move TLS ctx to lconn struct in prep for supporting TLS with referrals

need to rework cert check to use per lconn host name

include/ldap.h

@@ -113,16 +113,16 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_URI				0x5006
 
 /* OpenLDAP TLS options */
-#define LDAP_OPT_X_TLS_CACERTFILE	0x6001
-#define LDAP_OPT_X_TLS_CACERTDIR	0x6002
-#define LDAP_OPT_X_TLS_CERT		0x6003
+#define LDAP_OPT_X_TLS				0x6000
+#define LDAP_OPT_X_TLS_CTX			0x6001	/* SSL CTX */
+#define LDAP_OPT_X_TLS_CACERTFILE	0x6002
+#define LDAP_OPT_X_TLS_CACERTDIR	0x6003
 #define LDAP_OPT_X_TLS_CERTFILE		0x6004
 #define LDAP_OPT_X_TLS_KEYFILE		0x6005
 #define LDAP_OPT_X_TLS_REQUIRE_CERT	0x6006
-#define LDAP_OPT_X_TLS			0x6007
-#define LDAP_OPT_X_TLS_PROTOCOL		0x6008
-#define LDAP_OPT_X_TLS_CIPHER_SUITE	0x6009
-#define LDAP_OPT_X_TLS_RANDOM_FILE	0x600a
+#define LDAP_OPT_X_TLS_PROTOCOL		0x6007
+#define LDAP_OPT_X_TLS_CIPHER_SUITE	0x6008
+#define LDAP_OPT_X_TLS_RANDOM_FILE	0x6009
 
 #define LDAP_OPT_X_TLS_NEVER		0
 #define LDAP_OPT_X_TLS_HARD		1

include/ldap_pvt.h

@@ -149,6 +149,7 @@ LDAP_F (int) ldap_pvt_sasl_install LDAP_P(( struct sockbuf *, void * ));
 #define LDAP_PVT_SASL_LOCAL_SSF	71	/* SSF for Unix Domain Sockets */
 
 struct ldap;
+
 LDAP_F (int) ldap_open_internal_connection LDAP_P((
 	struct ldap **ldp, ber_socket_t *fdp ));
 
@@ -167,11 +168,9 @@ LDAP_F( char * )
 ldap_pvt_str2lower LDAP_P(( char *str ));
 
 /* tls.c */
-struct ldapoptions;
-struct ldap;
-
 LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
-LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld, Sockbuf *sb, void *ctx_arg ));
+LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld,
+	Sockbuf *sb, void *ctx_arg ));
 LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
 LDAP_F (void *) ldap_pvt_tls_sb_handle LDAP_P(( Sockbuf *sb ));
 LDAP_F (void *) ldap_pvt_tls_get_handle LDAP_P(( struct ldap *ld ));
@@ -179,10 +178,12 @@ LDAP_F (char *) ldap_pvt_tls_get_peer LDAP_P(( void *handle ));
 LDAP_F (char *) ldap_pvt_tls_get_peer_dn LDAP_P(( void *handle ));
 LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *handle ));
 LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
-LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld, Sockbuf *sb, void *ctx_arg ));
-
-LDAP_F (int) ldap_pvt_tls_get_option LDAP_P(( struct ldapoptions *lo, int option, void *arg ));
-LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldapoptions *lo, int option, void *arg ));
+LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld,
+	Sockbuf *sb, void *ctx_arg ));
+LDAP_F (int) ldap_pvt_tls_get_option LDAP_P(( struct ldap *ld,
+	int option, void *arg ));
+LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld,
+	int option, void *arg ));
 
 LDAP_END_DECL
 

libraries/libldap/cyrus.c

@@ -425,7 +425,7 @@ ldap_int_sasl_open(
 		return ld->ld_errno;
 	}
 
-	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: %s\n",
+	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_open: host=%s\n",
 		host, 0, 0 );
 
 	lc->lconn_sasl_ctx = ctx;

libraries/libldap/init.c

@@ -419,12 +419,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
 		SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS;
 #endif
 
-#ifdef HAVE_TLS
-   	gopts->ldo_tls_ctx = NULL;
-#endif
-
 	gopts->ldo_valid = LDAP_INITIALIZED;
-
    	return;
 }
 

libraries/libldap/ldap-int.h

@@ -125,6 +125,10 @@ struct ldapoptions {
 	ber_int_t		ldo_timelimit;
 	ber_int_t		ldo_sizelimit;
 
+#ifdef HAVE_TLS
+   	int			ldo_tls_mode;
+#endif
+
 	LDAPURLDesc *ldo_defludp;
 	int		ldo_defport;
 	char*	ldo_defbase;
@@ -150,32 +154,22 @@ struct ldapoptions {
 	LDAP_REBIND_PROC *ldo_rebind_proc;
 	void *ldo_rebind_params;
 
-#ifdef HAVE_TLS
-   	/* tls context */
-   	void		*ldo_tls_ctx;
-   	int		ldo_tls_mode;
-#endif
 	LDAP_BOOLEANS ldo_booleans;	/* boolean options */
 };
 
 
-/*
- * structure for tracking LDAP server host, ports, DNs, etc.
- */
-typedef struct ldap_server {
-	char			*lsrv_host;
-	char			*lsrv_dn;	/* if NULL, use default */
-	int			lsrv_port;
-	struct ldap_server	*lsrv_next;
-} LDAPServer;
-
-
 /*
  * structure for representing an LDAP server connection
  */
 typedef struct ldap_conn {
 	Sockbuf		*lconn_sb;
+#ifdef HAVE_TLS
+   	/* tls context */
+   	void		*lconn_tls_ctx;
+#endif
+#ifdef HAVE_CYRUS_SASL
 	void		*lconn_sasl_ctx;
+#endif
 	int			lconn_refcnt;
 	time_t		lconn_lastused;	/* time */
 	int			lconn_rebind_inprogress;	/* set if rebind in progress */
@@ -188,8 +182,9 @@ typedef struct ldap_conn {
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
 	char			*lconn_krbinstance;
 #endif
+	BerElement		*lconn_ber;	/* ber receiving on this conn. */
+
 	struct ldap_conn	*lconn_next;
-	BerElement		*lconn_ber;/* ber receiving on this conn. */
 } LDAPConn;
 
 
@@ -274,9 +269,6 @@ struct ldap {
 
 #define ld_version		ld_options.ldo_version
 
-	char	*ld_host;
-	int		ld_port;
-
 	unsigned short	ld_lberoptions;
 
 	ber_int_t	ld_errno;
@@ -410,10 +402,11 @@ LDAP_F (int) ldap_connect_to_host( LDAP *ld, Sockbuf *sb,
 	int proto, const char *host, unsigned long address, int port,
 	int async );
 
-#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) || defined(HAVE_TLS) || defined(HAVE_CYRUS_SASL)
+#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) || \
+	defined(HAVE_TLS) || defined(HAVE_CYRUS_SASL)
 LDAP_V (char *) ldap_int_hostname;
 LDAP_F (char *) ldap_host_connected_to( Sockbuf *sb );
-#endif /* LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND */
+#endif
 
 LDAP_F (void) ldap_int_ip_init( void );
 LDAP_F (int) do_ldap_select( LDAP *ld, struct timeval *timeout );
@@ -543,7 +536,7 @@ LDAP_F (int) ldap_int_sasl_config LDAP_P(( struct ldapoptions *lo,
 	int option, const char *arg ));
 
 LDAP_F (int) ldap_int_sasl_bind LDAP_P((
-	struct ldap *ld,
+	LDAP *ld,
 	const char *,
 	const char *,
 	LDAPControl **, LDAPControl **,
@@ -557,7 +550,8 @@ LDAP_F (int) ldap_int_sasl_bind LDAP_P((
 /*
  * in tls.c
  */
-LDAP_F (int) ldap_int_tls_config LDAP_P(( struct ldapoptions *lo, int option, const char *arg ));
+LDAP_F (int) ldap_int_tls_config LDAP_P(( LDAP *ld,
+	int option, const char *arg ));
 
 LDAP_END_DECL
 

libraries/libldap/open.c

@@ -54,9 +54,11 @@ ldap_open( LDAP_CONST char *host, int port )
 	int rc;
 	LDAP		*ld;
 
-	Debug( LDAP_DEBUG_TRACE, "ldap_open\n", 0, 0, 0 );
+	Debug( LDAP_DEBUG_TRACE, "ldap_open(%s, %d)\n",
+		host, port, 0 );
 
-	if (( ld = ldap_init( host, port )) == NULL ) {
+	ld = ldap_init( host, port );
+	if ( ld == NULL ) {
 		return( NULL );
 	}
 
@@ -64,13 +66,13 @@ ldap_open( LDAP_CONST char *host, int port )
 
 	if( rc < 0 ) {
 		ldap_ld_free( ld, 0, NULL, NULL );
-		return( NULL );
+		ld = NULL;
 	}
 
-	Debug( LDAP_DEBUG_TRACE, "ldap_open successful, ld_host is %s\n",
-		( ld->ld_host == NULL ) ? "(null)" : ld->ld_host, 0, 0 );
+	Debug( LDAP_DEBUG_TRACE, "ldap_open: %s\n",
+		ld == NULL ? "succeeded" : "failed", 0, 0 );
 
-	return( ld );
+	return ld;
 }
 
 
@@ -334,7 +336,7 @@ ldap_int_open_connection(
 		ld->ld_defconn = conn;
 
 		rc = ldap_pvt_tls_start( ld, conn->lconn_sb,
-			ld->ld_options.ldo_tls_ctx );
+			conn->lconn_tls_ctx );
 
 		ld->ld_defconn = savedefconn;
 		--conn->lconn_refcnt;

libraries/libldap/options.c

@@ -282,12 +282,14 @@ ldap_get_option(
 
 	default:
 #ifdef HAVE_TLS
-	   	if ( ldap_pvt_tls_get_option((struct ldapoptions *)lo, option, outvalue ) == 0 )
-	     		return LDAP_OPT_SUCCESS;
+		if ( ldap_pvt_tls_get_option( ld, option, outvalue ) == 0 ) {
+			return LDAP_OPT_SUCCESS;
+		}
 #endif
 #ifdef HAVE_CYRUS_SASL
-	   	if ( ldap_int_sasl_get_option(ld, option, outvalue ) == 0 )
-	     		return LDAP_OPT_SUCCESS;
+		if ( ldap_int_sasl_get_option( ld, option, outvalue ) == 0 ) {
+			return LDAP_OPT_SUCCESS;
+		}
 #endif
 		/* bad param */
 		break;

libraries/libldap/os-ip.c

@@ -294,7 +294,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
 	struct hostent		*hp = NULL;
 	char   			*ha_buf=NULL, *p, *q;
 
-	osip_debug(ld, "ldap_connect_to_host\n",0,0,0);
+	osip_debug(ld, "ldap_connect_to_host: %s\n",host,0,0);
 	
 	if (host != NULL) {
 #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )

libraries/libldap/request.c

@@ -95,8 +95,8 @@ ldap_send_initial_request(
 		}
 
 		Debug( LDAP_DEBUG_TRACE,
-			"ldap_delayed_open successful, ld_host is %s\n",
-			( ld->ld_host == NULL ) ? "(null)" : ld->ld_host, 0, 0 );
+			"ldap_open_defconn: successful\n",
+			0, 0, 0 );
 	}
 
 	{

libraries/libldap/tls.c

@@ -767,7 +767,7 @@ ldap_pvt_tls_get_peer_issuer( void *s )
 }
 
 int
-ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
+ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 {
 	int i;
 
@@ -778,11 +778,13 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
 	case LDAP_OPT_X_TLS_KEYFILE:
 	case LDAP_OPT_X_TLS_RANDOM_FILE:
 		return ldap_pvt_tls_set_option( NULL, option, (void *) arg );
+
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		i = ( ( strcasecmp( arg, "on" ) == 0 ) ||
 		      ( strcasecmp( arg, "yes" ) == 0) ||
 		      ( strcasecmp( arg, "true" ) == 0 ) );
 		return ldap_pvt_tls_set_option( NULL, option, (void *) &i );
+
 	case LDAP_OPT_X_TLS:
 		i = -1;
 		if ( strcasecmp( arg, "never" ) == 0 )
@@ -795,8 +797,10 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
 			i = LDAP_OPT_X_TLS_TRY ;
 		if ( strcasecmp( arg, "hard" ) == 0 )
 			i = LDAP_OPT_X_TLS_HARD ;
-		if (i >= 0)
-			return ldap_pvt_tls_set_option( lo, option, &i );
+
+		if (i >= 0) {
+			return ldap_pvt_tls_set_option( ld, option, &i );
+		}
 		return -1;
 	}
 
@@ -804,17 +808,35 @@ ldap_int_tls_config( struct ldapoptions *lo, int option, const char *arg )
 }
 
 int
-ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg )
+ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 {
+	struct ldapoptions *lo;
+
+	/* Get pointer to global option structure */
+	lo = LDAP_INT_GLOBAL_OPT();   
+	if (NULL == lo)	{
+		return LDAP_NO_MEMORY;
+	}
+
+	if(ld != NULL) {
+		assert( LDAP_VALID( ld ) );
+
+		if( !LDAP_VALID( ld ) ) {
+			return LDAP_OPT_ERROR;
+		}
+
+		lo = &ld->ld_options;
+	}
+
 	switch( option ) {
 	case LDAP_OPT_X_TLS:
 		*(int *)arg = lo->ldo_tls_mode;
 		break;
-	case LDAP_OPT_X_TLS_CERT:
-		if ( lo == NULL )
+	case LDAP_OPT_X_TLS_CTX:
+		if ( ld == NULL )
 			*(void **)arg = (void *) tls_def_ctx;
 		else
-			*(void **)arg = lo->ldo_tls_ctx;
+			*(void **)arg = ld->ld_defconn->lconn_tls_ctx;
 		break;
 	case LDAP_OPT_X_TLS_CACERTFILE:
 		*(char **)arg = tls_opt_cacertfile ?
@@ -845,8 +867,26 @@ ldap_pvt_tls_get_option( struct ldapoptions *lo, int option, void *arg )
 }
 
 int
-ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
+ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 {
+	struct ldapoptions *lo;
+
+	/* Get pointer to global option structure */
+	lo = LDAP_INT_GLOBAL_OPT();   
+	if (NULL == lo)	{
+		return LDAP_NO_MEMORY;
+	}
+
+	if(ld != NULL) {
+		assert( LDAP_VALID( ld ) );
+
+		if( !LDAP_VALID( ld ) ) {
+			return LDAP_OPT_ERROR;
+		}
+
+		lo = &ld->ld_options;
+	}
+
 	switch( option ) {
 	case LDAP_OPT_X_TLS:
 		switch( *(int *) arg ) {
@@ -863,12 +903,12 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 		}
 		return -1;
 
-	case LDAP_OPT_X_TLS_CERT:
-		if ( lo == NULL ) {
+	case LDAP_OPT_X_TLS_CTX:
+		if ( ld == NULL ) {
 			tls_def_ctx = (SSL_CTX *) arg;
 
 		} else {
-			lo->ldo_tls_ctx = arg;
+			ld->ld_defconn->lconn_tls_ctx = arg;
 		}
 		return 0;
 	}
@@ -914,7 +954,9 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 int
 ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 {
+#if 0
 	char *peer_cert_cn;
+#endif
 	void *ssl;
 
 	(void) ldap_pvt_tls_init();
@@ -929,8 +971,9 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 	ssl = (void *) ldap_pvt_tls_sb_handle( sb );
 	assert( ssl != NULL );
 
+#if 0
 	/* 
-	 * compare ld->ld_host with name in certificate 
+	 * compare host with name in certificate 
 	 */
 
 	peer_cert_cn = ldap_pvt_tls_get_peer_hostname( ssl );
@@ -942,7 +985,7 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 		return LDAP_LOCAL_ERROR;
 	}
 
-	if ( strcasecmp(ld->ld_host, peer_cert_cn) != 0 ) {
+	if ( strcasecmp( ld->ld_host, peer_cert_cn ) != 0 ) {
 		Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
 			"common name in certificate (%s).\n", 
 			ld->ld_host, peer_cert_cn, 0 );
@@ -951,6 +994,7 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg )
 	}
 
 	LDAP_FREE( peer_cert_cn );
+#endif
 
 	/*
 	 * set SASL properties to TLS ssf and authid
@@ -1145,7 +1189,7 @@ ldap_start_tls_s ( LDAP *ld,
 	char *rspoid = NULL;
 	struct berval *rspdata = NULL;
 
-	/* XXYYZ: this initiates operaton only on default connection! */
+	/* XXYYZ: this initiates operation only on default connection! */
 
 	if ( ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
 		return LDAP_LOCAL_ERROR;
@@ -1165,7 +1209,9 @@ ldap_start_tls_s ( LDAP *ld,
 		ber_bvfree( rspdata );
 	}
 
-	rc = ldap_pvt_tls_start( ld, ld->ld_sb, ld->ld_options.ldo_tls_ctx );
+	rc = ldap_pvt_tls_start( ld, ld->ld_sb,
+		ld->ld_defconn->lconn_tls_ctx );
+
 	return rc;
 #else
 	return LDAP_NOT_SUPPORTED;

libraries/libldap/unbind.c

@@ -99,11 +99,6 @@ ldap_ld_free(
 		ld->ld_matched = NULL;
 	}
 
-	if ( ld->ld_host != NULL ) {
-		LDAP_FREE( ld->ld_host );
-		ld->ld_host = NULL;
-	}
-
 	if ( ld->ld_abandoned != NULL ) {
 		LDAP_FREE( ld->ld_abandoned );
 		ld->ld_abandoned = NULL;

servers/slapd/starttls.c

@@ -75,7 +75,7 @@ starttls_extop (
 	}
 
 	/* fail if TLS could not be initialized */
-	if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
+	if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
 		|| ctx == NULL)
 	{
 		if (default_referral != NULL) {