Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.

Added ldap_pvt_tls_get_strength() - return encryption strength, for use as a SASL session security factor.

Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.
0f8047b9 · Howard Chu · c243a6fa · 0f8047b9 · 0f8047b9 · 0f8047b9
Commit 0f8047b9 authored 24 years ago by Howard Chu
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -164,6 +164,8 @@ LDAP_F (int) ldap_pvt_tls_connect LDAP_P(( struct ldap *ld, Sockbuf *sb, void *c
 LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
 LDAP_F (void *) ldap_pvt_tls_sb_handle LDAP_P(( Sockbuf *sb ));
 LDAP_F (void *) ldap_pvt_tls_get_handle LDAP_P(( struct ldap *ld ));
+LDAP_F (const char *) ldap_pvt_tls_get_peer LDAP_P(( void *handle ));
+LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *handle ));
 LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
 LDAP_F (int) ldap_pvt_tls_start LDAP_P(( struct ldap *ld, Sockbuf *sb, void *ctx_arg ));


--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -658,16 +658,54 @@ ldap_pvt_tls_get_handle( LDAP *ld )
 	return ldap_pvt_tls_sb_handle( ld->ld_sb );
 }

+int
+ldap_pvt_tls_get_strength( void *s )
+{
+    SSL_CIPHER *c;
+
+    c = SSL_get_current_cipher((SSL *)s);
+    return SSL_CIPHER_get_bits(c, NULL);
+}
+
+
 const char *
-ldap_pvt_tls_get_peer( LDAP *ld )
+ldap_pvt_tls_get_peer( void *s )
 {
-    return NULL;
+    X509 *x;
+    X509_NAME *xn;
+    char buf[2048], *p;
+
+    x = SSL_get_peer_certificate((SSL *)s);
+
+    if (!x)
+    	return NULL;
+    
+    xn = X509_get_subject_name(x);
+    p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+    X509_free(x);
+    return p;
 }

 const char *
-ldap_pvt_tls_get_peer_issuer( LDAP *ld )
+ldap_pvt_tls_get_peer_issuer( void *s )
 {
+#if 0	/* currently unused; see ldap_pvt_tls_get_peer() if needed */
+    X509 *x;
+    X509_NAME *xn;
+    char buf[2048], *p;
+
+    x = SSL_get_peer_certificate((SSL *)s);
+
+    if (!x)
+    	return NULL;
+    
+    xn = X509_get_issuer_name(x);
+    p = LDAP_STRDUP(X509_NAME_oneline(xn, buf, sizeof(buf)));
+    X509_free(x);
+    return p;
+#else
    return NULL;
+#endif
 }

 int

--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -919,12 +919,17 @@ int connection_read(ber_socket_t s)
 			connection_close( c );

 		} else if ( rc == 0 ) {
+			void *ssl;
+			unsigned ssf;
+			char *authid;
+
 			c->c_needs_tls_accept = 0;

-#if 0
 			/* we need to let SASL know */
+			ssl = (void *)ldap_pvt_tls_sb_handle( c->c_sb );
+			ssf = (unsigned)ldap_pvt_tls_get_strength( ssl );
+			authid = (char *)ldap_pvt_tls_get_peer( ssl );
 			slap_sasl_external( c, ssf, authid );
-#endif
 		}
 		connection_return( c );
 		ldap_pvt_thread_mutex_unlock( &connections_mutex );