search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / usr / src / lib / libldap5 / sources / ldap / ssldap / ldapsinit.c
blob8ba27c2d48f1d4e0774bb1e4e7388406209278d0
1 /*
2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 /*
7 * The contents of this file are subject to the Netscape Public
8 * License Version 1.1 (the "License"); you may not use this file
9 * except in compliance with the License. You may obtain a copy of
10 * the License at http://www.mozilla.org/NPL/
11 *
12 * Software distributed under the License is distributed on an "AS
13 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
14 * implied. See the License for the specific language governing
15 * rights and limitations under the License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is Netscape
21 * Communications Corporation. Portions created by Netscape are
22 * Copyright (C) 1998-1999 Netscape Communications Corporation. All
23 * Rights Reserved.
24 *
25 * Contributor(s):
26 */
27
28 /*
29 * ldapsinit.c
30 */
31
32 #if defined(NET_SSL)
33
34 #if defined( _WINDOWS )
35 #include <windows.h>
36 #endif
37
38 /* XXX:mhein The following is a workaround for the redefinition of */
39 /* const problem on OSF. Fix to be provided by NSS */
40 /* This is a pretty benign workaround for us which */
41 /* should not cause problems in the future even if */
42 /* we forget to take it out :-) */
43
44 #ifdef OSF1V4D
45 #ifndef __STDC__
46 # define __STDC__
47 #endif /* __STDC__ */
48 #endif /* OSF1V4D */
49
50 #include <errno.h>
51 #include <nspr.h>
52 #include <cert.h>
53 #include <key.h>
54 #include <ssl.h>
55 #include <sslproto.h>
56 #include <sslerr.h>
57 #include <prnetdb.h>
58
59 #include <ldap.h>
60
61 #include <ldappr.h>
62 #include <pk11func.h>
63
64 #ifdef _SOLARIS_SDK
65 #include "solaris-int.h"
66 #include <libintl.h>
67 #include <syslog.h>
68 #include <nsswitch.h>
69 #include <synch.h>
70 #include <nss_dbdefs.h>
71 #include <netinet/in.h>
72
73 #define HOST_BUF_SIZE 2048
74
75 #ifndef INADDR_NONE
76 #define INADDR_NONE (-1)
77 #endif
78
79 extern int
80 str2hostent(const char *instr, int lenstr, void *ent, char *buffer,
81 int buflen);
82
83 extern int
84 str2hostent6(const char *instr, int lenstr, void *ent, char *buffer,
85 int buflen);
86
87 extern LDAPHostEnt *
88 _ns_gethostbyaddr(LDAP *ld, const char *addr, int length, int type,
89 LDAPHostEnt *result, char *buffer, int buflen, int *statusp,
90 void *extradata);
91
92 static char *host_service = NULL;
93
94 static DEFINE_NSS_DB_ROOT(db_root_hosts);
95 static DEFINE_NSS_DB_ROOT(db_root_ipnodes);
96 #endif
97
98 /*
99 * Data structure to hold the standard NSPR I/O function pointers set by
100 * libprldap. We save them in our session data structure so we can call
101 * them from our own I/O functions (we add functionality to support SSL
102 * while using libprldap's functions as much as possible).
103 */
104 typedef struct ldapssl_std_functions {
105 LDAP_X_EXTIOF_CLOSE_CALLBACK *lssf_close_fn;
106 LDAP_X_EXTIOF_CONNECT_CALLBACK *lssf_connect_fn;
107 LDAP_X_EXTIOF_DISPOSEHANDLE_CALLBACK *lssf_disposehdl_fn;
108 } LDAPSSLStdFunctions;
109
110
111
112 /*
113 * LDAP session data structure.
114 */
115 typedef struct ldapssl_session_info {
116 int lssei_using_pcks_fns;
117 int lssei_ssl_strength;
118 char *lssei_certnickname;
119 char *lssei_keypasswd;
120 LDAPSSLStdFunctions lssei_std_functions;
121 CERTCertDBHandle *lssei_certdbh;
122 #ifdef _SOLARIS_SDK
123 /*
124 * This is a hack.
125 * ld is used so that we can use libldap's gethostbyaddr
126 * resolver. This is needed to prevent recursion with libsldap.
127 */
128 LDAP *ld;
129 #endif /* _SOLARIS_SDK */
130 } LDAPSSLSessionInfo;
131
132
133 /*
134 * LDAP socket data structure.
135 */
136 typedef struct ldapssl_socket_info {
137 LDAPSSLSessionInfo *soi_sessioninfo; /* session info */
138 } LDAPSSLSocketInfo;
139
140
141 /*
142 * XXXceb This is a hack until the new IO functions are done.
143 * this function MUST be called before ldap_enable_clienauth.
144 * right now, this function is called in ldapssl_pkcs_init();
145 */
146
147 static int using_pkcs_functions = 0;
148
149 void set_using_pkcs_functions( int val )
150 {
151 using_pkcs_functions = val;
152 }
153
154
155 /*
156 * Utility functions:
157 */
158 static void ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp );
159 static void ldapssl_free_socket_info( LDAPSSLSocketInfo **soipp );
160
161
162 /*
163 * SSL Stuff
164 */
165
166 static int ldapssl_AuthCertificate(void *sessionarg, PRFileDesc *fd,
167 PRBool checkSig, PRBool isServer);
168
169 /*
170 * client auth stuff
171 */
172 static int get_clientauth_data( void *sessionarg, PRFileDesc *prfd,
173 CERTDistNames *caNames, CERTCertificate **pRetCert,
174 SECKEYPrivateKey **pRetKey );
175 static int get_keyandcert( LDAPSSLSessionInfo *ssip,
176 CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey,
177 char **errmsgp );
178 static int check_clientauth_nicknames_and_passwd( LDAP *ld,
179 LDAPSSLSessionInfo *ssip );
180 static char *get_keypassword( PK11SlotInfo *slot, PRBool retry,
181 void *sessionarg );
182
183 /*
184 * Static variables.
185 */
186 #ifdef _SOLARIS_SDK
187 static int default_ssl_strength = LDAPSSL_AUTH_CNCHECK;
188 #else
189 static int default_ssl_strength = LDAPSSL_AUTH_CERT;
190 #endif
191
192 /*
193 * Like ldap_init(), except also install I/O routines from libsec so we
194 * can support SSL. If defsecure is non-zero, SSL is enabled for the
195 * default connection as well.
196 */
197 LDAP *
198 LDAP_CALL
199 ldapssl_init( const char *defhost, int defport, int defsecure )
200 {
201 LDAP *ld;
202
203
204 #ifndef LDAP_SSLIO_HOOKS
205 return( NULL );
206 #else
207 if (0 ==defport)
208 defport = LDAPS_PORT;
209
210 if (( ld = ldap_init( defhost, defport )) == NULL ) {
211 return( NULL );
212 }
213
214 if ( ldapssl_install_routines( ld ) < 0 || ldap_set_option( ld,
215 LDAP_OPT_SSL, defsecure ? LDAP_OPT_ON : LDAP_OPT_OFF ) != 0 ) {
216 PR_SetError( PR_UNKNOWN_ERROR, EINVAL ); /* XXXmcs: just a guess! */
217 ldap_unbind( ld );
218 return( NULL );
219 }
220
221 return( ld );
222 #endif
223 }
224
225
226 static int
227 ldapssl_close(int s, struct lextiof_socket_private *socketarg)
228 {
229 PRLDAPSocketInfo soi;
230 LDAPSSLSocketInfo *ssoip;
231 LDAPSSLSessionInfo *sseip;
232
233 memset( &soi, 0, sizeof(soi));
234 soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
235 if ( prldap_get_socket_info( s, socketarg, &soi ) != LDAP_SUCCESS ) {
236 return( -1 );
237 }
238
239 ssoip = (LDAPSSLSocketInfo *)soi.soinfo_appdata;
240 sseip = ssoip->soi_sessioninfo;
241
242 ldapssl_free_socket_info( (LDAPSSLSocketInfo **)&soi.soinfo_appdata );
243
244 return( (*(sseip->lssei_std_functions.lssf_close_fn))( s, socketarg ));
245 }
246
247 static int
248 do_ldapssl_connect(const char *hostlist, int defport, int timeout,
249 unsigned long options, struct lextiof_session_private *sessionarg,
250 struct lextiof_socket_private **socketargp, int clientauth )
251 {
252 int intfd = -1;
253 PRBool secure;
254 PRLDAPSessionInfo sei;
255 PRLDAPSocketInfo soi;
256 LDAPSSLSocketInfo *ssoip = NULL;
257 LDAPSSLSessionInfo *sseip;
258 PRFileDesc *sslfd = NULL;
259 #ifdef _SOLARIS_SDK
260 int port;
261 int parse_err;
262 char *host = NULL;
263 char *name;
264 struct ldap_x_hostlist_status
265 *status = NULL;
266 in_addr_t addr_ipv4;
267 in6_addr_t addr_ipv6;
268 char *host_buf;
269 LDAPHostEnt *hent;
270 LDAPHostEnt host_ent;
271 int stat;
272 int type;
273 #endif /* _SOLARIS_SDK */
274
275 /*
276 * Determine if secure option is set. Also, clear secure bit in options
277 * the we pass to the standard connect() function (since it doesn't know
278 * how to handle the secure option).
279 */
280 if ( 0 != ( options & LDAP_X_EXTIOF_OPT_SECURE )) {
281 secure = PR_TRUE;
282 options &= ~LDAP_X_EXTIOF_OPT_SECURE;
283 } else {
284 secure = PR_FALSE;
285 }
286
287 /*
288 * Retrieve session info. so we can store a pointer to our session info.
289 * in our socket info. later.
290 */
291 memset( &sei, 0, sizeof(sei));
292 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
293 if ( prldap_get_session_info( NULL, sessionarg, &sei ) != LDAP_SUCCESS ) {
294 return( -1 );
295 }
296 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
297
298 /*
299 * Call the standard connect() callback to make the TCP connection.
300 * If it succeeds, *socketargp is set.
301 */
302
303 intfd = (*(sseip->lssei_std_functions.lssf_connect_fn))( hostlist, defport,
304 timeout, options, sessionarg, socketargp
305 #ifdef _SOLARIS_SDK
306 , &host );
307 #else
308 );
309 #endif /* _SOLARIS_SDK */
310
311 if ( intfd < 0 ) {
312 return( intfd );
313 }
314
315 #ifdef _SOLARIS_SDK
316 /*
317 * Determine if the "host name" is an ip address. If so,
318 * we must look up the actual host name corresponding to
319 * it.
320 */
321 if ( NULL == host ) {
322 goto close_socket_and_exit_with_error;
323 }
324 type = AF_UNSPEC;
325 if (strlen(host) < INET6_ADDRSTRLEN &&
326 inet_pton(AF_INET6, host, &addr_ipv6) == 1) {
327 type = AF_INET6;
328 } else if (strlen(host) < INET_ADDRSTRLEN &&
329 inet_pton(AF_INET, host, &addr_ipv4) == 1) {
330 type = AF_INET;
331 }
332 if (type == AF_INET || type == AF_INET6) {
333 host_buf = malloc(HOST_BUF_SIZE);
334 if (host_buf == NULL) {
335 /* will free host in close_socket_and_exit_with_error */
336 goto close_socket_and_exit_with_error;
337 }
338
339 /* Call ldap layer's gethostbyaddr resolver */
340 hent = _ns_gethostbyaddr(sseip->ld, host, strlen(host), type,
341 &host_ent, host_buf, HOST_BUF_SIZE, &stat, NULL);
342
343 /* If we are unable to lookup the host addr, we fail! */
344 if (hent == NULL) {
345 syslog(LOG_WARNING,
346 "libldap: do_ldapssl_connect: "
347 "Unable to resolve '%s'", host);
348 free(host_buf);
349 /* will free host in close_socket_and_exit_with_error */
350 goto close_socket_and_exit_with_error;
351 }
352 /* We support only the primary host name */
353 else {
354 if (hent->ldaphe_name != NULL)
355 name = strdup(hent->ldaphe_name);
356 free(host_buf);
357 if (name == NULL)
358 goto close_socket_and_exit_with_error;
359 else
360 ldap_memfree(host); host = NULL;
361 host = name;
362 }
363 }
364 #endif /* _SOLARIS_SDK */
365
366 /*
367 * Retrieve socket info. so we have the PRFileDesc.
368 */
369 memset( &soi, 0, sizeof(soi));
370 soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
371 if ( prldap_get_socket_info( intfd, *socketargp, &soi ) != LDAP_SUCCESS ) {
372 goto close_socket_and_exit_with_error;
373 }
374
375 /*
376 * Allocate a structure to hold our socket-specific data.
377 */
378 if ( NULL == ( ssoip = PR_Calloc( 1, sizeof( LDAPSSLSocketInfo )))) {
379 goto close_socket_and_exit_with_error;
380 }
381 ssoip->soi_sessioninfo = sseip;
382
383 /*
384 * Add SSL layer and let the standard NSPR to LDAP layer and enable SSL.
385 */
386 if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
387 goto close_socket_and_exit_with_error;
388 }
389
390 if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
391 SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
392 != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
393 PR_FALSE ) != SECSuccess )) {
394 goto close_socket_and_exit_with_error;
395 }
396
397 /*
398 * Let the standard NSPR to LDAP layer know about the new socket and
399 * our own socket-specific data.
400 */
401 soi.soinfo_prfd = sslfd;
402 soi.soinfo_appdata = (void *)ssoip;
403 if ( prldap_set_socket_info( intfd, *socketargp, &soi ) != LDAP_SUCCESS ) {
404 goto close_socket_and_exit_with_error;
405 }
406
407 #ifdef _SOLARIS_SDK
408 /*
409 * Set hostname which will be retrieved (depending on ssl strength) when
410 * using client or server auth.
411 */
412 if (SSL_SetURL(sslfd, host) != SECSuccess)
413 goto close_socket_and_exit_with_error;
414 ldap_memfree(host);
415 host = NULL;
416 #endif /* _SOLARIS_SDK */
417
418 sslfd = NULL; /* so we don't close the socket twice upon error */
419
420 /*
421 * Install certificate hook function.
422 */
423 SSL_AuthCertificateHook( soi.soinfo_prfd,
424 (SSLAuthCertificate)ldapssl_AuthCertificate,
425 (void *)sseip);
426
427 if ( SSL_GetClientAuthDataHook( soi.soinfo_prfd,
428 get_clientauth_data, clientauth ? sseip : NULL ) != 0 ) {
429 goto close_socket_and_exit_with_error;
430 }
431
432 return( intfd ); /* success */
433
434 close_socket_and_exit_with_error:
435 #ifdef _SOLARIS_SDK
436 if ( NULL != host ) ldap_memfree(host);
437 #endif /* _SOLARIS_SDK */
438 if ( NULL != sslfd ) {
439 PR_Close( sslfd );
440 }
441 if ( NULL != ssoip ) {
442 ldapssl_free_socket_info( &ssoip );
443 }
444 if ( intfd >= 0 && NULL != *socketargp ) {
445 (*(sseip->lssei_std_functions.lssf_close_fn))( intfd, *socketargp );
446 }
447 return( -1 );
448 }
449
450
451 static int
452 ldapssl_connect(const char *hostlist, int defport, int timeout,
453 unsigned long options, struct lextiof_session_private *sessionarg,
454 struct lextiof_socket_private **socketargp )
455 {
456 return( do_ldapssl_connect( hostlist, defport, timeout, options,
457 sessionarg, socketargp, 0 ));
458 }
459
460
461 static int
462 ldapssl_clientauth_connect(const char *hostlist, int defport, int timeout,
463 unsigned long options, struct lextiof_session_private *sessionarg,
464 struct lextiof_socket_private **socketargp )
465 {
466 return( do_ldapssl_connect( hostlist, defport, timeout, options,
467 sessionarg, socketargp, 1 ));
468 }
469
470
471 static void
472 ldapssl_disposehandle(LDAP *ld, struct lextiof_session_private *sessionarg)
473 {
474 PRLDAPSessionInfo sei;
475 LDAPSSLSessionInfo *sseip;
476 LDAP_X_EXTIOF_DISPOSEHANDLE_CALLBACK *disposehdl_fn;
477
478 memset( &sei, 0, sizeof( sei ));
479 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
480 if ( prldap_get_session_info( ld, NULL, &sei ) == LDAP_SUCCESS ) {
481 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
482 disposehdl_fn = sseip->lssei_std_functions.lssf_disposehdl_fn;
483 ldapssl_free_session_info( &sseip );
484 (*disposehdl_fn)( ld, sessionarg );
485 }
486 }
487
488
489 /*
490 * Install I/O routines from libsec and NSPR into libldap to allow libldap
491 * to do SSL.
492 *
493 * We rely on libprldap to provide most of the functions, and then we override
494 * a few of them to support SSL.
495 */
496 int
497 LDAP_CALL
498 ldapssl_install_routines( LDAP *ld )
499 {
500 #ifndef LDAP_SSLIO_HOOKS
501 ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
502 return( -1 );
503 #else
504 struct ldap_x_ext_io_fns iofns;
505 LDAPSSLSessionInfo *ssip;
506 PRLDAPSessionInfo sei;
507
508 /*
509 * This is done within ldap_init() and
510 * ldap_init() is called from ldapssl_init()
511 */
512 #ifndef _SOLARIS_SDK
513 if ( prldap_install_routines(
514 ld,
515 1 /* shared -- we have to assume it is */ )
516 != LDAP_SUCCESS ) {
517 return( -1 );
518 }
519 #endif /*_SOLARIS_SDK*/
520
521 /*
522 * Allocate our own session information.
523 */
524 if ( NULL == ( ssip = (LDAPSSLSessionInfo *)PR_Calloc( 1,
525 sizeof( LDAPSSLSessionInfo )))) {
526 ldap_set_lderrno( ld, LDAP_NO_MEMORY, NULL, NULL );
527 return( -1 );
528 }
529 /*
530 * Initialize session info.
531 * XXX: it would be nice to be able to set these on a per-session basis:
532 * lssei_using_pcks_fns
533 * lssei_certdbh
534 */
535 ssip->lssei_ssl_strength = default_ssl_strength;
536 ssip->lssei_using_pcks_fns = using_pkcs_functions;
537 ssip->lssei_certdbh = CERT_GetDefaultCertDB();
538 #ifdef _SOLARIS_SDK
539 /*
540 * This is part of a hack to allow the ssl portion of the
541 * library to call the ldap library gethostbyaddr resolver.
542 */
543 ssip->ld = ld;
544 #endif /* _SOLARIS_SDK */
545
546 /*
547 * override a few functions, saving a pointer to the standard function
548 * in each case so we can call it from our SSL savvy functions.
549 */
550 memset( &iofns, 0, sizeof(iofns));
551 iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
552 if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns ) < 0 ) {
553 ldapssl_free_session_info( &ssip );
554 return( -1 );
555 }
556
557 /* override socket, connect, and ioctl */
558 ssip->lssei_std_functions.lssf_connect_fn = iofns.lextiof_connect;
559 iofns.lextiof_connect = ldapssl_connect;
560 ssip->lssei_std_functions.lssf_close_fn = iofns.lextiof_close;
561 iofns.lextiof_close = ldapssl_close;
562 ssip->lssei_std_functions.lssf_disposehdl_fn = iofns.lextiof_disposehandle;
563 iofns.lextiof_disposehandle = ldapssl_disposehandle;
564
565 if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns ) < 0 ) {
566 ldapssl_free_session_info( &ssip );
567 return( -1 );
568 }
569
570 /*
571 * Store session info. for later retrieval.
572 */
573 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
574 sei.seinfo_appdata = (void *)ssip;
575 if ( prldap_set_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
576 return( -1 );
577 }
578
579 return( 0 );
580 #endif
581 }
582
583
584 /*
585 * Set the SSL strength for an existing SSL-enabled LDAP session handle.
586 *
587 * See the description of ldapssl_serverauth_init() above for valid
588 * sslstrength values. If ld is NULL, the default for new LDAP session
589 * handles is set.
590 *
591 * Returns 0 if all goes well and -1 if an error occurs.
592 */
593 int
594 LDAP_CALL
595 ldapssl_set_strength( LDAP *ld, int sslstrength )
596 {
597 int rc = 0; /* assume success */
598
599 if ( sslstrength != LDAPSSL_AUTH_WEAK &&
600 sslstrength != LDAPSSL_AUTH_CERT &&
601 sslstrength != LDAPSSL_AUTH_CNCHECK ) {
602 rc = -1;
603 } else {
604 if ( NULL == ld ) { /* set default strength */
605 default_ssl_strength = sslstrength;
606 } else { /* set session-specific strength */
607 PRLDAPSessionInfo sei;
608 LDAPSSLSessionInfo *sseip;
609
610 memset( &sei, 0, sizeof( sei ));
611 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
612 if ( prldap_get_session_info( ld, NULL, &sei ) == LDAP_SUCCESS )
613 {
614 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
615 sseip->lssei_ssl_strength = sslstrength;
616 } else {
617 rc = -1;
618 }
619 }
620 }
621
622 return( rc );
623 }
624
625 int
626 LDAP_CALL
627 ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
628 char *keypasswd, char *certnickname )
629 {
630 #ifndef LDAP_SSLIO_HOOKS
631 ldap_set_lderrno( ld, LDAP_LOCAL_ERROR, NULL, NULL );
632 return( -1 );
633 #else
634 struct ldap_x_ext_io_fns iofns;
635 LDAPSSLSessionInfo *ssip;
636 PRLDAPSessionInfo sei;
637
638 /*
639 * Check parameters
640 */
641 if ( certnickname == NULL || keypasswd == NULL ) {
642 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
643 return( -1 );
644 }
645
646 /*
647 * Update session info. data structure.
648 */
649 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
650 if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
651 return( -1 );
652 }
653 ssip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
654 if ( NULL == ssip ) {
655 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
656 return( -1 );
657 }
658 ssip->lssei_certnickname = PL_strdup( certnickname );
659 ssip->lssei_keypasswd = PL_strdup( keypasswd );
660
661 if ( NULL == ssip->lssei_certnickname || NULL == ssip->lssei_keypasswd ) {
662 ldap_set_lderrno( ld, LDAP_NO_MEMORY, NULL, NULL );
663 return( -1 );
664 }
665
666 if ( check_clientauth_nicknames_and_passwd( ld, ssip ) != 0 ) {
667 return( -1 );
668 }
669
670 /*
671 * replace standard SSL CONNECT function with client auth aware one
672 */
673 memset( &iofns, 0, sizeof(iofns));
674 iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
675 if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
676 != 0 ) {
677 return( -1 );
678 }
679
680 if ( iofns.lextiof_connect != ldapssl_connect ) {
681 /* standard SSL setup has not done */
682 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, NULL );
683 return( -1 );
684 }
685
686 iofns.lextiof_connect = ldapssl_clientauth_connect;
687
688 if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
689 != 0 ) {
690 return( -1 );
691 }
692
693 return( 0 );
694 #endif
695 }
696
697
698 static void
699 ldapssl_free_session_info( LDAPSSLSessionInfo **ssipp )
700 {
701 if ( NULL != ssipp && NULL != *ssipp ) {
702 if ( NULL != (*ssipp)->lssei_certnickname ) {
703 PL_strfree( (*ssipp)->lssei_certnickname );
704 (*ssipp)->lssei_certnickname = NULL;
705 }
706 if ( NULL != (*ssipp)->lssei_keypasswd ) {
707 PL_strfree( (*ssipp)->lssei_keypasswd );
708 (*ssipp)->lssei_keypasswd = NULL;
709 }
710 PR_Free( *ssipp );
711 *ssipp = NULL;
712 }
713 }
714
715
716 static void
717 ldapssl_free_socket_info( LDAPSSLSocketInfo **soipp )
718 {
719 if ( NULL != soipp && NULL != *soipp ) {
720 PR_Free( *soipp );
721 *soipp = NULL;
722 }
723 }
724
725
726 /* this function provides cert authentication. This is called during
727 * the SSL_Handshake process. Once the cert has been retrieved from
728 * the server, the it is checked, using VerifyCertNow(), then
729 * the cn is checked against the host name, set with SSL_SetURL()
730 */
731
732 static int
733 ldapssl_AuthCertificate(void *sessionarg, PRFileDesc *fd, PRBool checkSig,
734 PRBool isServer)
735 {
736 SECStatus rv = SECFailure;
737 LDAPSSLSessionInfo *sseip;
738 CERTCertificate *cert;
739 SECCertUsage certUsage;
740 char *hostname = NULL;
741
742 if (!sessionarg || !socket)
743 return rv;
744
745 sseip = (LDAPSSLSessionInfo *)sessionarg;
746
747 if (LDAPSSL_AUTH_WEAK == sseip->lssei_ssl_strength ) { /* no check */
748 return SECSuccess;
749 }
750
751 if ( isServer ) {
752 certUsage = certUsageSSLClient;
753 } else {
754 certUsage = certUsageSSLServer;
755 }
756 cert = SSL_PeerCertificate( fd );
757
758 rv = CERT_VerifyCertNow(sseip->lssei_certdbh, cert, checkSig,
759 certUsage, NULL);
760
761 if ( rv != SECSuccess || isServer )
762 return rv;
763
764 if ( LDAPSSL_AUTH_CNCHECK == sseip->lssei_ssl_strength )
765 {
766 /* cert is OK. This is the client side of an SSL connection.
767 * Now check the name field in the cert against the desired hostname.
768 * NB: This is our only defense against Man-In-The-Middle (MITM)
769 * attacks!
770 */
771
772 hostname = SSL_RevealURL( fd );
773
774 if (hostname && hostname[0]) {
775 rv = CERT_VerifyCertName(cert, hostname);
776 } else {
777 rv = SECFailure;
778 }
779 if (hostname)
780 PORT_Free(hostname);
781 if (rv != SECSuccess)
782 PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
783 }
784
785 return((int)rv);
786 }
787
788
789 /*
790 * called during SSL client auth. when server wants our cert and key.
791 * return 0 if we succeeded and set *pRetCert and *pRetKey, -1 otherwise.
792 * if -1 is returned SSL will proceed without sending a cert.
793 */
794
795 static int
796 get_clientauth_data( void *sessionarg, PRFileDesc *prfd,
797 CERTDistNames *caNames, CERTCertificate **pRetCert,
798 SECKEYPrivateKey **pRetKey )
799
800 {
801 LDAPSSLSessionInfo *ssip;
802
803 if (( ssip = (LDAPSSLSessionInfo *)sessionarg ) == NULL ) {
804 return( -1 ); /* client auth. not enabled */
805 }
806
807 return( get_keyandcert( ssip, pRetCert, pRetKey, NULL ));
808 }
809
810 static int
811 get_keyandcert( LDAPSSLSessionInfo *ssip,
812 CERTCertificate **pRetCert, SECKEYPrivateKey **pRetKey,
813 char **errmsgp )
814 {
815 CERTCertificate *cert;
816 SECKEYPrivateKey *key;
817
818 if (( cert = PK11_FindCertFromNickname( ssip->lssei_certnickname, NULL ))
819 == NULL ) {
820 if ( errmsgp != NULL ) {
821 *errmsgp = dgettext(TEXT_DOMAIN, "unable to find certificate");
822 }
823 return( -1 );
824 }
825
826 {
827 PK11_SetPasswordFunc( get_keypassword );
828 }
829
830
831
832 if (( key = PK11_FindKeyByAnyCert( cert, (void *)ssip )) == NULL ) {
833 CERT_DestroyCertificate( cert );
834 if ( errmsgp != NULL ) {
835 *errmsgp = dgettext(TEXT_DOMAIN, "bad key or key password");
836 }
837 return( -1 );
838 }
839
840 *pRetCert = cert;
841 *pRetKey = key;
842 return( 0 );
843 }
844
845
846 /*
847 * This function returns the password to NSS.
848 * This function is enable through PK11_SetPasswordFunc
849 * only if pkcs functions are not being used.
850 */
851
852 static char *
853 get_keypassword( PK11SlotInfo *slot, PRBool retry, void *sessionarg )
854 {
855 LDAPSSLSessionInfo *ssip;
856
857 if ( retry)
858 return (NULL);
859
860 ssip = (LDAPSSLSessionInfo *)sessionarg;
861 if ( NULL == ssip ) {
862 return( NULL );
863 }
864
865 return( ssip->lssei_keypasswd );
866 }
867
868
869 /*
870 * performs some basic checks on clientauth cert and key/password
871 *
872 * XXXmcs: could perform additional checks... see servers/slapd/ssl.c
873 * 1) check expiration
874 * 2) check that public key in cert matches private key
875 * see ns/netsite/ldap/servers/slapd/ssl.c:slapd_ssl_init() for example code.
876 */
877 static int
878 check_clientauth_nicknames_and_passwd( LDAP *ld, LDAPSSLSessionInfo *ssip )
879 {
880 char *errmsg = NULL;
881 CERTCertificate *cert = NULL;
882 SECKEYPrivateKey *key = NULL;
883 int rv;
884
885 rv = get_keyandcert( ssip, &cert, &key, &errmsg );
886
887 if ( rv != 0 ) {
888 if ( errmsg != NULL ) {
889 errmsg = strdup( errmsg );
890 }
891 ldap_set_lderrno( ld, LDAP_PARAM_ERROR, NULL, errmsg );
892 return( -1 );
893 }
894
895 if ( cert != NULL ) {
896 CERT_DestroyCertificate( cert );
897 }
898 if ( key != NULL ) {
899 SECKEY_DestroyPrivateKey( key );
900 }
901 return( 0 );
902 }
903
904
905 #if 0 /* NOT_NEEDED_IN_LIBLDAP */
906 /* there are patches and kludges. this is both. force some linkers to
907 * link this stuff in
908 */
909 int stubs_o_stuff( void )
910 {
911 PRExplodedTime exploded;
912 PLArenaPool pool;
913
914 const char *name ="t";
915 PRUint32 size = 0, align = 0;
916
917 PR_ImplodeTime( &exploded );
918 PL_InitArenaPool( &pool, name, size, align);
919 PR_Cleanup();
920 PR_fprintf((PRFileDesc*)stderr, "Bad IDEA!!");
921
922 return 0;
923
924 }
925 #endif /* NOT_NEEDED_IN_LIBLDAP */
926
927
928 /*
929 * Import the file descriptor corresponding to the socket of an already
930 * open LDAP connection into SSL, and update the socket and session
931 * information accordingly.
932 */
933 int ldapssl_import_fd ( LDAP *ld, int secure )
934 {
935 PRLDAPSessionInfo sei;
936 PRLDAPSocketInfo soi;
937 LDAPSSLSocketInfo *ssoip = NULL;
938 LDAPSSLSessionInfo *sseip;
939 PRFileDesc *sslfd = NULL;
940
941
942 /*
943 * Retrieve session info. so we can store a pointer to our session info.
944 * in our socket info. later.
945 */
946 memset( &sei, 0, sizeof(sei));
947 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
948 if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
949 return( -1 );
950 }
951 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
952
953
954 /*
955 * Retrieve socket info. so we have the PRFileDesc.
956 */
957 memset( &soi, 0, sizeof(soi));
958 soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
959 if ( prldap_get_default_socket_info( ld, &soi ) != LDAP_SUCCESS ) {
960 return( -1 );
961 }
962
963 /*
964 * Allocate a structure to hold our socket-specific data.
965 */
966 if ( NULL == ( ssoip = PR_Calloc( 1, sizeof( LDAPSSLSocketInfo )))) {
967 goto reset_socket_and_exit_with_error;
968 }
969 ssoip->soi_sessioninfo = sseip;
970
971 /*
972 * Add SSL layer and let the standard NSPR to LDAP layer and enable SSL.
973 */
974 if (( sslfd = SSL_ImportFD( NULL, soi.soinfo_prfd )) == NULL ) {
975 goto reset_socket_and_exit_with_error;
976 }
977
978 if ( SSL_OptionSet( sslfd, SSL_SECURITY, secure ) != SECSuccess ||
979 SSL_OptionSet( sslfd, SSL_HANDSHAKE_AS_CLIENT, secure )
980 != SECSuccess || ( secure && SSL_ResetHandshake( sslfd,
981 PR_FALSE ) != SECSuccess )) {
982 goto reset_socket_and_exit_with_error;
983 }
984
985 /*
986 * Let the standard NSPR to LDAP layer know about the new socket and
987 * our own socket-specific data.
988 */
989 soi.soinfo_prfd = sslfd;
990 soi.soinfo_appdata = (void *)ssoip;
991 if ( prldap_set_default_socket_info( ld, &soi ) != LDAP_SUCCESS ) {
992 goto reset_socket_and_exit_with_error;
993 }
994
995 /*
996 * Install certificate hook function.
997 */
998 if ( SSL_AuthCertificateHook( soi.soinfo_prfd,
999 (SSLAuthCertificate)ldapssl_AuthCertificate,
1000 (void *)CERT_GetDefaultCertDB()) != 0 ) {
1001 goto reset_socket_and_exit_with_error;
1002 }
1003
1004 if ( SSL_GetClientAuthDataHook( soi.soinfo_prfd,
1005 get_clientauth_data, sseip->lssei_certnickname ? sseip : NULL )
1006 != 0 ) {
1007 goto reset_socket_and_exit_with_error;
1008 }
1009
1010 return 0;
1011
1012 reset_socket_and_exit_with_error:
1013 if ( NULL != sslfd ) {
1014 /*
1015 * "Unimport" the socket from SSL, i.e. get rid of the upper layer of
1016 * the file descriptor stack, which represents SSL.
1017 */
1018 soi.soinfo_prfd = sslfd;
1019 sslfd = PR_PopIOLayer( soi.soinfo_prfd, PR_TOP_IO_LAYER );
1020 sslfd->dtor( sslfd );
1021 }
1022 if ( NULL != ssoip ) {
1023 ldapssl_free_socket_info( &ssoip );
1024 soi.soinfo_appdata = NULL;
1025 }
1026 prldap_set_default_socket_info( ld, &soi );
1027
1028 return( -1 );
1029 }
1030
1031
1032 /*
1033 * Reset an LDAP session from SSL to a non-secure status.
1034 * Basically, this function undoes the work done by ldapssl_install_routines.
1035 */
1036 int ldapssl_reset_to_nonsecure ( LDAP *ld )
1037 {
1038 PRLDAPSessionInfo sei;
1039 LDAPSSLSessionInfo *sseip;
1040
1041 struct ldap_x_ext_io_fns iofns;
1042 int rc = 0;
1043
1044 /*
1045 * Retrieve session info.
1046 */
1047 memset( &sei, 0, sizeof(sei));
1048 sei.seinfo_size = PRLDAP_SESSIONINFO_SIZE;
1049 if ( prldap_get_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
1050 return( -1 );
1051 }
1052 sseip = (LDAPSSLSessionInfo *)sei.seinfo_appdata;
1053
1054 if ( sseip != NULL ) {
1055 /*
1056 * Reset the standard extended io functions.
1057 */
1058 memset( &iofns, 0, sizeof(iofns));
1059 iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE;
1060 if ( ldap_get_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
1061 < 0) {
1062 rc = -1;
1063 goto free_session_info;
1064 }
1065
1066 /* reset socket, connect, and ioctl */
1067 iofns.lextiof_connect = sseip->lssei_std_functions.lssf_connect_fn;
1068 iofns.lextiof_close = sseip->lssei_std_functions.lssf_close_fn;
1069 iofns.lextiof_disposehandle =
1070 sseip->lssei_std_functions.lssf_disposehdl_fn;
1071
1072 if ( ldap_set_option( ld, LDAP_X_OPT_EXTIO_FN_PTRS, (void *)&iofns )
1073 < 0) {
1074 rc = -1;
1075 goto free_session_info;
1076 }
1077
1078 free_session_info:
1079 ldapssl_free_session_info( &sseip );
1080 sei.seinfo_appdata = NULL;
1081 if ( prldap_set_session_info( ld, NULL, &sei ) != LDAP_SUCCESS ) {
1082 rc = -1;
1083 }
1084 } /* if ( sseip && *sseip ) */
1085
1086 if ( ldap_set_option( ld, LDAP_OPT_SSL, LDAP_OPT_OFF ) < 0 ) {
1087 return (-1);
1088 }
1089
1090 return rc;
1091 }
1092
1093
1094 #ifdef _SOLARIS_SDK
1095 static void
1096 _nss_initf_ipnodes(nss_db_params_t *p)
1097 {
1098 static char *no_service = "";
1099
1100 p->name = NSS_DBNAM_IPNODES;
1101 p->flags |= NSS_USE_DEFAULT_CONFIG;
1102 p->default_config = host_service == NULL ? no_service : host_service;
1103 }
1104
1105 static void
1106 _nss_initf_hosts(nss_db_params_t *p)
1107 {
1108 static char *no_service = "";
1109
1110 p->name = NSS_DBNAM_HOSTS;
1111 p->flags |= NSS_USE_DEFAULT_CONFIG;
1112 p->default_config = host_service == NULL ? no_service : host_service;
1113 }
1114
1115 static struct hostent *
1116 _switch_gethostbyaddr_r(const char *addr, int len, int type,
1117 struct hostent *result, char *buffer, int buflen,
1118 int *h_errnop)
1119 {
1120 nss_XbyY_args_t arg;
1121 nss_status_t res;
1122 int (*str2ent)();
1123 void (*nss_initf)();
1124 nss_db_root_t *nss_db_root;
1125
1126 if (AF_INET == type) {
1127 str2ent = str2hostent;
1128 nss_initf = _nss_initf_hosts;
1129 nss_db_root = &db_root_hosts;
1130 } else if (AF_INET6 == type) {
1131 str2ent = str2hostent6;
1132 nss_initf = _nss_initf_ipnodes;
1133 nss_db_root = &db_root_ipnodes;
1134 } else {
1135 return NULL;
1136 }
1137
1138 NSS_XbyY_INIT(&arg, result, buffer, buflen, str2ent);
1139
1140 arg.key.hostaddr.addr = addr;
1141 arg.key.hostaddr.len = len;
1142 arg.key.hostaddr.type = type;
1143 arg.stayopen = 0;
1144
1145 res = nss_search(nss_db_root, nss_initf,
1146 NSS_DBOP_HOSTS_BYADDR, &arg);
1147 arg.status = res;
1148 *h_errnop = arg.h_errno;
1149 return (struct hostent *)NSS_XbyY_FINI(&arg);
1150 }
1151
1152 /*
1153 * ns_gethostbyaddr is used to be a substitute gethostbyaddr for
1154 * libldap when ssl will need to determine the fully qualified
1155 * host name from an address when it is unsafe to use the normal
1156 * nameservice functions.
1157 *
1158 * Note that the ldap name service resolver calls this with the address as
1159 * a character string - which we must convert into address form.
1160 */
1161
1162 /*ARGSUSED*/
1163 static LDAPHostEnt *
1164 ns_gethostbyaddr(const char *addr, int len, int type,
1165 LDAPHostEnt *result, char *buffer, int buflen, int *statusp,
1166 void *extradata)
1167 {
1168 LDAPHostEnt *ldap_hent;
1169 int h_errno;
1170 struct hostent h_ent;
1171 struct hostent *h_e = NULL;
1172 struct in_addr a;
1173 struct in6_addr a6;
1174 int inet_error; /* error returned by inet_pton */
1175
1176
1177 if (addr == NULL || result == NULL || buffer == NULL ||
1178 (type != AF_INET && type != AF_INET6))
1179 return (NULL);
1180
1181
1182 (void) memset(&h_ent, 0, sizeof (h_ent));
1183
1184 if (AF_INET == type) {
1185 if (inet_pton(type, addr, &a.s_addr) == 1) {
1186 h_e = _switch_gethostbyaddr_r((char *)&a,
1187 sizeof (a.s_addr), type, &h_ent,
1188 buffer, buflen, &h_errno);
1189 }
1190 } else if (AF_INET6 == type) {
1191 if (inet_pton(type, addr, &a6.s6_addr) == 1) {
1192 h_e = _switch_gethostbyaddr_r((char *)&a6,
1193 sizeof (a6.s6_addr), type, &h_ent,
1194 buffer, buflen, &h_errno);
1195 }
1196 }
1197
1198 if (h_e == NULL) {
1199 ldap_hent = NULL;
1200 } else {
1201 (void) memset(result, 0, sizeof (LDAPHostEnt));
1202 ldap_hent = result;
1203 result->ldaphe_name = h_e->h_name;
1204 result->ldaphe_aliases = h_e->h_aliases;
1205 result->ldaphe_addrtype = h_e->h_addrtype;
1206 result->ldaphe_length = h_e->h_length;
1207 result->ldaphe_addr_list = h_e->h_addr_list;
1208 }
1209 return (ldap_hent);
1210 }
1211
1212 /*
1213 * ldapssl_install_gethostbyaddr attempts to prevent recursion in
1214 * gethostbyaddr calls when an ip address is given to ssl. This ip address
1215 * must be resolved to a host name.
1216 *
1217 * For example, libsldap cannot use LDAP to resolve this address to a
1218 * name because of recursion. The caller is instructing libldap to skip
1219 * the specified name service when resolving addresses for the specified
1220 * ldap connection.
1221 *
1222 * Currently only ldap and dns name services always return fully qualified
1223 * names. The other name services (files, nis, and nisplus) will returned
1224 * fully qualified names if the host names are stored as fully qualified names
1225 * in these name services.
1226 *
1227 * Note:
1228 *
1229 * Since host_service applies to all connections, calling
1230 * ldapssl_install_gethostbyaddr with different name services to
1231 * skip will lead to unpredictable results.
1232 *
1233 * Returns:
1234 * 0 if success
1235 * -1 if failure
1236 */
1237
1238 int
1239 ldapssl_install_gethostbyaddr(LDAP *ld, const char *skip)
1240 {
1241 enum __nsw_parse_err pserr;
1242 struct __nsw_switchconfig *conf;
1243 struct __nsw_lookup *lkp;
1244 struct ldap_dns_fns dns_fns;
1245 char *name_list = NULL;
1246 char *tmp;
1247 const char *name;
1248 int len;
1249 boolean_t got_skip = B_FALSE;
1250
1251 /*
1252 * db_root_hosts.lock mutex is used to ensure that the name list
1253 * is not in use by the name service switch while we are updating
1254 * the host_service
1255 */
1256
1257 (void) mutex_lock(&db_root_hosts.lock);
1258 conf = __nsw_getconfig("hosts", &pserr);
1259 if (conf == NULL) {
1260 (void) mutex_unlock(&db_root_hosts.lock);
1261 return (0);
1262 }
1263
1264 /* check for ldap and count other backends */
1265 for (lkp = conf->lookups; lkp != NULL; lkp = lkp->next) {
1266 name = lkp->service_name;
1267 if (strcmp(name, skip) == 0) {
1268 got_skip = B_TRUE;
1269 continue;
1270 }
1271 if (name_list == NULL)
1272 name_list = strdup(name);
1273 else {
1274 len = strlen(name_list);
1275 tmp = realloc(name_list, len + strlen(name) + 2);
1276 if (tmp == NULL) {
1277 free(name_list);
1278 name_list = NULL;
1279 } else {
1280 name_list = tmp;
1281 name_list[len++] = ' ';
1282 (void) strcpy(name_list+len, name);
1283 }
1284 }
1285 if (name_list == NULL) { /* alloc error */
1286 (void) mutex_unlock(&db_root_hosts.lock);
1287 __nsw_freeconfig(conf);
1288 return (-1);
1289 }
1290 }
1291 __nsw_freeconfig(conf);
1292 if (!got_skip) {
1293 /*
1294 * Since skip name service not used for hosts, we do not need
1295 * to install our private address resolution function
1296 */
1297 (void) mutex_unlock(&db_root_hosts.lock);
1298 free(name_list);
1299 return (0);
1300 }
1301 free(host_service);
1302 host_service = name_list;
1303 (void) mutex_unlock(&db_root_hosts.lock);
1304
1305 if (ldap_get_option(ld, LDAP_OPT_DNS_FN_PTRS, &dns_fns) != 0)
1306 return (-1);
1307 dns_fns.lddnsfn_gethostbyaddr = ns_gethostbyaddr;
1308 if (ldap_set_option(ld, LDAP_OPT_DNS_FN_PTRS, &dns_fns) != 0)
1309 return (-1);
1310 return (0);
1311 }
1312 #endif /* _SOLARIS_SDK */
1313 #endif /* NET_SSL */
unleashed repo fork