
RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)



Hello Group,
 
After I got suggestions from the OpenLdap Developers group, I have incorporated
changes to set all the options through the "ldap_set_options" API. The new tar ball
is "prashant-kumar-031016.tgz".
 
Please give me feedback.
 
Regards,
Prashant Kumar.
-----Original Message-----
From: Kumar, Prashant [BL60:437:EXCH]
Sent: Wednesday, October 15, 2003 9:19 AM
To: Howard Chu; 'Kurt D. Zeilenga'
Cc: openldap-devel@OpenLDAP.org
Subject: RE: Flexibility to use customized "verify_callback" while using OpenLdap with TLS (ITS#2767)

Howard,

I don't think doing:

        ldap_pvt_tls_init();
        ldap_pvt_tls_init_def_ctx();
        ldap_get_option(NULL, TLS_CTX, &ctx);

will give the user enough flexibility to do whatever he wants
unless we fix ldap_start_tls_s, because this is the execution
sequence of ldap_start_tls_s:

ldap_start_tls_s->ldap_int_tls_start->ldap_int_tls_connect->alloc_handle
->ldap_pvt_tls_int_def_ctx () which will overwrite whatever the user
has done before.

The right solution is to fix ldap_start_tls_s so that before
doing ldap_pvt_tls_int_def_ctx it checks whether the user has done
any of his customization to "tls_def_ctx".

Also, as I said before, ldap_pvt_tls_int_def_ctx forces the user
to use one of the two possible callbacks, tls_verify_cb or tls_verify_ok,
which should be fixed. Also, there is no call to specify the verify_depth!

Regards,
Prashant.


> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> >How about we add a ld->ld_def_tls_ctx, which is set by
> >ldap_set_option. When
> >ld->ld_defconn is created, it will use ld_def_tls_ctx if it was set,
> >otherwise it behaves as before.
>
> This allows one to install a context, but it doesn't seem to allow one
> to modify the context created by the library before use by the
> library.

Well, if they need to do that they just have to be explicit about it:
        ldap_pvt_tls_init();
        ldap_pvt_tls_init_def_ctx();
        ldap_get_option(NULL, TLS_CTX, &ctx);
will retrieve the global tls_def_ctx, which can then be munged directly using the OpenSSL API.

That should already work in the current code...

> >On ldap_set_option, if the ld->ld_defconn exists, its
> >lconn_tls_ctx is set at
> >the same time.
> >
> >> Kurt
> >>
> >> At 01:28 PM 10/14/2003, Howard Chu wrote:
> >> >I believe a related issue was recently raised on the -software list; the
> >> >ldap_set_option TLS_CTX doesn't work on a fresh LDAP* because ld->ld_defconn
> >> >doesn't get created until an actual request is made that needs a connection.
> >> >The ld_defconn then gets used right away, without giving an opportunity to
> >> >reconfigure it. So you can't override things on a per-session basis, you must
> >> >override the global tls_def_ctx.
> >> >
> >> >Given that we have this unusable ldap_set_option function at the moment, we
> >> >can either remove it or make it work by adding a ld_tls_ctx pointer to the
> >> >LDAP*, so it can be set before the ld_defconn is created. But this creates an
> >> >ambiguity in the ldap_get_option side... What next?
> >> >
> >> >  -- Howard Chu
> >> >  Chief Architect, Symas Corp.       Director, Highland Sun
> >> >  http://www.symas.com               http://highlandsun.com/hyc
> >> >  Symas: Premier OpenSource Development and Support
> >> >
> >> >> -----Original Message-----
> >> >> From: owner-openldap-bugs@OpenLDAP.org
> >> >> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> >> >> Kurt@OpenLDAP.org
> >> >> Sent: Tuesday, October 14, 2003 12:06 PM
> >> >> To: openldap-its@OpenLDAP.org
> >> >> Subject: Re: Flexibility to use customized "verify_callback"
> >> >> while using OpenLdap with TLS (ITS#2767)
> >> >>
> >> >>
> >> >> A couple of quick comments (without really looking at your tls.c
> >> >> patch... I'll leave most of that to others who are more familiar
> >> >> with that code).
> >> >>
> >> >> Setting of options should be done through the ldap_set_option(3) API.
> >> >> Likely should support global and per-session callbacks. ldap_set_option(3)
> >> >> supports both.  Also, we shouldn't provide options for things which
> >> >> can be managed through the TLS_CTX option.  That is, -lldap should
> >> >> avoid knowing too much about OpenSSL and/or TLS details.
> >> >>
> >> >> Lastly, no file in the tarball includes a notice.  See
> >> >> <http://www.openldap.org/devel/contributing.html> for guidelines.
> >> >> I suggest you provide a notice in a separate COPYRIGHT file.
> >> >>
> >> >> Kurt
> >> >>
> >> >>
> >> >> At 08:14 AM 10/14/2003, prkumar@nortelnetworks.com wrote:
> >> >> >Full_Name: Prashant Kumar.
> >> >> >Version: 2.1.22 (20030709)
> >> >> >OS: Linux
> >> >> >URL: ftp://ftp.openldap.org/incoming/
> >> >> >Submission from: (NULL) (47.234.0.52)
> >> >> >
> >> >> >
> >> >> >Right now, while using OpenLdap with TLS/SSL, there are no APIs to specify a
> >> >> >user-customized "verify_callback" and "verify_depth". Also, there are no APIs to
> >> >> >input the CA cert, client cert and client cert key onto the SSL context in the
> >> >> >binary (DER) format (right now, OpenLdap reads all this info from PEM files
> >> >> >whose path is specified in the "ldap.conf").
> >> >> >
> >> >> >This enhancement adds the following APIs to the OpenLdap library, which will allow the
> >> >> >user to do all the above things:
> >> >> >
> >> >> >/* To set the verify callback */
> >> >> >ldap_set_tls_verify_callback (
> >> >> >      int (*tls_verify_callback)(int, struct x509_store_ctx_s *));
> >> >> >
> >> >> >/* To set the verify depth */
> >> >> >ldap_set_tls_verify_depth (unsigned int verify_depth);
> >> >> >
> >> >> >/* To set the CA cert */
> >> >> >ldap_set_tls_cacert_bin (unsigned char *caCert, unsigned int len);
> >> >> >
> >> >> >/* To set the client cert */
> >> >> >ldap_set_tls_clientcert_bin (unsigned char *clientcert, unsigned int len);
> >> >> >
> >> >> >/* To set the client cert key */
> >> >> >ldap_set_tls_clientcert_key_bin (unsigned char *clientkey, unsigned int len);
> >> >> >
> >> >> >I have changed two files, "include/ldap.h" and "libraries/libldap/tls.c", to
> >> >> >accommodate these features and I have uploaded these changes as a tar ball (this
> >> >> >tar ball has 2 patches, one for ldap.h and the other one for tls.c) onto
> >> >> >"ftp://ftp.openldap.org/incoming/". The tar ball name is
> >> >> >"prashant-kumar-openldap-031014.tgz"
> >> >> >
> >> >> >
> >> >> >Thank you,
> >> >> >Prashant Kumar