search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
8322 nl: misleading-indentation
[unleashed/tickless.git] / usr / src / lib / libldap5 / sources / ldap / ssldap / ldapsinit.c
blob795b727ff209dac54c944d73520b0c42ee32a64a
1 /*
2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * The contents of this file are subject to the Netscape Public
8 * License Version 1.1 (the "License"); you may not use this file
9 * except in compliance with the License. You may obtain a copy of
10 * the License at http://www.mozilla.org/NPL/
11 *
12 * Software distributed under the License is distributed on an "AS
13 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
14 * implied. See the License for the specific language governing
15 * rights and limitations under the License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is Netscape
21 * Communications Corporation. Portions created by Netscape are
22 * Copyright (C) 1998-1999 Netscape Communications Corporation. All
23 * Rights Reserved.
24 *
25 * Contributor(s):
26 */
27
28 #pragma ident "%Z%%M% %I% %E% SMI"
29
30 /*
31 * ldapsinit.c
32 */
33
34 #if defined(NET_SSL)
35
36 #if defined( _WINDOWS )
37 #include <windows.h>
38 #endif
39
40 /* XXX:mhein The following is a workaround for the redefinition of */
41 /* const problem on OSF. Fix to be provided by NSS */
42 /* This is a pretty benign workaround for us which */
43 /* should not cause problems in the future even if */
44 /* we forget to take it out :-) */
45
46 #ifdef OSF1V4D
47 #ifndef __STDC__
48 # define __STDC__
49 #endif /* __STDC__ */
50 #endif /* OSF1V4D */
51
52 #include <errno.h>
53 #include <nspr.h>
54 #include <cert.h>
55 #include <key.h>
56 #include <ssl.h>
57 #include <sslproto.h>
58 #include <sslerr.h>
59 #include <prnetdb.h>
60
61 #include <ldap.h>
62
63 #include <ldappr.h>
64 #include <pk11func.h>
65
66 #ifdef _SOLARIS_SDK
67 #include "solaris-int.h"
68 #include <libintl.h>
69 #include <syslog.h>
70 #include <nsswitch.h>
71 #include <synch.h>
72 #include <nss_dbdefs.h>
73 #include <netinet/in.h>
74
75 #define HOST_BUF_SIZE 2048
76
77 #ifndef INADDR_NONE
78 #define INADDR_NONE (-1)
79 #endif
80
81 extern int
82 str2hostent(const char *instr, int lenstr, void *ent, char *buffer,
83 int buflen);
84
85 extern int
86 str2hostent6(const char *instr, int lenstr, void *ent, char *buffer,
87 int buflen);
88
89 extern LDAPHostEnt *
90 _ns_gethostbyaddr(LDAP *ld, const char *addr, int length, int type,
91 LDAPHostEnt *result, char *buffer, int buflen, int *statusp,
92 void *extradata);
93
94 static char *host_service = NULL;
95
96 static DEFINE_NSS_DB_ROOT(db_root_hosts);
97 static DEFINE_NSS_DB_ROOT(db_root_ipnodes);
98 #endif
99
100 /*
101 * Data structure to hold the standard NSPR I/O function pointers set by
102 * libprldap. We save them in our session data structure so we can call
103 * them from our own I/O functions (we add functionality to support SSL
104 * while using libprldap's functions as much as possible).
105 */
106 typedef struct ldapssl_std_functions {
107 LDAP_X_EXTIOF_CLOSE_CALLBACK *lssf_close_fn;
108 LDAP_X_EXTIOF_CONNECT_CALLBACK *lssf_connect_fn;
109 LDAP_X_EXTIOF_DISPOSEHANDLE_CALLBACK *lssf_disposehdl_fn;
110 } LDAPSSLStdFunctions;
111
112
113
114 /*
115 * LDAP session data structure.
116 */
117 typedef struct ldapssl_session_info {
118 int lssei_using_pcks_fns;
119 int lssei_ssl_strength;
120 char *lssei_certnickname;
121 char *lssei_keypasswd;
122 LDAPSSLStdFunctions lssei_std_functions;
123 CERTCertDBHandle *lssei_certdbh;
124 #ifdef _SOLARIS_SDK
125 /*
126 * This is a hack.
127 * ld is used so that we can use libldap's gethostbyaddr
128 * resolver. This is needed to prevent recursion with libsldap.
129 */
130 LDAP *ld;
131 #endif /* _SOLARIS_SDK */
132 } LDAPSSLSessionInfo;
133
134
135 /*
136 * LDAP socket data structure.
137 */
138 typedef struct ldapssl_socket_info {
139 LDAPSSLSessionInfo *soi_sessioninfo; /* session info */
140 } LDAPSSLSocketInfo;
141
142
143 /*
144 * XXXceb This is a hack until the new IO functions are done.
145 * this function MUST be called before ldap_enable_clienauth.
146 * right now, this function is called in ldapssl_pkcs_init();
147 */
148
149 static int using_pkcs_functions = 0;
150
151 void set_using_pkcs_functions( int val )
152 {
153 using_pkcs_functions = val;
154 }
155
156
157 /*
158 * Utility functions:
159 */
160 static void ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp );
161 static void ldapssl_free_socket_info( LDAPSSLSocketInfo **soipp );
162
163
164 /*
165 * SSL Stuff
166 */
167
168 static int ldapssl_AuthCertificate(void *sessionarg, PRFileDesc *fd,
169 PRBool checkSig, PRBool isServer);
170
171 /*
172 * client auth stuff
173 */
174 static int get_clientauth_data( void *sessionarg, PRFileDesc *prfd,
175 CERTDistNames *caNames, CERTCertificate **pRetCert,
176 SECKEYPrivateKey **pRetKey );
177 static int get_keyandcert( LDAPSSLSessionInfo *ssip,
178 CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey,
179 char **errmsgp );
180 static int check_clientauth_nicknames_and_passwd( LDAP *ld,
181 LDAPSSLSessionInfo *ssip );
182 static char *get_keypassword( PK11SlotInfo *slot, PRBool retry,
183 void *sessionarg );
184
185 /*
186 * Static variables.
187 */
188 #ifdef _SOLARIS_SDK
189 static int default_ssl_strength = LDAPSSL_AUTH_CNCHECK;
190 #else
191 static int default_ssl_strength = LDAPSSL_AUTH_CERT;
192 #endif
193
194 /*
195 * Like ldap_init(), except also install I/O routines from libsec so we
196 * can support SSL. If defsecure is non-zero, SSL is enabled for the
197 * default connection as well.
198 */
199 LDAP *
200 LDAP_CALL
201 ldapssl_init( const char *defhost, int defport, int defsecure )
202 {
203 LDAP *ld;
204
205
206 #ifndef LDAP_SSLIO_HOOKS
207 return( NULL );
208 #else
209 if (0 ==defport)
210 defport = LDAPS_PORT;
211
212 if (( ld = ldap_init( defhost, defport )) == NULL ) {
213 return( NULL );
214 }
215
216 if ( ldapssl_install_routines( ld ) < 0 || ldap_set_option( ld,
217 LDAP_OPT_SSL, defsecure ? LDAP_OPT_ON : LDAP_OPT_OFF ) != 0 ) {
218 PR_SetError( PR_UNKNOWN_ERROR, EINVAL ); /* XXXmcs: just a guess! */
219 ldap_unbind( ld );
220 return( NULL );
221 }
222
223 return( ld );
224 #endif
225 }
226
227
228 static int
229 ldapssl_close(int s, struct lextiof_socket_private *socketarg)
230 {
231 PRLDAPSocketInfo soi;
232 LDAPSSLSocketInfo *ssoip;
233 LDAPSSLSessionInfo *sseip;
234
235 memset( &soi, 0, sizeof(soi));
236 soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
237 if ( prldap_get_socket_info( s, socketarg, &soi ) != LDAP_SUCCESS ) {
238 return( -1 );
239 }
240
241 ssoip = (LDAPSSLSocketInfo *)soi.soinfo_appdata;
242 sseip = ssoip->soi_sessioninfo;
243
244 ldapssl_free_socket_info( (LDAPSSLSocketInfo **)&soi.soinfo_appdata );
245
246 return( (*(sseip->lssei_std_functions.lssf_close_fn))( s, socketarg ));
247 }
248
249 static int
250 do_ldapssl_connect(const char *hostlist, int defport, int timeout,
251 unsigned long options, struct lextiof_session_private *sessionarg,
252 struct lextiof_socket_private **socketargp, int clientauth )
253 {
254 int intfd = -1;
255 PRBool secure;
256 PRLDAPSessionInfo sei;
257 PRLDAPSocketInfo soi;
258 LDAPSSLSocketInfo *ssoip = NULL;
259 LDAPSSLSessionInfo *sseip;
260 PRFileDesc *sslfd = NULL;
261 #ifdef _SOLARIS_SDK
262 int port;
263 int parse_err;
264 char *host = NULL;
265 char *name;
266 struct ldap_x_hostlist_status
267 *status = NULL;
268 in_addr_t addr_ipv4;
269 in6_addr_t addr_ipv6;
270 char *host_buf;
271 LDAPHostEnt *hent;
272 LDAPHostEnt host_ent;
273 int stat;
274 int type;
275 #endif /* _SOLARIS_SDK */
276
277 /*
278 * Determine if secure option is set. Also, clear secure bit in options
279 * the we pass to the standard connect() function (since it doesn't know
280 * how to handle the secure option).
281 */
282 if ( 0 != ( options & LDAP_X_EXTIOF_OPT_SECURE )) {
283 secure = PR_TRUE;
284 options &= ~LDAP_X_EXTIOF_OPT_SECURE;
285 } else {
286 secure = PR_FALSE;
287 }
288
289 /*
290 * Retrieve session info. so we can store a pointer to our session info.
291 * in our socket info. later.
292 */
293 memset( &sei, 0, sizeof(sei));
294 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
295 if ( prldap_get_session_info( NULL, sessionarg, &sei ) != LDAP_SUCCESS ) {
296 return( -1 );
297 }
298 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
299
300 /*
301 * Call the standard connect() callback to make the TCP connection.
302 * If it succeeds, *socketargp is set.
303 */
304
305 intfd = (*(sseip->lssei_std_functions.lssf_connect_fn))( hostlist, defport,
306 timeout, options, sessionarg, socketargp
307 #ifdef _SOLARIS_SDK
308 , &host );
309 #else
310 );
311 #endif /* _SOLARIS_SDK */
312
313 if ( intfd < 0 ) {
314 return( intfd );
315 }
316
317 #ifdef _SOLARIS_SDK
318 /*
319 * Determine if the "host name" is an ip address. If so,
320 * we must look up the actual host name corresponding to
321 * it.
322 */
323 if ( NULL == host ) {
324 goto close_socket_and_exit_with_error;
325 }
326 type = AF_UNSPEC;
327 if (strlen(host) < INET6_ADDRSTRLEN &&
328 inet_pton(AF_INET6, host, &addr_ipv6) == 1) {
329 type = AF_INET6;
330 } else if (strlen(host) < INET_ADDRSTRLEN &&
331 inet_pton(AF_INET, host, &addr_ipv4) == 1) {
332 type = AF_INET;
333 }
334 if (type == AF_INET || type == AF_INET6) {
335 host_buf = malloc(HOST_BUF_SIZE);
336 if (host_buf == NULL) {
337 /* will free host in close_socket_and_exit_with_error */
338 goto close_socket_and_exit_with_error;
339 }
340
341 /* Call ldap layer's gethostbyaddr resolver */
342 hent = _ns_gethostbyaddr(sseip->ld, host, strlen(host), type,
343 &host_ent, host_buf, HOST_BUF_SIZE, &stat, NULL);
344
345 /* If we are unable to lookup the host addr, we fail! */
346 if (hent == NULL) {
347 syslog(LOG_WARNING,
348 "libldap: do_ldapssl_connect: "
349 "Unable to resolve '%s'", host);
350 free(host_buf);
351 /* will free host in close_socket_and_exit_with_error */
352 goto close_socket_and_exit_with_error;
353 }
354 /* We support only the primary host name */
355 else {
356 if (hent->ldaphe_name != NULL)
357 name = strdup(hent->ldaphe_name);
358 free(host_buf);
359 if (name == NULL)
360 goto close_socket_and_exit_with_error;
361 else
362 ldap_memfree(host); host = NULL;
363 host = name;
364 }
365 }
366 #endif /* _SOLARIS_SDK */
367
368 /*
369 * Retrieve socket info. so we have the PRFileDesc.
370 */
371 memset( &soi, 0, sizeof(soi));
372 soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
373 if ( prldap_get_socket_info( intfd, *socketargp, &soi ) != LDAP_SUCCESS ) {
374 goto close_socket_and_exit_with_error;
375 }
376
377 /*
378 * Allocate a structure to hold our socket-specific data.
379 */
380 if ( NULL == ( ssoip = PR_Calloc( 1, sizeof( LDAPSSLSocketInfo )))) {
381 goto close_socket_and_exit_with_error;
382 }
383 ssoip->soi_sessioninfo = sseip;
384
385 /*
386 * Add SSL layer and let the standard NSPR to LDAP layer and enable SSL.
387 */
388 if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
389 goto close_socket_and_exit_with_error;
390 }
391
392 if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
393 SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
394 != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
395 PR_FALSE ) != SECSuccess )) {
396 goto close_socket_and_exit_with_error;
397 }
398
399 /*
400 * Let the standard NSPR to LDAP layer know about the new socket and
401 * our own socket-specific data.
402 */
403 soi.soinfo_prfd = sslfd;
404 soi.soinfo_appdata = (void *)ssoip;
405 if ( prldap_set_socket_info( intfd, *socketargp, &soi ) != LDAP_SUCCESS ) {
406 goto close_socket_and_exit_with_error;
407 }
408
409 #ifdef _SOLARIS_SDK
410 /*
411 * Set hostname which will be retrieved (depending on ssl strength) when
412 * using client or server auth.
413 */
414 if (SSL_SetURL(sslfd, host) != SECSuccess)
415 goto close_socket_and_exit_with_error;
416 ldap_memfree(host);
417 host = NULL;
418 #endif /* _SOLARIS_SDK */
419
420 sslfd = NULL; /* so we don't close the socket twice upon error */
421
422 /*
423 * Install certificate hook function.
424 */
425 SSL_AuthCertificateHook( soi.soinfo_prfd,
426 (SSLAuthCertificate)ldapssl_AuthCertificate,
427 (void *)sseip);
428
429 if ( SSL_GetClientAuthDataHook( soi.soinfo_prfd,
430 get_clientauth_data, clientauth ? sseip : NULL ) != 0 ) {
431 goto close_socket_and_exit_with_error;
432 }
433
434 return( intfd ); /* success */
435
436 close_socket_and_exit_with_error:
437 #ifdef _SOLARIS_SDK
438 if ( NULL != host ) ldap_memfree(host);
439 #endif /* _SOLARIS_SDK */
440 if ( NULL != sslfd ) {
441 PR_Close( sslfd );
442 }
443 if ( NULL != ssoip ) {
444 ldapssl_free_socket_info( &ssoip );
445 }
446 if ( intfd >= 0 && NULL != *socketargp ) {
447 (*(sseip->lssei_std_functions.lssf_close_fn))( intfd, *socketargp );
448 }
449 return( -1 );
450 }
451
452
453 static int
454 ldapssl_connect(const char *hostlist, int defport, int timeout,
455 unsigned long options, struct lextiof_session_private *sessionarg,
456 struct lextiof_socket_private **socketargp )
457 {
458 return( do_ldapssl_connect( hostlist, defport, timeout, options,
459 sessionarg, socketargp, 0 ));
460 }
461
462
463 static int
464 ldapssl_clientauth_connect(const char *hostlist, int defport, int timeout,
465 unsigned long options, struct lextiof_session_private *sessionarg,
466 struct lextiof_socket_private **socketargp )
467 {
468 return( do_ldapssl_connect( hostlist, defport, timeout, options,
469 sessionarg, socketargp, 1 ));
470 }
471
472
473 static void
474 ldapssl_disposehandle(LDAP *ld, struct lextiof_session_private *sessionarg)
475 {
476 PRLDAPSessionInfo sei;
477 LDAPSSLSessionInfo *sseip;
478 LDAP_X_EXTIOF_DISPOSEHANDLE_CALLBACK *disposehdl_fn;
479
480 memset( &sei, 0, sizeof( sei ));
481 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
482 if ( prldap_get_session_info( ld, NULL, &sei ) == LDAP_SUCCESS ) {
483 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
484 disposehdl_fn = sseip->lssei_std_functions.lssf_disposehdl_fn;
485 ldapssl_free_session_info( &sseip );
486 (*disposehdl_fn)( ld, sessionarg );
487 }
488 }
489
490
491 /*
492 * Install I/O routines from libsec and NSPR into libldap to allow libldap
493 * to do SSL.
494 *
495 * We rely on libprldap to provide most of the functions, and then we override
496 * a few of them to support SSL.
497 */
498 int
499 LDAP_CALL
500 ldapssl_install_routines( LDAP *ld )
501 {
502 #ifndef LDAP_SSLIO_HOOKS
503 ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
504 return( -1 );
505 #else
506 struct ldap_x_ext_io_fns iofns;
507 LDAPSSLSessionInfo *ssip;
508 PRLDAPSessionInfo sei;
509
510 /*
511 * This is done within ldap_init() and
512 * ldap_init() is called from ldapssl_init()
513 */
514 #ifndef _SOLARIS_SDK
515 if ( prldap_install_routines(
516 ld,
517 1 /* shared -- we have to assume it is */ )
518 != LDAP_SUCCESS ) {
519 return( -1 );
520 }
521 #endif /*_SOLARIS_SDK*/
522
523 /*
524 * Allocate our own session information.
525 */
526 if ( NULL == ( ssip = (LDAPSSLSessionInfo *)PR_Calloc( 1,
527 sizeof( LDAPSSLSessionInfo )))) {
528 ldap_set_lderrno( ld, LDAP_NO_MEMORY, NULL, NULL );
529 return( -1 );
530 }
531 /*
532 * Initialize session info.
533 * XXX: it would be nice to be able to set these on a per-session basis:
534 * lssei_using_pcks_fns
535 * lssei_certdbh
536 */
537 ssip->lssei_ssl_strength = default_ssl_strength;
538 ssip->lssei_using_pcks_fns = using_pkcs_functions;
539 ssip->lssei_certdbh = CERT_GetDefaultCertDB();
540 #ifdef _SOLARIS_SDK
541 /*
542 * This is part of a hack to allow the ssl portion of the
543 * library to call the ldap library gethostbyaddr resolver.
544 */
545 ssip->ld = ld;
546 #endif /* _SOLARIS_SDK */
547
548 /*
549 * override a few functions, saving a pointer to the standard function
550 * in each case so we can call it from our SSL savvy functions.
551 */
552 memset( &iofns, 0, sizeof(iofns));
553 iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
554 if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns ) < 0 ) {
555 ldapssl_free_session_info( &ssip );
556 return( -1 );
557 }
558
559 /* override socket, connect, and ioctl */
560 ssip->lssei_std_functions.lssf_connect_fn = iofns.lextiof_connect;
561 iofns.lextiof_connect = ldapssl_connect;
562 ssip->lssei_std_functions.lssf_close_fn = iofns.lextiof_close;
563 iofns.lextiof_close = ldapssl_close;
564 ssip->lssei_std_functions.lssf_disposehdl_fn = iofns.lextiof_disposehandle;
565 iofns.lextiof_disposehandle = ldapssl_disposehandle;
566
567 if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns ) < 0 ) {
568 ldapssl_free_session_info( &ssip );
569 return( -1 );
570 }
571
572 /*
573 * Store session info. for later retrieval.
574 */
575 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
576 sei.seinfo_appdata = (void *)ssip;
577 if ( prldap_set_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
578 return( -1 );
579 }
580
581 return( 0 );
582 #endif
583 }
584
585
586 /*
587 * Set the SSL strength for an existing SSL-enabled LDAP session handle.
588 *
589 * See the description of ldapssl_serverauth_init() above for valid
590 * sslstrength values. If ld is NULL, the default for new LDAP session
591 * handles is set.
592 *
593 * Returns 0 if all goes well and -1 if an error occurs.
594 */
595 int
596 LDAP_CALL
597 ldapssl_set_strength( LDAP *ld, int sslstrength )
598 {
599 int rc = 0; /* assume success */
600
601 if ( sslstrength != LDAPSSL_AUTH_WEAK &&
602 sslstrength != LDAPSSL_AUTH_CERT &&
603 sslstrength != LDAPSSL_AUTH_CNCHECK ) {
604 rc = -1;
605 } else {
606 if ( NULL == ld ) { /* set default strength */
607 default_ssl_strength = sslstrength;
608 } else { /* set session-specific strength */
609 PRLDAPSessionInfo sei;
610 LDAPSSLSessionInfo *sseip;
611
612 memset( &sei, 0, sizeof( sei ));
613 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
614 if ( prldap_get_session_info( ld, NULL, &sei ) == LDAP_SUCCESS )
615 {
616 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
617 sseip->lssei_ssl_strength = sslstrength;
618 } else {
619 rc = -1;
620 }
621 }
622 }
623
624 return( rc );
625 }
626
627 int
628 LDAP_CALL
629 ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
630 char *keypasswd, char *certnickname )
631 {
632 #ifndef LDAP_SSLIO_HOOKS
633 ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
634 return( -1 );
635 #else
636 struct ldap_x_ext_io_fns iofns;
637 LDAPSSLSessionInfo *ssip;
638 PRLDAPSessionInfo sei;
639
640 /*
641 * Check parameters
642 */
643 if ( certnickname == NULL || keypasswd == NULL ) {
644 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
645 return( -1 );
646 }
647
648 /*
649 * Update session info. data structure.
650 */
651 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
652 if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
653 return( -1 );
654 }
655 ssip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
656 if ( NULL == ssip ) {
657 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
658 return( -1 );
659 }
660 ssip->lssei_certnickname = PL_strdup( certnickname );
661 ssip->lssei_keypasswd = PL_strdup( keypasswd );
662
663 if ( NULL == ssip->lssei_certnickname || NULL == ssip->lssei_keypasswd ) {
664 ldap_set_lderrno( ld, LDAP_NO_MEMORY, NULL, NULL );
665 return( -1 );
666 }
667
668 if ( check_clientauth_nicknames_and_passwd( ld, ssip ) != 0 ) {
669 return( -1 );
670 }
671
672 /*
673 * replace standard SSL CONNECT function with client auth aware one
674 */
675 memset( &iofns, 0, sizeof(iofns));
676 iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
677 if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
678 != 0 ) {
679 return( -1 );
680 }
681
682 if ( iofns.lextiof_connect != ldapssl_connect ) {
683 /* standard SSL setup has not done */
684 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
685 return( -1 );
686 }
687
688 iofns.lextiof_connect = ldapssl_clientauth_connect;
689
690 if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
691 != 0 ) {
692 return( -1 );
693 }
694
695 return( 0 );
696 #endif
697 }
698
699
700 static void
701 ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp )
702 {
703 if ( NULL != ssipp && NULL != *ssipp ) {
704 if ( NULL != (*ssipp)->lssei_certnickname ) {
705 PL_strfree( (*ssipp)->lssei_certnickname );
706 (*ssipp)->lssei_certnickname = NULL;
707 }
708 if ( NULL != (*ssipp)->lssei_keypasswd ) {
709 PL_strfree( (*ssipp)->lssei_keypasswd );
710 (*ssipp)->lssei_keypasswd = NULL;
711 }
712 PR_Free( *ssipp );
713 *ssipp = NULL;
714 }
715 }
716
717
718 static void
719 ldapssl_free_socket_info( LDAPSSLSocketInfo **soipp )
720 {
721 if ( NULL != soipp && NULL != *soipp ) {
722 PR_Free( *soipp );
723 *soipp = NULL;
724 }
725 }
726
727
728 /* this function provides cert authentication. This is called during
729 * the SSL_Handshake process. Once the cert has been retrieved from
730 * the server, the it is checked, using VerifyCertNow(), then
731 * the cn is checked against the host name, set with SSL_SetURL()
732 */
733
734 static int
735 ldapssl_AuthCertificate(void *sessionarg, PRFileDesc *fd, PRBool checkSig,
736 PRBool isServer)
737 {
738 SECStatus rv = SECFailure;
739 LDAPSSLSessionInfo *sseip;
740 CERTCertificate *cert;
741 SECCertUsage certUsage;
742 char *hostname = (char *)0;
743
744 if (!sessionarg || !socket)
745 return rv;
746
747 sseip = (LDAPSSLSessionInfo *)sessionarg;
748
749 if (LDAPSSL_AUTH_WEAK == sseip->lssei_ssl_strength ) { /* no check */
750 return SECSuccess;
751 }
752
753 if ( isServer ) {
754 certUsage = certUsageSSLClient;
755 } else {
756 certUsage = certUsageSSLServer;
757 }
758 cert = SSL_PeerCertificate( fd );
759
760 rv = CERT_VerifyCertNow(sseip->lssei_certdbh, cert, checkSig,
761 certUsage, NULL);
762
763 if ( rv != SECSuccess || isServer )
764 return rv;
765
766 if ( LDAPSSL_AUTH_CNCHECK == sseip->lssei_ssl_strength )
767 {
768 /* cert is OK. This is the client side of an SSL connection.
769 * Now check the name field in the cert against the desired hostname.
770 * NB: This is our only defense against Man-In-The-Middle (MITM)
771 * attacks!
772 */
773
774 hostname = SSL_RevealURL( fd );
775
776 if (hostname && hostname[0]) {
777 rv = CERT_VerifyCertName(cert, hostname);
778 } else {
779 rv = SECFailure;
780 }
781 if (hostname)
782 PORT_Free(hostname);
783 if (rv != SECSuccess)
784 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
785 }
786
787 return((int)rv);
788 }
789
790
791 /*
792 * called during SSL client auth. when server wants our cert and key.
793 * return 0 if we succeeded and set *pRetCert and *pRetKey, -1 otherwise.
794 * if -1 is returned SSL will proceed without sending a cert.
795 */
796
797 static int
798 get_clientauth_data( void *sessionarg, PRFileDesc *prfd,
799 CERTDistNames *caNames, CERTCertificate **pRetCert,
800 SECKEYPrivateKey **pRetKey )
801
802 {
803 LDAPSSLSessionInfo *ssip;
804
805 if (( ssip = (LDAPSSLSessionInfo *)sessionarg ) == NULL ) {
806 return( -1 ); /* client auth. not enabled */
807 }
808
809 return( get_keyandcert( ssip, pRetCert, pRetKey, NULL ));
810 }
811
812 static int
813 get_keyandcert( LDAPSSLSessionInfo *ssip,
814 CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey,
815 char **errmsgp )
816 {
817 CERTCertificate *cert;
818 SECKEYPrivateKey *key;
819
820 if (( cert = PK11_FindCertFromNickname( ssip->lssei_certnickname, NULL ))
821 == NULL ) {
822 if ( errmsgp != NULL ) {
823 *errmsgp = dgettext(TEXT_DOMAIN, "unable to find certificate");
824 }
825 return( -1 );
826 }
827
828 {
829 PK11_SetPasswordFunc( get_keypassword );
830 }
831
832
833
834 if (( key = PK11_FindKeyByAnyCert( cert, (void *)ssip )) == NULL ) {
835 CERT_DestroyCertificate( cert );
836 if ( errmsgp != NULL ) {
837 *errmsgp = dgettext(TEXT_DOMAIN, "bad key or key password");
838 }
839 return( -1 );
840 }
841
842 *pRetCert = cert;
843 *pRetKey = key;
844 return( 0 );
845 }
846
847
848 /*
849 * This function returns the password to NSS.
850 * This function is enable through PK11_SetPasswordFunc
851 * only if pkcs functions are not being used.
852 */
853
854 static char *
855 get_keypassword( PK11SlotInfo *slot, PRBool retry, void *sessionarg )
856 {
857 LDAPSSLSessionInfo *ssip;
858
859 if ( retry)
860 return (NULL);
861
862 ssip = (LDAPSSLSessionInfo *)sessionarg;
863 if ( NULL == ssip ) {
864 return( NULL );
865 }
866
867 return( ssip->lssei_keypasswd );
868 }
869
870
871 /*
872 * performs some basic checks on clientauth cert and key/password
873 *
874 * XXXmcs: could perform additional checks... see servers/slapd/ssl.c
875 * 1) check expiration
876 * 2) check that public key in cert matches private key
877 * see ns/netsite/ldap/servers/slapd/ssl.c:slapd_ssl_init() for example code.
878 */
879 static int
880 check_clientauth_nicknames_and_passwd( LDAP *ld, LDAPSSLSessionInfo *ssip )
881 {
882 char *errmsg = NULL;
883 CERTCertificate *cert = NULL;
884 SECKEYPrivateKey *key = NULL;
885 int rv;
886
887 rv = get_keyandcert( ssip, &cert, &key, &errmsg );
888
889 if ( rv != 0 ) {
890 if ( errmsg != NULL ) {
891 errmsg = strdup( errmsg );
892 }
893 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, errmsg );
894 return( -1 );
895 }
896
897 if ( cert != NULL ) {
898 CERT_DestroyCertificate( cert );
899 }
900 if ( key != NULL ) {
901 SECKEY_DestroyPrivateKey( key );
902 }
903 return( 0 );
904 }
905
906
907 #if 0 /* NOT_NEEDED_IN_LIBLDAP */
908 /* there are patches and kludges. this is both. force some linkers to
909 * link this stuff in
910 */
911 int stubs_o_stuff( void )
912 {
913 PRExplodedTime exploded;
914 PLArenaPool pool;
915
916 const char *name ="t";
917 PRUint32 size = 0, align = 0;
918
919 PR_ImplodeTime( &exploded );
920 PL_InitArenaPool( &pool, name, size, align);
921 PR_Cleanup();
922 PR_fprintf((PRFileDesc*)stderr, "Bad IDEA!!");
923
924 return 0;
925
926 }
927 #endif /* NOT_NEEDED_IN_LIBLDAP */
928
929
930 /*
931 * Import the file descriptor corresponding to the socket of an already
932 * open LDAP connection into SSL, and update the socket and session
933 * information accordingly.
934 */
935 int ldapssl_import_fd ( LDAP *ld, int secure )
936 {
937 PRLDAPSessionInfo sei;
938 PRLDAPSocketInfo soi;
939 LDAPSSLSocketInfo *ssoip = NULL;
940 LDAPSSLSessionInfo *sseip;
941 PRFileDesc *sslfd = NULL;
942
943
944 /*
945 * Retrieve session info. so we can store a pointer to our session info.
946 * in our socket info. later.
947 */
948 memset( &sei, 0, sizeof(sei));
949 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
950 if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
951 return( -1 );
952 }
953 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
954
955
956 /*
957 * Retrieve socket info. so we have the PRFileDesc.
958 */
959 memset( &soi, 0, sizeof(soi));
960 soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
961 if ( prldap_get_default_socket_info( ld, &soi ) != LDAP_SUCCESS ) {
962 return( -1 );
963 }
964
965 /*
966 * Allocate a structure to hold our socket-specific data.
967 */
968 if ( NULL == ( ssoip = PR_Calloc( 1, sizeof( LDAPSSLSocketInfo )))) {
969 goto reset_socket_and_exit_with_error;
970 }
971 ssoip->soi_sessioninfo = sseip;
972
973 /*
974 * Add SSL layer and let the standard NSPR to LDAP layer and enable SSL.
975 */
976 if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
977 goto reset_socket_and_exit_with_error;
978 }
979
980 if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
981 SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
982 != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
983 PR_FALSE ) != SECSuccess )) {
984 goto reset_socket_and_exit_with_error;
985 }
986
987 /*
988 * Let the standard NSPR to LDAP layer know about the new socket and
989 * our own socket-specific data.
990 */
991 soi.soinfo_prfd = sslfd;
992 soi.soinfo_appdata = (void *)ssoip;
993 if ( prldap_set_default_socket_info( ld, &soi ) != LDAP_SUCCESS ) {
994 goto reset_socket_and_exit_with_error;
995 }
996
997 /*
998 * Install certificate hook function.
999 */
1000 if ( SSL_AuthCertificateHook( soi.soinfo_prfd,
1001 (SSLAuthCertificate)ldapssl_AuthCertificate,
1002 (void *)CERT_GetDefaultCertDB()) != 0 ) {
1003 goto reset_socket_and_exit_with_error;
1004 }
1005
1006 if ( SSL_GetClientAuthDataHook( soi.soinfo_prfd,
1007 get_clientauth_data, sseip->lssei_certnickname ? sseip : NULL )
1008 != 0 ) {
1009 goto reset_socket_and_exit_with_error;
1010 }
1011
1012 return 0;
1013
1014 reset_socket_and_exit_with_error:
1015 if ( NULL != sslfd ) {
1016 /*
1017 * "Unimport" the socket from SSL, i.e. get rid of the upper layer of
1018 * the file descriptor stack, which represents SSL.
1019 */
1020 soi.soinfo_prfd = sslfd;
1021 sslfd = PR_PopIOLayer( soi.soinfo_prfd, PR_TOP_IO_LAYER );
1022 sslfd->dtor( sslfd );
1023 }
1024 if ( NULL != ssoip ) {
1025 ldapssl_free_socket_info( &ssoip );
1026 soi.soinfo_appdata = NULL;
1027 }
1028 prldap_set_default_socket_info( ld, &soi );
1029
1030 return( -1 );
1031 }
1032
1033
1034 /*
1035 * Reset an LDAP session from SSL to a non-secure status.
1036 * Basically, this function undoes the work done by ldapssl_install_routines.
1037 */
1038 int ldapssl_reset_to_nonsecure ( LDAP *ld )
1039 {
1040 PRLDAPSessionInfo sei;
1041 LDAPSSLSessionInfo *sseip;
1042
1043 struct ldap_x_ext_io_fns iofns;
1044 int rc = 0;
1045
1046 /*
1047 * Retrieve session info.
1048 */
1049 memset( &sei, 0, sizeof(sei));
1050 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
1051 if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
1052 return( -1 );
1053 }
1054 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
1055
1056 if ( sseip != NULL ) {
1057 /*
1058 * Reset the standard extended io functions.
1059 */
1060 memset( &iofns, 0, sizeof(iofns));
1061 iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
1062 if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
1063 < 0) {
1064 rc = -1;
1065 goto free_session_info;
1066 }
1067
1068 /* reset socket, connect, and ioctl */
1069 iofns.lextiof_connect = sseip->lssei_std_functions.lssf_connect_fn;
1070 iofns.lextiof_close = sseip->lssei_std_functions.lssf_close_fn;
1071 iofns.lextiof_disposehandle =
1072 sseip->lssei_std_functions.lssf_disposehdl_fn;
1073
1074 if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
1075 < 0) {
1076 rc = -1;
1077 goto free_session_info;
1078 }
1079
1080 free_session_info:
1081 ldapssl_free_session_info( &sseip );
1082 sei.seinfo_appdata = NULL;
1083 if ( prldap_set_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
1084 rc = -1;
1085 }
1086 } /* if ( sseip && *sseip ) */
1087
1088 if ( ldap_set_option( ld, LDAP_OPT_SSL, LDAP_OPT_OFF ) < 0 ) {
1089 return (-1);
1090 }
1091
1092 return rc;
1093 }
1094
1095
1096 #ifdef _SOLARIS_SDK
1097 static void
1098 _nss_initf_ipnodes(nss_db_params_t *p)
1099 {
1100 static char *no_service = "";
1101
1102 p->name = NSS_DBNAM_IPNODES;
1103 p->flags |= NSS_USE_DEFAULT_CONFIG;
1104 p->default_config = host_service == NULL ? no_service : host_service;
1105 }
1106
1107 static void
1108 _nss_initf_hosts(nss_db_params_t *p)
1109 {
1110 static char *no_service = "";
1111
1112 p->name = NSS_DBNAM_HOSTS;
1113 p->flags |= NSS_USE_DEFAULT_CONFIG;
1114 p->default_config = host_service == NULL ? no_service : host_service;
1115 }
1116
1117 static struct hostent *
1118 _switch_gethostbyaddr_r(const char *addr, int len, int type,
1119 struct hostent *result, char *buffer, int buflen,
1120 int *h_errnop)
1121 {
1122 nss_XbyY_args_t arg;
1123 nss_status_t res;
1124 int (*str2ent)();
1125 void (*nss_initf)();
1126 nss_db_root_t *nss_db_root;
1127
1128 if (AF_INET == type) {
1129 str2ent = str2hostent;
1130 nss_initf = _nss_initf_hosts;
1131 nss_db_root = &db_root_hosts;
1132 } else if (AF_INET6 == type) {
1133 str2ent = str2hostent6;
1134 nss_initf = _nss_initf_ipnodes;
1135 nss_db_root = &db_root_ipnodes;
1136 } else {
1137 return NULL;
1138 }
1139
1140 NSS_XbyY_INIT(&arg, result, buffer, buflen, str2ent);
1141
1142 arg.key.hostaddr.addr = addr;
1143 arg.key.hostaddr.len = len;
1144 arg.key.hostaddr.type = type;
1145 arg.stayopen = 0;
1146
1147 res = nss_search(nss_db_root, nss_initf,
1148 NSS_DBOP_HOSTS_BYADDR, &arg);
1149 arg.status = res;
1150 *h_errnop = arg.h_errno;
1151 return (struct hostent *)NSS_XbyY_FINI(&arg);
1152 }
1153
1154 /*
1155 * ns_gethostbyaddr is used to be a substitute gethostbyaddr for
1156 * libldap when ssl will need to determine the fully qualified
1157 * host name from an address when it is unsafe to use the normal
1158 * nameservice functions.
1159 *
1160 * Note that the ldap name service resolver calls this with the address as
1161 * a character string - which we must convert into address form.
1162 */
1163
1164 /*ARGSUSED*/
1165 static LDAPHostEnt *
1166 ns_gethostbyaddr(const char *addr, int len, int type,
1167 LDAPHostEnt *result, char *buffer, int buflen, int *statusp,
1168 void *extradata)
1169 {
1170 LDAPHostEnt *ldap_hent;
1171 int h_errno;
1172 struct hostent h_ent;
1173 struct hostent *h_e = NULL;
1174 struct in_addr a;
1175 struct in6_addr a6;
1176 int inet_error; /* error returned by inet_pton */
1177
1178
1179 if (addr == NULL || result == NULL || buffer == NULL ||
1180 (type != AF_INET && type != AF_INET6))
1181 return (NULL);
1182
1183
1184 (void) memset(&h_ent, 0, sizeof (h_ent));
1185
1186 if (AF_INET == type) {
1187 if (inet_pton(type, addr, &a.s_addr) == 1) {
1188 h_e = _switch_gethostbyaddr_r((char *)&a,
1189 sizeof (a.s_addr), type, &h_ent,
1190 buffer, buflen, &h_errno);
1191 }
1192 } else if (AF_INET6 == type) {
1193 if (inet_pton(type, addr, &a6.s6_addr) == 1) {
1194 h_e = _switch_gethostbyaddr_r((char *)&a6,
1195 sizeof (a6.s6_addr), type, &h_ent,
1196 buffer, buflen, &h_errno);
1197 }
1198 }
1199
1200 if (h_e == NULL) {
1201 ldap_hent = NULL;
1202 } else {
1203 (void) memset(result, 0, sizeof (LDAPHostEnt));
1204 ldap_hent = result;
1205 result->ldaphe_name = h_e->h_name;
1206 result->ldaphe_aliases = h_e->h_aliases;
1207 result->ldaphe_addrtype = h_e->h_addrtype;
1208 result->ldaphe_length = h_e->h_length;
1209 result->ldaphe_addr_list = h_e->h_addr_list;
1210 }
1211 return (ldap_hent);
1212 }
1213
1214 /*
1215 * ldapssl_install_gethostbyaddr attempts to prevent recursion in
1216 * gethostbyaddr calls when an ip address is given to ssl. This ip address
1217 * must be resolved to a host name.
1218 *
1219 * For example, libsldap cannot use LDAP to resolve this address to a
1220 * name because of recursion. The caller is instructing libldap to skip
1221 * the specified name service when resolving addresses for the specified
1222 * ldap connection.
1223 *
1224 * Currently only ldap and dns name services always return fully qualified
1225 * names. The other name services (files, nis, and nisplus) will returned
1226 * fully qualified names if the host names are stored as fully qualified names
1227 * in these name services.
1228 *
1229 * Note:
1230 *
1231 * Since host_service applies to all connections, calling
1232 * ldapssl_install_gethostbyaddr with different name services to
1233 * skip will lead to unpredictable results.
1234 *
1235 * Returns:
1236 * 0 if success
1237 * -1 if failure
1238 */
1239
1240 int
1241 ldapssl_install_gethostbyaddr(LDAP *ld, const char *skip)
1242 {
1243 enum __nsw_parse_err pserr;
1244 struct __nsw_switchconfig *conf;
1245 struct __nsw_lookup *lkp;
1246 struct ldap_dns_fns dns_fns;
1247 char *name_list = NULL;
1248 char *tmp;
1249 const char *name;
1250 int len;
1251 boolean_t got_skip = B_FALSE;
1252
1253 /*
1254 * db_root_hosts.lock mutex is used to ensure that the name list
1255 * is not in use by the name service switch while we are updating
1256 * the host_service
1257 */
1258
1259 (void) mutex_lock(&db_root_hosts.lock);
1260 conf = __nsw_getconfig("hosts", &pserr);
1261 if (conf == NULL) {
1262 (void) mutex_unlock(&db_root_hosts.lock);
1263 return (0);
1264 }
1265
1266 /* check for ldap and count other backends */
1267 for (lkp = conf->lookups; lkp != NULL; lkp = lkp->next) {
1268 name = lkp->service_name;
1269 if (strcmp(name, skip) == 0) {
1270 got_skip = B_TRUE;
1271 continue;
1272 }
1273 if (name_list == NULL)
1274 name_list = strdup(name);
1275 else {
1276 len = strlen(name_list);
1277 tmp = realloc(name_list, len + strlen(name) + 2);
1278 if (tmp == NULL) {
1279 free(name_list);
1280 name_list = NULL;
1281 } else {
1282 name_list = tmp;
1283 name_list[len++] = ' ';
1284 (void) strcpy(name_list+len, name);
1285 }
1286 }
1287 if (name_list == NULL) { /* alloc error */
1288 (void) mutex_unlock(&db_root_hosts.lock);
1289 __nsw_freeconfig(conf);
1290 return (-1);
1291 }
1292 }
1293 __nsw_freeconfig(conf);
1294 if (!got_skip) {
1295 /*
1296 * Since skip name service not used for hosts, we do not need
1297 * to install our private address resolution function
1298 */
1299 (void) mutex_unlock(&db_root_hosts.lock);
1300 if (name_list != NULL)
1301 free(name_list);
1302 return (0);
1303 }
1304 if (host_service != NULL)
1305 free(host_service);
1306 host_service = name_list;
1307 (void) mutex_unlock(&db_root_hosts.lock);
1308
1309 if (ldap_get_option(ld, LDAP_OPT_DNS_FN_PTRS, &dns_fns) != 0)
1310 return (-1);
1311 dns_fns.lddnsfn_gethostbyaddr = ns_gethostbyaddr;
1312 if (ldap_set_option(ld, LDAP_OPT_DNS_FN_PTRS, &dns_fns) != 0)
1313 return (-1);
1314 return (0);
1315 }
1316 #endif /* _SOLARIS_SDK */
1317 #endif /* NET_SSL */
unleashed repo fork