Another round of TLS updates to support secure referral chasing

include/ldap_pvt.h

@@ -168,23 +168,22 @@ LDAP_F( char * )
 ldap_pvt_str2lower LDAP_P(( char *str ));
 
 /* tls.c */
-LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
-LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld,
-	Sockbuf *sb, void *ctx_arg ));
-LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
-LDAP_F (void *) ldap_pvt_tls_sb_handle LDAP_P(( Sockbuf *sb ));
-LDAP_F (void *) ldap_pvt_tls_get_handle LDAP_P(( struct ldap *ld ));
-LDAP_F (char *) ldap_pvt_tls_get_peer LDAP_P(( void *handle ));
-LDAP_F (char *) ldap_pvt_tls_get_peer_dn LDAP_P(( void *handle ));
-LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *handle ));
-LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
-LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld,
-	Sockbuf *sb, void *ctx_arg ));
 LDAP_F (int) ldap_pvt_tls_get_option LDAP_P(( struct ldap *ld,
 	int option, void *arg ));
 LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld,
 	int option, void *arg ));
 
+LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
+LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
+LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
+LDAP_F (void *) ldap_pvt_tls_get_ctx LDAP_P(( Sockbuf *sb ));
+
+LDAP_F (int) ldap_pvt_tls_init_default_ctx LDAP_P(( void ));
+
+LDAP_F (char *) ldap_pvt_tls_get_peer LDAP_P(( void *ctx ));
+LDAP_F (char *) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx ));
+LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
+
 LDAP_END_DECL
 
 #include "ldap_pvt_uc.h"

libraries/libldap/ldap-int.h

@@ -553,6 +553,9 @@ LDAP_F (int) ldap_int_sasl_bind LDAP_P((
 LDAP_F (int) ldap_int_tls_config LDAP_P(( LDAP *ld,
 	int option, const char *arg ));
 
+LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
+	LDAPConn *conn ));
+
 LDAP_END_DECL
 
 #endif /* _LDAP_INT_H */

libraries/libldap/open.c

@@ -331,14 +331,10 @@ ldap_int_open_connection(
 	if (ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ||
 		strcmp( srv->lud_scheme, "ldaps" ) == 0 )
 	{
-		LDAPConn	*savedefconn = ld->ld_defconn;
 		++conn->lconn_refcnt;	/* avoid premature free */
-		ld->ld_defconn = conn;
 
-		rc = ldap_pvt_tls_start( ld, conn->lconn_sb,
-			conn->lconn_tls_ctx );
+		rc = ldap_int_tls_start( ld, conn );
 
-		ld->ld_defconn = savedefconn;
 		--conn->lconn_refcnt;
 
 		if (rc != LDAP_SUCCESS) {

libraries/libldap/options.c

@@ -585,7 +585,7 @@ ldap_set_option(
 
 	default:
 #ifdef HAVE_TLS
-		if ( ldap_pvt_tls_set_option( lo, option, (void	*)invalue ) == 0 )
+		if ( ldap_pvt_tls_set_option( ld, option, (void *)invalue ) == 0 )
 	     	return LDAP_OPT_SUCCESS;
 #endif
 #ifdef HAVE_CYRUS_SASL

libraries/libldap/tls.c

@@ -553,16 +553,19 @@ BIO_METHOD ldap_pvt_sb_bio_method =
  *		and call again.
  */
 
-int
-ldap_pvt_tls_connect( LDAP *ld, Sockbuf *sb, void *ctx_arg )
+static int
+ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 {
+	Sockbuf *sb = conn->lconn_sb;
+	void *ctx = ld->ld_defconn->lconn_tls_ctx;
+
 	int	err;
 	SSL	*ssl;
 
 	if ( HAS_TLS( sb ) ) {
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
 	} else {
-		ssl = alloc_handle( ctx_arg );
+		ssl = alloc_handle( ctx );
 		if ( ssl == NULL )
 			return -1;
 #ifdef LDAP_DEBUG
@@ -652,7 +655,7 @@ ldap_pvt_tls_inplace ( Sockbuf *sb )
 }
 
 void *
-ldap_pvt_tls_sb_handle( Sockbuf *sb )
+ldap_pvt_tls_sb_ctx( Sockbuf *sb )
 {
 	void			*p;
 	
@@ -664,12 +667,6 @@ ldap_pvt_tls_sb_handle( Sockbuf *sb )
 	return NULL;
 }
 
-void *
-ldap_pvt_tls_get_handle( LDAP *ld )
-{
-	return ldap_pvt_tls_sb_handle( ld->ld_sb );
-}
-
 int
 ldap_pvt_tls_get_strength( void *s )
 {
@@ -952,9 +949,12 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 }
 
 int
-ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
+ldap_int_tls_start ( LDAP *ld, LDAPConn *conn )
 {
-	char *ld_host = ld->ld_conns->lconn_server->lud_host;
+	Sockbuf *sb = conn->lconn_sb;
+	char *host = conn->lconn_server->lud_host;
+	void *ctx = ld->ld_defconn->lconn_tls_ctx;
+
 	char *peer_cert_cn;
 	void *ssl;
 
@@ -963,11 +963,11 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 	/*
 	 * Fortunately, the lib uses blocking io...
 	 */
-	if ( ldap_pvt_tls_connect( ld, sb, ctx_arg ) < 0 ) {
+	if ( ldap_int_tls_connect( ld, conn ) < 0 ) {
 		return LDAP_CONNECT_ERROR;
 	}
 
-	ssl = (void *) ldap_pvt_tls_sb_handle( sb );
+	ssl = (void *) ldap_pvt_tls_sb_ctx( sb );
 	assert( ssl != NULL );
 
 	/* 
@@ -983,10 +983,10 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 		return LDAP_LOCAL_ERROR;
 	}
 
-	if ( strcasecmp( ld_host, peer_cert_cn ) != 0 ) {
+	if ( strcasecmp( host, peer_cert_cn ) != 0 ) {
 		Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
 			"common name in certificate (%s).\n", 
-			ld_host, peer_cert_cn, 0 );
+			host, peer_cert_cn, 0 );
 		LDAP_FREE( peer_cert_cn );
 		return LDAP_CONNECT_ERROR;
 	}
@@ -1181,8 +1181,9 @@ ldap_start_tls_s ( LDAP *ld,
 	LDAPControl **serverctrls,
 	LDAPControl **clientctrls )
 {
-#ifdef HAVE_TLS
 	int rc;
+
+#ifdef HAVE_TLS
 	char *rspoid = NULL;
 	struct berval *rspdata = NULL;
 
@@ -1206,12 +1207,10 @@ ldap_start_tls_s ( LDAP *ld,
 		ber_bvfree( rspdata );
 	}
 
-	rc = ldap_pvt_tls_start( ld, ld->ld_sb,
-		ld->ld_defconn->lconn_tls_ctx );
-
-	return rc;
+	rc = ldap_int_tls_start( ld, ld->ld_defconn );
 #else
-	return LDAP_NOT_SUPPORTED;
+	rc = LDAP_NOT_SUPPORTED;
 #endif
+	return rc;
 }
 

servers/slapd/connection.c

@@ -1064,7 +1064,7 @@ int connection_read(ber_socket_t s)
 			c->c_needs_tls_accept = 0;
 
 			/* we need to let SASL know */
-			ssl = (void *)ldap_pvt_tls_sb_handle( c->c_sb );
+			ssl = (void *)ldap_pvt_tls_sb_ctx( c->c_sb );
 
 			c->c_tls_ssf = (slap_ssf_t) ldap_pvt_tls_get_strength( ssl );
 			if( c->c_tls_ssf > c->c_ssf ) {