/*
* Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
*/
/*
* The contents of this file are subject to the Netscape Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/NPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is Mozilla Communicator client code, released
* March 31, 1998.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 1998-1999 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
*/
/*
* clientinit.c
*/
#if defined(NET_SSL)
#if defined( _WINDOWS )
#include <windows.h>
#include "proto-ntutil.h"
#endif
#include <nspr.h>
#include <plstr.h>
#include <synch.h>
#include <cert.h>
#include <key.h>
#include <ssl.h>
#include <sslproto.h>
#include <ldap.h>
#include <ldappr.h>
#include <solaris-int.h>
#include <nss.h>
/* XXX:mhein The following is a workaround for the redefinition of */
/* const problem on OSF. Fix to be provided by NSS */
/* This is a pretty benign workaround for us which */
/* should not cause problems in the future even if */
/* we forget to take it out :-) */
#ifdef OSF1V4D
#ifndef __STDC__
# define __STDC__
#endif /* __STDC__ */
#endif /* OSF1V4D */
#ifndef FILE_PATHSEP
#define FILE_PATHSEP '/'
#endif
/*
* StartTls()
*/
#define START_TLS_OID "1.3.6.1.4.1.1466.20037"
static PRStatus local_SSLPLCY_Install(void);
/*
* This little tricky guy keeps us from initializing twice
*/
static int inited = 0;
#ifdef _SOLARIS_SDK
mutex_t inited_mutex = DEFAULTMUTEX;
#else
static mutex_t inited_mutex = DEFAULTMUTEX;
#endif /* _SOLARIS_SDK */
#if 0 /* UNNEEDED BY LIBLDAP */
static char tokDes[34] = "Internal (Software) Database ";
static char ptokDes[34] = "Internal (Software) Token ";
#endif /* UNNEEDED BY LIBLDAP */
/* IN: */
/* string: /u/mhein/.netscape/mykey3.db */
/* OUT: */
/* dir: /u/mhein/.netscape/ */
/* prefix: my */
/* key: key3.db */
static int
splitpath(char *string, char *dir, char *prefix, char *key) {
char *k;
char *s;
char *d = string;
char *l;
int len = 0;
if (string == NULL)
return (-1);
/* goto the end of the string, and walk backwards until */
/* you get to the first pathseparator */
len = PL_strlen(string);
l = string + len - 1;
while (l != string && *l != '/' && *l != '\\')
l--;
/* search for the .db */
if ((k = PL_strstr(l, ".db")) != NULL) {
/* now we are sitting on . of .db */
/* move backward to the first 'c' or 'k' */
/* indicating cert or key */
while (k != l && *k != 'c' && *k != 'k')
k--;
/* move backwards to the first path separator */
if (k != d && k > d)
s = k - 1;
while (s != d && *s != '/' && *s != '\\')
s--;
/* if we are sitting on top of a path */
/* separator there is no prefix */
if (s + 1 == k) {
/* we know there is no prefix */
prefix = '\0';
PL_strcpy(key, k);
*k = '\0';
PL_strcpy(dir, d);
} else {
/* grab the prefix */
PL_strcpy(key, k);
*k = '\0';
PL_strcpy(prefix, ++s);
*s = '\0';
PL_strcpy(dir, d);
}
} else {
/* neither *key[0-9].db nor *cert[0=9].db found */
return (-1);
}
return (0);
}
static PRStatus local_SSLPLCY_Install(void)
{
SECStatus s;
#ifdef NS_DOMESTIC
s = NSS_SetDomesticPolicy();
#elif NS_EXPORT
s = NSS_SetExportPolicy();
#else
s = PR_FAILURE;
#endif
return s?PR_FAILURE:PR_SUCCESS;
}
static void
ldapssl_basic_init( void )
{
#ifndef _SOLARIS_SDK
/*
* NSPR is initialized in .init on SOLARIS
*/
/* PR_Init() must to be called before everything else... */
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
#endif
PR_SetConcurrency( 4 ); /* work around for NSPR 3.x I/O hangs */
}
/*
* Cover functions for malloc(), calloc(), strdup() and free() that are
* compatible with the NSS libraries (they seem to use the C runtime
* library malloc/free so these functions are quite simple right now).
*/
static void *
ldapssl_malloc( size_t size )
{
void *p;
p = malloc( size );
return p;
}
static void *
ldapssl_calloc( int nelem, size_t elsize )
{
void *p;
p = calloc( nelem, elsize );
return p;
}
static char *
ldapssl_strdup( const char *s )
{
char *scopy;
if ( NULL == s ) {
scopy = NULL;
} else {
scopy = strdup( s );
}
return scopy;
}
static void
ldapssl_free( void **pp )
{
if ( NULL != pp && NULL != *pp ) {
free( (void *)*pp );
*pp = NULL;
}
}
#ifdef _SOLARIS_SDK
/*
* Disable strict fork detection of NSS library to allow safe fork of
* consumers. Otherwise NSS will not work after fork because it was not
* deinitialized before fork and there is no safe way how to do it after fork.
*
* Return values:
* 1 - DISABLED was already set, no modification to environment
* 0 - successfully modified environment, old value saved to enval if there
* was some
* -1 - setenv or strdup failed, the environment was left unchanged
*
*/
static int
update_nss_strict_fork_env(char **enval)
{
char *temps = getenv("NSS_STRICT_NOFORK");
if (temps == NULL) {
*enval = NULL;
} else if (strncmp(temps, "DISABLED", 9) == 0) {
/* Do not need to set as DISABLED, it is already set. */
*enval = NULL;
return (1);
} else {
if ((*enval = ldapssl_strdup(temps)) == NULL)
return (-1);
}
return (setenv("NSS_STRICT_NOFORK", "DISABLED", 1));
}
/*
* Reset environment variable NSS_STRICT_NOFORK to value before
* update_nss_strict_fork_env() call or remove it from environment if it did
* not exist.
* NSS_STRICT_NOFORK=DISABLED is needed only during NSS initialization to
* disable activation of atfork handler in NSS which is invalidating
* initialization in child process after fork.
*/
static int
reset_nss_strict_fork_env(char *enval)
{
if (enval != NULL) {
return (setenv("NSS_STRICT_NOFORK", enval, 1));
} else {
return (unsetenv("NSS_STRICT_NOFORK"));
}
}
#endif
static char *
buildDBName(const char *basename, const char *dbname)
{
char *result;
PRUint32 len, pathlen, addslash;
if (basename)
{
if (( len = PL_strlen( basename )) > 3
&& PL_strcasecmp( ".db", basename + len - 3 ) == 0 ) {
return (ldapssl_strdup(basename));
}
pathlen = len;
len = pathlen + PL_strlen(dbname) + 1;
addslash = ( pathlen > 0 &&
(( *(basename + pathlen - 1) != FILE_PATHSEP ) ||
( *(basename + pathlen - 1) != '\\' )));
if ( addslash ) {
++len;
}
if (( result = ldapssl_malloc( len )) != NULL ) {
PL_strcpy( result, basename );
if ( addslash ) {
*(result+pathlen) = FILE_PATHSEP; /* replaces '\0' */
++pathlen;
}
PL_strcpy(result+pathlen, dbname);
}
}
return result;
}
char *
GetCertDBName(void *alias, int dbVersion)
{
char *source;
char dbname[128];
source = (char *)alias;
if (!source)
{
source = "";
}
sprintf(dbname, "cert%d.db",dbVersion);
return(buildDBName(source, dbname));
}
/*
* return database name by appending "dbname" to "path".
* this code doesn't need to be terribly efficient (not called often).
*/
/* XXXceb this is the old function. To be removed eventually */
static char *
GetDBName(const char *dbname, const char *path)
{
char *result;
PRUint32 len, pathlen;
int addslash;
if ( dbname == NULL ) {
dbname = "";
}
if ((path == NULL) || (*path == 0)) {
result = ldapssl_strdup(dbname);
} else {
pathlen = PL_strlen(path);
len = pathlen + PL_strlen(dbname) + 1;
addslash = ( path[pathlen - 1] != '/' );
if ( addslash ) {
++len;
}
if (( result = ldapssl_malloc( len )) != NULL ) {
PL_strcpy( result, path );
if ( addslash ) {
*(result+pathlen) = '/'; /* replaces '\0' */
++pathlen;
}
PL_strcpy(result+pathlen, dbname);
}
}
return result;
}
/*
* Initialize ns/security so it can be used for SSL client authentication.
* It is safe to call this more than once.
*
* If needkeydb == 0, no key database is opened and SSL server authentication
* is supported but not client authentication.
*
* If "certdbpath" is NULL or "", the default cert. db is used (typically
* ~/.netscape/cert7.db).
*
* If "certdbpath" ends with ".db" (case-insensitive compare), then
* it is assumed to be a full path to the cert. db file; otherwise,
* it is assumed to be a directory that contains a file called
* "cert7.db" or "cert.db".
*
* If certdbhandle is non-NULL, it is assumed to be a pointer to a
* SECCertDBHandle structure. It is fine to pass NULL since this
* routine will allocate one for you (CERT_GetDefaultDB() can be
* used to retrieve the cert db handle).
*
* If "keydbpath" is NULL or "", the default key db is used (typically
* ~/.netscape/key3.db).
*
* If "keydbpath" ends with ".db" (case-insensitive compare), then
* it is assumed to be a full path to the key db file; otherwise,
* it is assumed to be a directory that contains a file called
* "key3.db"
*
* If certdbhandle is non-NULL< it is assumed to be a pointed to a
* SECKEYKeyDBHandle structure. It is fine to pass NULL since this
* routine will allocate one for you (SECKEY_GetDefaultDB() can be
* used to retrieve the cert db handle).
*/
int
LDAP_CALL
ldapssl_clientauth_init( const char *certdbpath, void *certdbhandle,
const int needkeydb, const char *keydbpath, void *keydbhandle )
{
int rc;
#ifdef _SOLARIS_SDK
char *enval;
int rcenv = 0;
#endif
/*
* LDAPDebug(LDAP_DEBUG_TRACE, "ldapssl_clientauth_init\n",0 ,0 ,0);
*/
mutex_lock(&inited_mutex);
if ( inited ) {
mutex_unlock(&inited_mutex);
return( 0 );
}
ldapssl_basic_init();
#ifdef _SOLARIS_SDK
if ((rcenv = update_nss_strict_fork_env(&enval)) == -1) {
mutex_unlock(&inited_mutex);
return (-1);
}
#endif
/* Open the certificate database */
rc = NSS_Init(certdbpath);
#ifdef _SOLARIS_SDK
/* Error from NSS_Init() more important! */
if ((rcenv != 1) && (reset_nss_strict_fork_env(enval) != 0) && (rc == 0)) {
ldapssl_free(&enval);
mutex_unlock(&inited_mutex);
return (-1);
}
ldapssl_free(&enval);
#endif
if (rc != 0) {
if ((rc = PR_GetError()) >= 0)
rc = -1;
mutex_unlock(&inited_mutex);
return (rc);
}
if (SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE)
|| SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE)) {
if (( rc = PR_GetError()) >= 0 ) {
rc = -1;
}
mutex_unlock(&inited_mutex);
return( rc );
}
#if defined(NS_DOMESTIC)
if (local_SSLPLCY_Install() == PR_FAILURE) {
mutex_unlock(&inited_mutex);
return( -1 );
}
#elif(NS_EXPORT)
if (local_SSLPLCY_Install() == PR_FAILURE) {
mutex_unlock(&inited_mutex);
return( -1 );
}
#else
mutex_unlock(&inited_mutex);
return( -1 );
#endif
inited = 1;
mutex_unlock(&inited_mutex);
return( 0 );
}
/*
* Initialize ns/security so it can be used for SSL client authentication.
* It is safe to call this more than once.
*
* If needkeydb == 0, no key database is opened and SSL server authentication
* is supported but not client authentication.
*
* If "certdbpath" is NULL or "", the default cert. db is used (typically
* ~/.netscape/cert7.db).
*
* If "certdbpath" ends with ".db" (case-insensitive compare), then
* it is assumed to be a full path to the cert. db file; otherwise,
* it is assumed to be a directory that contains a file called
* "cert7.db" or "cert.db".
*
* If certdbhandle is non-NULL, it is assumed to be a pointer to a
* SECCertDBHandle structure. It is fine to pass NULL since this
* routine will allocate one for you (CERT_GetDefaultDB() can be
* used to retrieve the cert db handle).
*
* If "keydbpath" is NULL or "", the default key db is used (typically
* ~/.netscape/key3.db).
*
* If "keydbpath" ends with ".db" (case-insensitive compare), then
* it is assumed to be a full path to the key db file; otherwise,
* it is assumed to be a directory that contains a file called
* "key3.db"
*
* If certdbhandle is non-NULL< it is assumed to be a pointed to a
* SECKEYKeyDBHandle structure. It is fine to pass NULL since this
* routine will allocate one for you (SECKEY_GetDefaultDB() can be
* used to retrieve the cert db handle). */
int
LDAP_CALL
ldapssl_advclientauth_init(
const char *certdbpath, void *certdbhandle,
const int needkeydb, const char *keydbpath, void *keydbhandle,
const int needsecmoddb, const char *secmoddbpath,
const int sslstrength )
{
int rc;
#ifdef _SOLARIS_SDK
char *enval;
int rcenv = 0;
#endif
mutex_lock(&inited_mutex);
if ( inited ) {
mutex_unlock(&inited_mutex);
return( 0 );
}
/*
* LDAPDebug(LDAP_DEBUG_TRACE, "ldapssl_advclientauth_init\n",0 ,0 ,0);
*/
ldapssl_basic_init();
#ifdef _SOLARIS_SDK
if ((rcenv = update_nss_strict_fork_env(&enval)) == -1) {
mutex_unlock(&inited_mutex);
return (-1);
}
#endif
rc = NSS_Init(certdbpath);
#ifdef _SOLARIS_SDK
/* Error from NSS_Init() more important! */
if ((rcenv != 1) && (reset_nss_strict_fork_env(enval) != 0) && (rc == 0)) {
ldapssl_free(&enval);
mutex_unlock(&inited_mutex);
return (-1);
}
ldapssl_free(&enval);
#endif
if (rc != 0) {
if ((rc = PR_GetError()) >= 0)
rc = -1;
mutex_unlock(&inited_mutex);
return (rc);
}
#if defined(NS_DOMESTIC)
if (local_SSLPLCY_Install() == PR_FAILURE) {
mutex_unlock(&inited_mutex);
return( -1 );
}
#elif(NS_EXPORT)
if (local_SSLPLCY_Install() == PR_FAILURE) {
mutex_unlock(&inited_mutex);
return( -1 );
}
#else
mutex_unlock(&inited_mutex);
return( -1 );
#endif
inited = 1;
mutex_unlock(&inited_mutex);
return( ldapssl_set_strength( NULL, sslstrength));
}
/*
* Initialize ns/security so it can be used for SSL client authentication.
* It is safe to call this more than once.
*/
/*
* XXXceb This is a hack until the new IO functions are done.
* this function lives in ldapsinit.c
*/
void set_using_pkcs_functions( int val );
int
LDAP_CALL
ldapssl_pkcs_init( const struct ldapssl_pkcs_fns *pfns )
{
char *certdbName, *s, *keydbpath;
char *certdbPrefix, *keydbPrefix;
char *confDir, *keydbName;
static char *secmodname = "secmod.db";
int rc;
#ifdef _SOLARIS_SDK
char *enval;
int rcenv = 0;
#endif
mutex_lock(&inited_mutex);
if ( inited ) {
mutex_unlock(&inited_mutex);
return( 0 );
}
/*
* XXXceb This is a hack until the new IO functions are done.
* this function MUST be called before ldap_enable_clienauth.
*
*/
set_using_pkcs_functions( 1 );
/*
* LDAPDebug(LDAP_DEBUG_TRACE, "ldapssl_pkcs_init\n",0 ,0 ,0);
*/
ldapssl_basic_init();
pfns->pkcs_getcertpath( NULL, &s);
confDir = ldapssl_strdup( s );
certdbPrefix = ldapssl_strdup( s );
certdbName = ldapssl_strdup( s );
*certdbPrefix = 0;
splitpath(s, confDir, certdbPrefix, certdbName);
pfns->pkcs_getkeypath( NULL, &s);
keydbpath = ldapssl_strdup( s );
keydbPrefix = ldapssl_strdup( s );
keydbName = ldapssl_strdup( s );
*keydbPrefix = 0;
splitpath(s, keydbpath, keydbPrefix, keydbName);
/* verify confDir == keydbpath and adjust as necessary */
ldapssl_free((void **)&certdbName);
ldapssl_free((void **)&keydbName);
ldapssl_free((void **)&keydbpath);
#ifdef _SOLARIS_SDK
if ((rcenv = update_nss_strict_fork_env(&enval)) == -1) {
mutex_unlock(&inited_mutex);
return (-1);
}
#endif
rc = NSS_Initialize(confDir,certdbPrefix,keydbPrefix,secmodname,
NSS_INIT_READONLY);
ldapssl_free((void **)&certdbPrefix);
ldapssl_free((void **)&keydbPrefix);
ldapssl_free((void **)&confDir);
#ifdef _SOLARIS_SDK
/* Error from NSS_Initialize() more important! */
if ((rcenv != 1) && (reset_nss_strict_fork_env(enval) != 0) && (rc == 0)) {
ldapssl_free(&enval);
mutex_unlock(&inited_mutex);
return (-1);
}
ldapssl_free(&enval);
#endif
if (rc != 0) {
if ((rc = PR_GetError()) >= 0)
rc = -1;
mutex_unlock(&inited_mutex);
return (rc);
}
#if 0 /* UNNEEDED BY LIBLDAP */
/* this is odd */
PK11_ConfigurePKCS11(NULL, NULL, tokDes, ptokDes, NULL, NULL, NULL, NULL, 0, 0 );
#endif /* UNNEEDED BY LIBLDAP */
if (SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE)
|| SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE)) {
if (( rc = PR_GetError()) >= 0 ) {
rc = -1;
}
mutex_unlock(&inited_mutex);
return( rc );
}
#if defined(NS_DOMESTIC)
if (local_SSLPLCY_Install() == PR_FAILURE) {
mutex_unlock(&inited_mutex);
return( -1 );
}
#elif(NS_EXPORT)
if (local_SSLPLCY_Install() == PR_FAILURE) {
mutex_unlock(&inited_mutex);
return( -1 );
}
#else
mutex_unlock(&inited_mutex);
return( -1 );
#endif
inited = 1;
if ( certdbName != NULL ) {
ldapssl_free((void **) &certdbName );
}
return( ldapssl_set_strength( NULL, LDAPSSL_AUTH_CNCHECK));
}
/*
* ldapssl_client_init() is a server-authentication only version of
* ldapssl_clientauth_init().
*/
int
LDAP_CALL
ldapssl_client_init(const char* certdbpath, void *certdbhandle )
{
return( ldapssl_clientauth_init( certdbpath, certdbhandle,
0, NULL, NULL ));
}
/*
* ldapssl_serverauth_init() is a server-authentication only version of
* ldapssl_clientauth_init(). This function allows the sslstrength
* to be passed in. The sslstrength can take one of the following
* values:
* LDAPSSL_AUTH_WEAK: indicate that you accept the server's
* certificate without checking the CA who
* issued the certificate
* LDAPSSL_AUTH_CERT: indicates that you accept the server's
* certificate only if you trust the CA who
* issued the certificate
* LDAPSSL_AUTH_CNCHECK:
indicates that you accept the server's
* certificate only if you trust the CA who
* issued the certificate and if the value
* of the cn attribute in the DNS hostname
* of the server
*/
int
LDAP_CALL
ldapssl_serverauth_init(const char* certdbpath,
void *certdbhandle,
const int sslstrength )
{
if ( ldapssl_set_strength( NULL, sslstrength ) != 0) {
return ( -1 );
}
return( ldapssl_clientauth_init( certdbpath, certdbhandle,
0, NULL, NULL ));
}
/*
* Function that makes an asynchronous Start TLS extended operation request.
*/
static int ldapssl_tls_start(LDAP *ld, int *msgidp)
{
int version, rc;
BerValue extreq_data;
/* Start TLS extended operation requires an absent "requestValue" field. */
extreq_data.bv_val = NULL;
extreq_data.bv_len = 0;
/* Make sure version is set to LDAPv3 for extended operations to be
supported. */
version = LDAP_VERSION3;
ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version );
/* Send the Start TLS request (OID: 1.3.6.1.4.1.1466.20037) */
rc = ldap_extended_operation( ld, START_TLS_OID, &extreq_data,
NULL, NULL, msgidp );
return rc;
}
/*
* Function that enables SSL on an already open non-secured LDAP connection.
* (i.e. the connection is henceforth secured)
*/
static int ldapssl_enableSSL_on_open_connection(LDAP *ld, int defsecure,
char *certdbpath, char *keydbpath)
{
PRLDAPSocketInfo soi;
if ( ldapssl_clientauth_init( certdbpath, NULL, 1, keydbpath, NULL ) < 0 ) {
goto ssl_setup_failure;
}
/*
* Retrieve socket info. so we have the PRFileDesc.
*/
memset( &soi, 0, sizeof(soi));
soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE;
if ( prldap_get_default_socket_info( ld, &soi ) < 0 ) {
goto ssl_setup_failure;
}
if ( ldapssl_install_routines( ld ) < 0 ) {
goto ssl_setup_failure;
}
if (soi.soinfo_prfd == NULL) {
int sd;
ldap_get_option( ld, LDAP_OPT_DESC, &sd );
soi.soinfo_prfd = (PRFileDesc *) PR_ImportTCPSocket( sd );
}
/* set the socket information back into the connection handle,
* because ldapssl_install_routines() resets the socket_arg info in the
* socket buffer. */
if ( prldap_set_default_socket_info( ld, &soi ) != LDAP_SUCCESS ) {
goto ssl_setup_failure;
}
if ( ldap_set_option( ld, LDAP_OPT_SSL,
defsecure ? LDAP_OPT_ON : LDAP_OPT_OFF ) < 0 ) {
goto ssl_setup_failure;
}
if ( ldapssl_import_fd( ld, defsecure ) < 0 ) {
goto ssl_setup_failure;
}
return 0;
ssl_setup_failure:
ldapssl_reset_to_nonsecure( ld );
/* we should here warn the server that we switch back to a non-secure
connection */
return( -1 );
}
/*
* ldapssl_tls_start_s() performs a synchronous Start TLS extended operation
* request.
*
* The function returns the result code of the extended operation response
* sent by the server.
*
* In case of a successfull response (LDAP_SUCCESS returned), by the time
* this function returns the LDAP session designed by ld will have been
* secured, i.e. the connection will have been imported into SSL.
*
* Should the Start TLS request be rejected by the server, the result code
* returned will be one of the following:
* LDAP_OPERATIONS_ERROR,
* LDAP_PROTOCOL_ERROR,
* LDAP_REFERRAL,
* LDAP_UNAVAILABLE.
*
* Any other error code returned will be due to a failure in the course
* of operations done on the client side.
*
* "certdbpath" and "keydbpath" should contain the path to the client's
* certificate and key databases respectively. Either the path to the
* directory containing "default name" databases (i.e. cert7.db and key3.db)
* can be specified or the actual filenames can be included.
* If any of these parameters is NULL, the function will assume the database
* is the same used by Netscape Communicator, which is usually under
* ~/.netsca /)
*
* "referralsp" is a pointer to a list of referrals the server might
* eventually send back with an LDAP_REFERRAL result code.
*
*/
int
LDAP_CALL
ldapssl_tls_start_s(LDAP *ld,int defsecure, char *certdbpath, char *keydbpath,
char ***referralsp)
{
int rc, resultCode, msgid;
char *extresp_oid;
BerValue *extresp_data;
LDAPMessage *res;
rc = ldapssl_tls_start( ld, &msgid );
if ( rc != LDAP_SUCCESS ) {
return rc;
}
rc = ldap_result( ld, msgid, 1, (struct timeval *) NULL, &res );
if ( rc != LDAP_RES_EXTENDED ) {
/* the first response received must be an extended response to an
Start TLS request */
ldap_msgfree( res );
return( -1 );
}
rc = ldap_parse_extended_result( ld, res, &extresp_oid, &extresp_data, 0 );
if ( rc != LDAP_SUCCESS ) {
ldap_msgfree( res );
return rc;
}
if ( strcasecmp( extresp_oid, START_TLS_OID ) != 0 ) {
/* the extended response received doesn't correspond to the
Start TLS request */
ldap_msgfree( res );
return -1;
}
resultCode = ldap_get_lderrno( ld, NULL, NULL );
/* Analyze the server's response */
switch (resultCode) {
case LDAP_REFERRAL:
{
rc = ldap_parse_result( ld, res, NULL, NULL, NULL, referralsp, NULL, 0 );
if ( rc != LDAP_SUCCESS ) {
ldap_msgfree( res );
return rc;
}
}
case LDAP_OPERATIONS_ERROR:
case LDAP_PROTOCOL_ERROR:
case LDAP_UNAVAILABLE:
goto free_msg_and_return;
case LDAP_SUCCESS:
{
/*
* If extended response successfull, get connection ready for
* communicating with the server over SSL/TLS.
*/
if ( ldapssl_enableSSL_on_open_connection( ld, defsecure,
certdbpath, keydbpath ) < 0 ) {
resultCode = -1;
}
} /* case LDAP_SUCCESS */
default:
goto free_msg_and_return;
} /* switch */
free_msg_and_return:
ldap_msgfree( res );
return resultCode;
}
#endif /* NET_SSL */