid2, *in = x509_name; 1493 1494 assert( bv != NULL ); 1495 1496 bv->bv_len = 0; 1497 bv->bv_val = NULL; 1498 1499 navas = 0; 1500 nrdns = 0; 1501 1502 /* A DN is a SEQUENCE of RDNs. An RDN is a SET of AVAs. 1503 * An AVA is a SEQUENCE of attr and value. 1504 * Count the number of AVAs and RDNs 1505 */ 1506 ber_init2( ber, in, LBER_USE_DER ); 1507 tag = ber_peek_tag( ber, &len ); 1508 if ( tag != LBER_SEQUENCE ) 1509 return LDAP_DECODING_ERROR; 1510 1511 for ( tag = ber_first_element( ber, &len, &dn_end ); 1512 tag == LBER_SET; 1513 tag = ber_next_element( ber, &len, dn_end )) { 1514 nrdns++; 1515 for ( tag = ber_first_element( ber, &len, &rdn_end ); 1516 tag == LBER_SEQUENCE; 1517 tag = ber_next_element( ber, &len, rdn_end )) { 1518 if ( rdn_end > dn_end ) 1519 return LDAP_DECODING_ERROR; 1520 tag = ber_skip_tag( ber, &len ); 1521 ber_skip_data( ber, len ); 1522 navas++; 1523 } 1524 } 1525 1526 /* Rewind and prepare to extract */ 1527 ber_rewind( ber ); 1528 tag = ber_first_element( ber, &len, &dn_end ); 1529 if ( tag != LBER_SET ) 1530 return LDAP_DECODING_ERROR; 1531 1532 /* Allocate the DN/RDN/AVA stuff as a single block */ 1533 dnsize = sizeof(LDAPRDN) * (nrdns+1); 1534 dnsize += sizeof(LDAPAVA *) * (navas+nrdns); 1535 dnsize += sizeof(LDAPAVA) * navas; 1536 if (dnsize > sizeof(ptrs)) { 1537 newDN = (LDAPDN)LDAP_MALLOC( dnsize ); 1538 if ( newDN == NULL ) 1539 return LDAP_NO_MEMORY; 1540 } else { 1541 newDN = (LDAPDN)(char *)ptrs; 1542 } 1543 1544 newDN[nrdns] = NULL; 1545 newRDN = (LDAPRDN)(newDN + nrdns+1); 1546 newAVA = (LDAPAVA *)(newRDN + navas + nrdns); 1547 baseAVA = newAVA; 1548 1549 for ( i = nrdns - 1; i >= 0; i-- ) { 1550 newDN[i] = newRDN; 1551 1552 for ( tag = ber_first_element( ber, &len, &rdn_end ); 1553 tag == LBER_SEQUENCE; 1554 tag = ber_next_element( ber, &len, rdn_end )) { 1555 1556 *newRDN++ = newAVA; 1557 tag = ber_skip_tag( ber, &len ); 1558 tag = ber_get_stringbv( ber, &Oid, LBER_BV_NOTERM ); 1559 if ( tag != LBER_TAG_OID ) { 1560 rc = LDAP_DECODING_ERROR; 1561 goto nomem; 1562 } 1563 1564 oid2.bv_val = oidptr; 1565 oid2.bv_len = oidrem; 1566 if ( ber_decode_oid( &Oid, &oid2 ) < 0 ) { 1567 rc = LDAP_DECODING_ERROR; 1568 goto nomem; 1569 } 1570 oidname = find_oid( &oid2 ); 1571 if ( !oidname ) { 1572 newAVA->la_attr = oid2; 1573 oidptr += oid2.bv_len + 1; 1574 oidrem -= oid2.bv_len + 1; 1575 1576 /* Running out of OID buffer space? */ 1577 if (oidrem < 128) { 1578 if ( oidsize == 0 ) { 1579 oidsize = sizeof(oids) * 2; 1580 oidrem = oidsize; 1581 oidbuf = LDAP_MALLOC( oidsize ); 1582 if ( oidbuf == NULL ) goto nomem; 1583 oidptr = oidbuf; 1584 } else { 1585 char *old = oidbuf; 1586 oidbuf = LDAP_REALLOC( oidbuf, oidsize*2 ); 1587 if ( oidbuf == NULL ) goto nomem; 1588 /* Buffer moved! Fix AVA pointers */ 1589 if ( old != oidbuf ) { 1590 LDAPAVA *a; 1591 long dif = oidbuf - old; 1592 1593 for (a=baseAVA; a<=newAVA; a++){ 1594 if (a->la_attr.bv_val >= old && 1595 a->la_attr.bv_val <= (old + oidsize)) 1596 a->la_attr.bv_val += dif; 1597 } 1598 } 1599 oidptr = oidbuf + oidsize - oidrem; 1600 oidrem += oidsize; 1601 oidsize *= 2; 1602 } 1603 } 1604 } else { 1605 if ( func ) { 1606 newAVA->la_attr = oidname->oid; 1607 } else { 1608 newAVA->la_attr = oidname->name; 1609 } 1610 } 1611 newAVA->la_private = NULL; 1612 newAVA->la_flags = LDAP_AVA_STRING; 1613 tag = ber_get_stringbv( ber, &Val, LBER_BV_NOTERM ); 1614 switch(tag) { 1615 case LBER_TAG_UNIVERSAL: 1616 /* This uses 32-bit ISO 10646-1 */ 1617 csize = 4; goto to_utf8; 1618 case LBER_TAG_BMP: 1619 /* This uses 16-bit ISO 10646-1 */ 1620 csize = 2; goto to_utf8; 1621 case LBER_TAG_TELETEX: 1622 /* This uses 8-bit, assume ISO 8859-1 */ 1623 csize = 1; 1624 to_utf8: rc = ldap_ucs_to_utf8s( &Val, csize, &newAVA->la_value ); 1625 newAVA->la_flags |= LDAP_AVA_NONPRINTABLE; 1626 allocd: 1627 newAVA->la_flags |= LDAP_AVA_FREE_VALUE; 1628 if (rc != LDAP_SUCCESS) goto nomem; 1629 break; 1630 case LBER_TAG_UTF8: 1631 newAVA->la_flags |= LDAP_AVA_NONPRINTABLE; 1632 /* This is already in UTF-8 encoding */ 1633 case LBER_TAG_IA5: 1634 case LBER_TAG_PRINTABLE: 1635 /* These are always 7-bit strings */ 1636 newAVA->la_value = Val; 1637 break; 1638 case LBER_BITSTRING: 1639 /* X.690 bitString value converted to RFC4517 Bit String */ 1640 rc = der_to_ldap_BitString( &Val, &newAVA->la_value ); 1641 goto allocd; 1642 case LBER_DEFAULT: 1643 /* decode error */ 1644 rc = LDAP_DECODING_ERROR; 1645 goto nomem; 1646 default: 1647 /* Not a string type at all */ 1648 newAVA->la_flags = 0; 1649 newAVA->la_value = Val; 1650 break; 1651 } 1652 newAVA++; 1653 } 1654 *newRDN++ = NULL; 1655 tag = ber_next_element( ber, &len, dn_end ); 1656 } 1657 1658 if ( func ) { 1659 rc = func( newDN, flags, NULL ); 1660 if ( rc != LDAP_SUCCESS ) 1661 goto nomem; 1662 } 1663 1664 rc = ldap_dn2bv_x( newDN, bv, LDAP_DN_FORMAT_LDAPV3, NULL ); 1665 1666 nomem: 1667 for (;baseAVA < newAVA; baseAVA++) { 1668 if (baseAVA->la_flags & LDAP_AVA_FREE_ATTR) 1669 LDAP_FREE( baseAVA->la_attr.bv_val ); 1670 if (baseAVA->la_flags & LDAP_AVA_FREE_VALUE) 1671 LDAP_FREE( baseAVA->la_value.bv_val ); 1672 } 1673 1674 if ( oidsize != 0 ) 1675 LDAP_FREE( oidbuf ); 1676 if ( newDN != (LDAPDN)(char *) ptrs ) 1677 LDAP_FREE( newDN ); 1678 return rc; 1679 } 1680 1681