/*
 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the Netscape Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code is Mozilla Communicator client code, released
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation. Portions created by Netscape are
 * Copyright (C) 1998-1999 Netscape Communications Corporation. All
 */

/* XXX:mhein The following is a workaround for the redefinition of */
/* const problem on OSF. Fix to be provided by NSS */
/* This is a pretty benign workaround for us which */
/* should not cause problems in the future even if */
/* we forget to take it out :-) */
#endif /* __STDC__ */

/*
 * This little tricky guy keeps us from initializing twice
 */
#endif /* _SOLARIS_SDK */

#if 0
/* UNNEEDED BY LIBLDAP */
static char tokDes[34] = "Internal (Software) Database ";
static char ptokDes[34] = "Internal (Software) Token ";
#endif /* UNNEEDED BY LIBLDAP */

	/* go to the end of the string, and walk backwards until */
	/* you get to the first path separator */
	while (l != string && *l != '/' && *l != '\\')

	/* search for the .db */
	/* now we are sitting on . of .db */
	/* move backward to the first 'c' or 'k' */
	/* indicating cert or key */
	while (k != l && *k != 'c' && *k != 'k')

	/* move backwards to the first path separator */
	if (k != d && k > d)
	while (s != d && *s != '/' && *s != '\\')
	/* if we are sitting on top of a path */
	/* separator there is no prefix */
	/* we know there is no prefix */
	/* grab the prefix */
	/* neither *key[0-9].db nor *cert[0-9].db found */

/*
 * NSPR is initialized in .init on SOLARIS
 */
	/* PR_Init() must be called before everything else... */

/*
 * Cover functions for malloc(), calloc(), strdup() and free() that are
 * compatible with the NSS libraries (they seem to use the C runtime
 * library malloc/free so these functions are quite simple right now).
 */

/*
 * Disable strict fork detection of NSS library to allow safe fork of
 * consumers. Otherwise NSS will not work after fork because it was not
 * deinitialized before fork and there is no safe way how to do it after fork.
 *
 * Return values:
 *  1 - DISABLED was already set, no modification to environment
 *  0 - successfully modified environment, old value saved to enval if there
 * -1 - setenv or strdup failed, the environment was left unchanged
 */
	/* Do not need to set as DISABLED, it is already set. */
	return (setenv("NSS_STRICT_NOFORK", "DISABLED", 1));
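The save/set/restore contract spelled out in the comments above (1 = already DISABLED, 0 = changed and old value saved, -1 = setenv or strdup failed with the environment untouched), written out as an added C example. This is not the libldap implementation; the function names follow the comments but the bodies, the `saved` out-parameter and the `demo_strict_fork_roundtrip()` driver are my own.

```c
/* Save-set-restore of NSS_STRICT_NOFORK around NSS initialisation.
 * Added illustration, not libldap code; names are assumptions. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv(), unsetenv(), strdup() */
#endif
#include <stdlib.h>
#include <string.h>

#define NSS_STRICT_NOFORK_VAR "NSS_STRICT_NOFORK"

/* Set NSS_STRICT_NOFORK=DISABLED. On return 0, *saved is a strdup() of the
 * previous value (NULL if the variable did not exist); the caller owns it.
 * Returns 1 if it was already DISABLED, -1 on failure (environment unchanged). */
int update_nss_strict_fork_env(char **saved)
{
    const char *cur = getenv(NSS_STRICT_NOFORK_VAR);

    *saved = NULL;
    if (cur != NULL && strcmp(cur, "DISABLED") == 0)
        return 1;                           /* already DISABLED: touch nothing */
    if (cur != NULL) {
        *saved = strdup(cur);
        if (*saved == NULL)
            return -1;                      /* strdup failed, nothing changed */
    }
    if (setenv(NSS_STRICT_NOFORK_VAR, "DISABLED", 1) != 0) {
        free(*saved);                       /* setenv failed, nothing changed */
        *saved = NULL;
        return -1;
    }
    return 0;
}

/* Undo update_nss_strict_fork_env(): restore the old value, or unset the
 * variable if there was none. A no-op when the update changed nothing. */
int reset_nss_strict_fork_env(int update_rc, char **saved)
{
    int rc = 0;

    if (update_rc != 0)                     /* 1 or -1: environment untouched */
        return 0;
    if (*saved != NULL)
        rc = setenv(NSS_STRICT_NOFORK_VAR, *saved, 1);
    else
        rc = unsetenv(NSS_STRICT_NOFORK_VAR);
    free(*saved);
    *saved = NULL;
    return rc;
}

/* Walks the three starting states (absent, other value, already DISABLED)
 * and returns 1 if every transition matches the contract, 0 otherwise. */
int demo_strict_fork_roundtrip(void)
{
    char *saved = NULL;
    const char *v;
    int r;

    unsetenv(NSS_STRICT_NOFORK_VAR);                    /* state 1: absent */
    r = update_nss_strict_fork_env(&saved);
    v = getenv(NSS_STRICT_NOFORK_VAR);
    if (r != 0 || saved != NULL || v == NULL || strcmp(v, "DISABLED") != 0) return 0;
    reset_nss_strict_fork_env(r, &saved);
    if (getenv(NSS_STRICT_NOFORK_VAR) != NULL) return 0;

    setenv(NSS_STRICT_NOFORK_VAR, "1", 1);              /* state 2: other value */
    r = update_nss_strict_fork_env(&saved);
    if (r != 0 || saved == NULL || strcmp(saved, "1") != 0) return 0;
    if (strcmp(getenv(NSS_STRICT_NOFORK_VAR), "DISABLED") != 0) return 0;
    reset_nss_strict_fork_env(r, &saved);
    if (strcmp(getenv(NSS_STRICT_NOFORK_VAR), "1") != 0) return 0;

    setenv(NSS_STRICT_NOFORK_VAR, "DISABLED", 1);       /* state 3: already set */
    r = update_nss_strict_fork_env(&saved);
    if (r != 1 || saved != NULL) return 0;
    reset_nss_strict_fork_env(r, &saved);
    if (strcmp(getenv(NSS_STRICT_NOFORK_VAR), "DISABLED") != 0) return 0;
    unsetenv(NSS_STRICT_NOFORK_VAR);
    return 1;
}
```

Two practical points the contract implies: the variable is process-global, so the set/reset pair belongs around the NSS_Init()/NSS_Initialize() call only, before any worker threads exist (getenv() racing with setenv() from another thread is undefined), and the -1 path must leave the environment exactly as found, which is why the strdup() happens before the setenv() and a failed setenv() frees the copy again.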
/*
 * Reset environment variable NSS_STRICT_NOFORK to value before
 * update_nss_strict_fork_env() call or remove it from environment if it did
 *
 * NSS_STRICT_NOFORK=DISABLED is needed only during NSS initialization to
 * disable activation of atfork handler in NSS which is invalidating
 * initialization in child process after fork.
 */

/*
 * return database name by appending "dbname" to "path".
 * this code doesn't need to be terribly efficient (not called often).
 */

/* XXXceb this is the old function. To be removed eventually */

/*
 * Initialize ns/security so it can be used for SSL client authentication.
 * It is safe to call this more than once.
 *
 * If needkeydb == 0, no key database is opened and SSL server authentication
 * is supported but not client authentication.
 *
 * If "certdbpath" is NULL or "", the default cert. db is used (typically
 * If "certdbpath" ends with ".db" (case-insensitive compare), then
 * it is assumed to be a full path to the cert. db file; otherwise,
 * it is assumed to be a directory that contains a file called
 * "cert7.db" or "cert.db".
 *
 * If certdbhandle is non-NULL, it is assumed to be a pointer to a
 * SECCertDBHandle structure. It is fine to pass NULL since this
 * routine will allocate one for you (CERT_GetDefaultDB() can be
 * used to retrieve the cert db handle).
 *
 * If "keydbpath" is NULL or "", the default key db is used (typically
 * If "keydbpath" ends with ".db" (case-insensitive compare), then
 * it is assumed to be a full path to the key db file; otherwise,
 * it is assumed to be a directory that contains a file called
 *
 * If keydbhandle is non-NULL, it is assumed to be a pointer to a
 * SECKEYKeyDBHandle structure. It is fine to pass NULL since this
 * routine will allocate one for you (SECKEY_GetDefaultDB() can be
 * used to retrieve the key db handle).
 */
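The path handling that the walk-back comments earlier in the file and the doc comment above describe together: a "certdbpath"/"keydbpath" ending in ".db" (case-insensitive) is a file whose directory and file-name prefix (whatever precedes "cert<N>" or "key<N>") are extracted; anything else is a directory with no prefix. This is an added C example, not libldap code; `struct dbpath`, `split_db_path()` and the `DB_*` kinds are my own names. The split is needed because NSS_Initialize() takes the configuration directory and the cert/key prefixes as separate arguments. The check that the letter found really starts "cert" or "key" followed by digits is my reading of the "neither *key[0-9].db nor *cert[0-9].db found" comment; the cert/key token itself is matched case-sensitively, as in the comments, and only the ".db" suffix is compared case-insensitively, as in the doc.

```c
/* Split an NSS cert/key database path into directory + file-name prefix.
 * Added illustration, not the libldap implementation; names are my own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum dbkind { DB_DIR_ONLY = 0, DB_CERT = 1, DB_KEY = 2, DB_BAD = -1 };

struct dbpath {
    char dir[256];     /* configuration directory for NSS                  */
    char prefix[64];   /* text in front of "cert<N>.db" / "key<N>.db"      */
    enum dbkind kind;
};

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Case-insensitive ".db" check; returns a pointer to the '.' or NULL. */
static const char *db_suffix(const char *name)
{
    size_t n = strlen(name);
    const char *dot;
    if (n < 3) return NULL;
    dot = name + n - 3;
    if (dot[0] != '.' || tolower((unsigned char)dot[1]) != 'd' ||
        tolower((unsigned char)dot[2]) != 'b')
        return NULL;
    return dot;
}

/* Returns 0 and fills *out, or -1 if the string is neither a directory nor
 * a file called *cert[0-9]*.db or *key[0-9]*.db. Output is truncated to the
 * struct's buffers by snprintf(). */
int split_db_path(const char *string, struct dbpath *out)
{
    const char *l, *d, *k, *dot, *p;

    memset(out, 0, sizeof *out);
    if (string == NULL || *string == '\0') return -1;

    /* go to the end of the string and walk backwards to the first separator */
    l = string + strlen(string) - 1;
    while (l != string && !is_sep(*l))
        l--;
    d = is_sep(*l) ? l + 1 : string;        /* d: first char of the file name */

    if ((dot = db_suffix(d)) == NULL) {
        /* no ".db": the whole string is a directory and there is no prefix */
        snprintf(out->dir, sizeof out->dir, "%s", string);
        out->kind = DB_DIR_ONLY;
        return 0;
    }

    /* sitting on the '.' of ".db": move backward to the first 'c' or 'k' */
    k = dot;
    while (k != d && *k != 'c' && *k != 'k')
        k--;

    /* that letter must start "cert" or "key" and only digits may follow it,
     * otherwise neither *key[0-9].db nor *cert[0-9].db was found */
    if (strncmp(k, "cert", 4) == 0)     { out->kind = DB_CERT; p = k + 4; }
    else if (strncmp(k, "key", 3) == 0) { out->kind = DB_KEY;  p = k + 3; }
    else                                { out->kind = DB_BAD;  return -1; }
    while (isdigit((unsigned char)*p))
        p++;
    if (p != dot) { out->kind = DB_BAD; return -1; }   /* e.g. "certs.db" */

    /* directory: everything before the last separator ("." if none, "/" for root) */
    if (d == string)
        snprintf(out->dir, sizeof out->dir, ".");
    else if (d - 1 == string)
        snprintf(out->dir, sizeof out->dir, "%c", *string);
    else
        snprintf(out->dir, sizeof out->dir, "%.*s", (int)(d - 1 - string), string);

    /* prefix: from the separator up to the 'c'/'k'; empty when k sits right on it */
    snprintf(out->prefix, sizeof out->prefix, "%.*s", (int)(k - d), d);
    return 0;
}
```

For `/var/ldap/slapd-foo-cert7.db` this yields directory `/var/ldap`, prefix `slapd-foo-`, kind cert; for `/var/ldap` it yields the directory alone; for `/var/ldap/secmod.db` it fails, because the secmod database is not a cert or key database and must not be handed to NSS as one.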
	/*
	 * LDAPDebug(LDAP_DEBUG_TRACE, "ldapssl_clientauth_init\n",0 ,0 ,0);
	 */
	/* Open the certificate database */
	/* Error from NSS_Init() more important! */

/*
 * Initialize ns/security so it can be used for SSL client authentication.
 * It is safe to call this more than once.
 *
 * If needkeydb == 0, no key database is opened and SSL server authentication
 * is supported but not client authentication.
 *
 * If "certdbpath" is NULL or "", the default cert. db is used (typically
 * If "certdbpath" ends with ".db" (case-insensitive compare), then
 * it is assumed to be a full path to the cert. db file; otherwise,
 * it is assumed to be a directory that contains a file called
 * "cert7.db" or "cert.db".
 *
 * If certdbhandle is non-NULL, it is assumed to be a pointer to a
 * SECCertDBHandle structure. It is fine to pass NULL since this
 * routine will allocate one for you (CERT_GetDefaultDB() can be
 * used to retrieve the cert db handle).
 *
 * If "keydbpath" is NULL or "", the default key db is used (typically
 * If "keydbpath" ends with ".db" (case-insensitive compare), then
 * it is assumed to be a full path to the key db file; otherwise,
 * it is assumed to be a directory that contains a file called
 *
 * If keydbhandle is non-NULL, it is assumed to be a pointer to a
 * SECKEYKeyDBHandle structure. It is fine to pass NULL since this
 * routine will allocate one for you (SECKEY_GetDefaultDB() can be
 * used to retrieve the key db handle).
 */
	/*
	 * LDAPDebug(LDAP_DEBUG_TRACE, "ldapssl_advclientauth_init\n",0 ,0 ,0);
	 */
	/* Error from NSS_Init() more important! */

/*
 * Initialize ns/security so it can be used for SSL client authentication.
 * It is safe to call this more than once.
 *
 * XXXceb This is a hack until the new IO functions are done.
 * This function MUST be called before ldap_enable_clientauth.
 */
	/*
	 * LDAPDebug(LDAP_DEBUG_TRACE, "ldapssl_pkcs_init\n",0 ,0 ,0);
	 */
	/* verify confDir == keydbpath and adjust as necessary */
	/* Error from NSS_Initialize() more important! */
#if 0
/* UNNEEDED BY LIBLDAP */
#endif /* UNNEEDED BY LIBLDAP */

/*
 * ldapssl_client_init() is a server-authentication only version of
 * ldapssl_clientauth_init().
 */

/*
 * ldapssl_serverauth_init() is a server-authentication only version of
 * ldapssl_clientauth_init(). This function allows the sslstrength
 * to be passed in. The sslstrength can take one of the following
 * values:
 *
 * LDAPSSL_AUTH_WEAK:    indicates that you accept the server's
 *                       certificate without checking the CA who
 *                       issued the certificate
 * LDAPSSL_AUTH_CERT:    indicates that you accept the server's
 *                       certificate only if you trust the CA who
 *                       issued the certificate
 * LDAPSSL_AUTH_CNCHECK: indicates that you accept the server's
 *                       certificate only if you trust the CA who
 *                       issued the certificate and if the value
 *                       of the cn attribute in the DNS hostname
 */

/*
 * Function that makes an asynchronous Start TLS extended operation request.
 */
	/* Start TLS extended operation requires an absent "requestValue" field. */
	/* Make sure version is set to LDAPv3 for extended operations to be */
	/* Send the Start TLS request (OID: 1.3.6.1.4.1.1466.20037) */

/*
 * Function that enables SSL on an already open non-secured LDAP connection.
 * (i.e. the connection is henceforth secured)
 */
	/*
	 * Retrieve socket info. so we have the PRFileDesc.
	 */
	/* set the socket information back into the connection handle,
	 * because ldapssl_install_routines() resets the socket_arg info in the
	 */
	/* we should here warn the server that we switch back to a non-secure
	 */

/*
 * ldapssl_tls_start_s() performs a synchronous Start TLS extended operation.
 * The function returns the result code of the extended operation response
 * sent by the server.
 *
 * In case of a successful response (LDAP_SUCCESS returned), by the time
 * this function returns the LDAP session designated by ld will have been
 * secured, i.e. the connection will have been imported into SSL.
 *
 * Should the Start TLS request be rejected by the server, the result code
 * returned will be one of the following:
 *     LDAP_OPERATIONS_ERROR,
 *     LDAP_PROTOCOL_ERROR,
 * Any other error code returned will be due to a failure in the course
 * of operations done on the client side.
 *
 * "certdbpath" and "keydbpath" should contain the path to the client's
 * certificate and key databases respectively. Either the path to the
 * directory containing "default name" databases (i.e. cert7.db and key3.db)
 * can be specified or the actual filenames can be included.
 * If any of these parameters is NULL, the function will assume the database
 * is the same used by Netscape Communicator, which is usually under
 *
 * "referralsp" is a pointer to a list of referrals the server might
 * eventually send back with an LDAP_REFERRAL result code.
 */
	/* the first response received must be an extended response to a
	   Start TLS request */
	/* the extended response received doesn't correspond to the
	   Start TLS request */
	/* Analyze the server's response */
	/*
	 * If extended response successful, get connection ready for
	 * communicating with the server over SSL/TLS.
	 */
	} /* case LDAP_SUCCESS */
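The wire exchange behind the Start TLS comments above, as an added C example that is not libldap code: the client's ExtendedRequest carrying requestName 1.3.6.1.4.1.1466.20037 with the requestValue field absent, and the checks the synchronous routine has to apply to the first PDU that comes back (it must be an extended response to our message ID; if it carries a responseName, that must be the Start TLS OID; the resultCode is what gets returned). `starttls_request()`, `extended_response()`, `tlv()` and `starttls_result()` are my own names; `extended_response()` only exists so the example can construct server replies offline. The encoders use short-form BER lengths, which is all these small PDUs need; the parser accepts long-form lengths too. The tag values are those of RFC 4511 (ExtendedRequest is [APPLICATION 23], ExtendedResponse [APPLICATION 24]).

```c
/* Start TLS request/response handling, byte for byte (RFC 4511, 4.14).
 * Added illustration, not libldap code; function names are my own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STARTTLS_OID "1.3.6.1.4.1.1466.20037"
#define LDAP_SUCCESS          0
#define LDAP_OPERATIONS_ERROR 1
#define LDAP_PROTOCOL_ERROR   2
#define TAG_SEQUENCE    0x30   /* LDAPMessage                           */
#define TAG_INTEGER     0x02   /* messageID                             */
#define TAG_ENUMERATED  0x0a   /* resultCode                            */
#define TAG_OCTETSTRING 0x04   /* matchedDN, diagnosticMessage          */
#define TAG_EXTREQ      0x77   /* [APPLICATION 23] ExtendedRequest      */
#define TAG_EXTRSP      0x78   /* [APPLICATION 24] ExtendedResponse     */
#define TAG_REQNAME     0x80   /* [0]  requestName                      */
#define TAG_REFERRAL    0xa3   /* [3]  referral (SEQUENCE OF LDAPURL)   */
#define TAG_RSPNAME     0x8a   /* [10] responseName                     */

/* Client side: LDAPMessage{ msgid, ExtendedRequest{ requestName } }.
 * No requestValue is emitted, as the Start TLS comment above requires. */
size_t starttls_request(uint8_t msgid, uint8_t *out, size_t cap)
{
    size_t oid = strlen(STARTTLS_OID), ext = 2 + oid, msg = 5 + ext, i = 0;
    if (cap < 2 + msg) return 0;
    out[i++] = TAG_SEQUENCE; out[i++] = (uint8_t)msg;
    out[i++] = TAG_INTEGER;  out[i++] = 1; out[i++] = msgid;
    out[i++] = TAG_EXTREQ;   out[i++] = (uint8_t)ext;
    out[i++] = TAG_REQNAME;  out[i++] = (uint8_t)oid;
    memcpy(out + i, STARTTLS_OID, oid);
    return i + oid;
}

/* Server side, for the demonstration only: ExtendedResponse with empty
 * matchedDN and diagnosticMessage; responseName only when name != NULL. */
size_t extended_response(uint8_t msgid, uint8_t code, const char *name,
                         uint8_t *out, size_t cap)
{
    size_t nm = name ? strlen(name) : 0, rsp = 7 + (name ? 2 + nm : 0), i = 0;
    if (cap < 7 + rsp || rsp > 127) return 0;
    out[i++] = TAG_SEQUENCE;    out[i++] = (uint8_t)(5 + rsp);
    out[i++] = TAG_INTEGER;     out[i++] = 1; out[i++] = msgid;
    out[i++] = TAG_EXTRSP;      out[i++] = (uint8_t)rsp;
    out[i++] = TAG_ENUMERATED;  out[i++] = 1; out[i++] = code;
    out[i++] = TAG_OCTETSTRING; out[i++] = 0;            /* matchedDN ""        */
    out[i++] = TAG_OCTETSTRING; out[i++] = 0;            /* diagnosticMessage "" */
    if (name) { out[i++] = TAG_RSPNAME; out[i++] = (uint8_t)nm;
                memcpy(out + i, name, nm); i += nm; }
    return i;
}

/* One TLV header: check the tag, read a short- or long-form length and make
 * sure the value lies inside the buffer. Returns the value offset, 0 on error. */
static size_t tlv(const uint8_t *p, size_t n, uint8_t tag, size_t *len)
{
    size_t hdr = 2, k;
    if (n < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; }
    else {
        k = p[1] & 0x7f;
        if (k == 0 || k > 4 || n < 2 + k) return 0;
        *len = 0;
        for (size_t j = 0; j < k; j++) *len = (*len << 8) | p[2 + j];
        hdr += k;
    }
    return hdr + *len <= n ? hdr : 0;
}

/* The checks a synchronous Start TLS must pass before importing the socket
 * into SSL. Returns the server's resultCode; -1 if the PDU is malformed or is
 * not an extended response to our message; -2 if it is an extended response
 * that names some other operation. */
int starttls_result(const uint8_t *pdu, size_t n, uint8_t msgid)
{
    size_t off, len, vlen; int code;
    if (!(off = tlv(pdu, n, TAG_SEQUENCE, &len))) return -1;
    pdu += off; n = len;
    if (!(off = tlv(pdu, n, TAG_INTEGER, &vlen)) || vlen != 1 || pdu[off] != msgid)
        return -1;                                         /* not our message */
    pdu += off + vlen; n -= off + vlen;
    if (!(off = tlv(pdu, n, TAG_EXTRSP, &vlen))) return -1; /* not an extended response */
    pdu += off; n = vlen;
    if (!(off = tlv(pdu, n, TAG_ENUMERATED, &vlen)) || vlen != 1) return -1;
    code = pdu[off]; pdu += off + vlen; n -= off + vlen;
    for (int i = 0; i < 2; i++) {                            /* matchedDN, diagnosticMessage */
        if (!(off = tlv(pdu, n, TAG_OCTETSTRING, &vlen))) return -1;
        pdu += off + vlen; n -= off + vlen;
    }
    if (n && pdu[0] == TAG_REFERRAL) {                       /* skip a referral list */
        if (!(off = tlv(pdu, n, TAG_REFERRAL, &vlen))) return -1;
        pdu += off + vlen; n -= off + vlen;
    }
    if (n && pdu[0] == TAG_RSPNAME) {
        if (!(off = tlv(pdu, n, TAG_RSPNAME, &vlen))) return -1;
        if (vlen != strlen(STARTTLS_OID) || memcmp(pdu + off, STARTTLS_OID, vlen))
            return -2;                                       /* answer to another operation */
    }
    return code;
}
```

The request for message ID 1 is the well-known 31-byte sequence `30 1d 02 01 01 77 18 80 16` followed by the OID in ASCII. On the receiving side the message-ID check matters as much as the tag check: with other operations possibly outstanding, a stray response with a different ID must not be mistaken for the Start TLS answer, and only after `starttls_result()` returns LDAP_SUCCESS may the connection be handed to SSL, which is the point at which the comments above switch the socket over.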