We Keep Coding

OpenLDAP - Enabling CRL check for LDAP TLS connections

I have a client that connects to LDAP server using TLS. For this connection, I want to enable CRL check and reject the connection only if any server/client certificates are revoked.
In special cases (like CRL missing, CRL expired) I want to ignore the error and establish the connection.
So I though to overwrite the default SSL verify call back to ignore the specific errors.
But the call back is not called at all. Always only default call-back is called.
Here is my call back:
static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
X509* cert = X509_STORE_CTX_get_current_cert(ctx);
if (ok)
return ok;
int sslRet = X509_STORE_CTX_get_error(ctx);
const char* err = NULL;
switch (sslRet)
{
case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_CRL_HAS_EXPIRED:
case X509_V_ERR_CRL_NOT_YET_VALID:
printf( "CRL: Verification failed... but ignored : %d\n", sslRet);
return 1;
default:
err = X509_verify_cert_error_string(sslRet);
if (err)
printf( "CRL: Failed to verify : %s\n",err);
return 0;
}
return sslRet;
}
Default verify call-back is overwritten using the ldap call-back set option:
void ldap_tls_cb(LDAP * ld, SSL * ssl, SSL_CTX * ctx, void * arg)
{
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER , verify_callback);
printf("verify call back is set...\n");
return;
}
Main Program:
int main( int argc, char **argv )
{
LDAP *ldap;
int auth_method = LDAP_AUTH_SIMPLE; //LDAP_AUTH_SASL
int ldap_version = LDAP_VERSION3;
char *ldap_host = "10.104.40.35";
int ldap_port = 389;
if ( (ldap = ldap_init(ldap_host, ldap_port)) == NULL ) {
perror( "ldap_init failed" );
return( EXIT_FAILURE );
}
int result = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &ldap_version);
if (result != LDAP_OPT_SUCCESS ) {
ldap_perror(ldap, "ldap_set_option failed!");
return(EXIT_FAILURE);
}
int requireCert = LDAP_OPT_X_TLS_DEMAND;
result = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &requireCert);
if (result != LDAP_OPT_SUCCESS ) {
ldap_perror(ldap, "ldap_set_option - req cert -failed!");
return(EXIT_FAILURE);
}
result = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, "/etc/certs/Cert.pem");
if (result != LDAP_OPT_SUCCESS ) {
ldap_perror(ldap, "ldap_set_option - cert file - failed!");
return(EXIT_FAILURE);
}
int crlvalue = LDAP_OPT_X_TLS_CRL_ALL;
result =ldap_set_option(NULL, LDAP_OPT_X_TLS_CRLCHECK, &crlvalue);
if (result != LDAP_OPT_SUCCESS ) {
ldap_perror(ldap, "ldap_set_option failed!");
return(EXIT_FAILURE);
}
int debug = 7;
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &debug);
result = ldap_set_option(ldap, LDAP_OPT_X_TLS_CONNECT_CB, (void *)ldap_tls_cb);
if (result != LDAP_SUCCESS) {
fprintf(stderr, "ldap_set_option(LDAP_OPT_X_TLS_CONNECT_CB): %s\n", ldap_err2string(result));
return(1);
}
int msgidp = 0;
result = ldap_start_tls(ldap,NULL,NULL,&msgidp);
if (result != LDAP_OPT_SUCCESS ) {
ldap_perror(ldap, "start tls failed!");
return result;
} else {
printf("Start tls success.\n");
}
LDAPMessage *resultm;
struct timeval timeout;
result = ldap_result(ldap, msgidp, 0, &timeout, &resultm );
if ( result == -1 || result == 0 ) {
printf("ldap_result failed;retC=%d \n", result);
return result;
}
result = ldap_parse_extended_result(ldap, resultm, NULL, NULL, 0 );
if ( result == LDAP_SUCCESS ) {
result = ldap_install_tls (ldap);
printf("installing tls... %s\n", ldap_err2string(result));
}
int request_id = 0;
result = ldap_sasl_bind(ldap, "", LDAP_SASL_SIMPLE, NULL, 0, 0, &request_id);
if ( result != LDAP_SUCCESS ) {
fprintf(stderr, "ldap_x_bind_s: %s\n", ldap_err2string(result));
printf("LDAP bind error .. %d\n", result);
return(EXIT_FAILURE);
} else {
printf("LDAP connection successful.\n");
}
ldap_unbind(ldap);
return(EXIT_SUCCESS);
}
can someone help to check why my verify call-back is not called?

I think you need to set the callback on the SSL object directly instead of the context, so
void ldap_tls_cb(LDAP * ld, SSL * ssl, SSL_CTX * ctx, void * arg)
{
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_callback);
printf("verify call back is set...\n");
return;
}
The reason for this is that the SSL handle has already been initialised by the time your connect callback is called (see the OpenLDAP code), and
it's too late to set this callback through the context at that point:
If no special callback was set before, the default callback for the underlying ctx is used, that was valid at the time ssl was created with SSL_new(3).
OpenLDAP can be built with GnuTLS, so you may need to check that it's using OpenSSL before setting the callback. The LDAP_OPT_X_TLS_PACKAGE option could be used for this (note that I haven't tested this code):
char* package = NULL;
int result = ldap_get_option(NULL, LDAP_OPT_X_TLS_PACKAGE, (void *)&package);
if (result != LDAP_OPT_SUCCESS) {
ldap_perror(ldap, "ldap_get_option failed!");
return(EXIT_FAILURE);
} else {
if (strcmp(package, "OpenSSL") == 0) {
// Set your callback
}
ldap_memfree(package);
}

can t connect my ssh client to the remote machine

I've downloaded and compiled libssh 0.6.1 from libSSH and linked the ssh.lib,ssh.dll to a visual c++ project .
The code below compiles and run fine , but when calling ssh_connect() , it return -1 : Failed to connect : No error.
Also, I used putty to connect to my remote machine and it works fine.
here is my code:
// sshClient.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdlib.h>
#include <libssh/libssh.h>
int _tmain(int argc, _TCHAR* argv[])
{
ssh_session my_ssh_session;
int verbosity = SSH_LOG_PROTOCOL;
int port = 22;
char* host="127.0.0.1";
ssh_channel channel;
int rc;
//I create a session
my_ssh_session = ssh_new();
if (my_ssh_session == NULL)
exit(-1);
ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, host);
ssh_options_set(my_ssh_session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
ssh_options_set(my_ssh_session, SSH_OPTIONS_PORT, &port);
ssh_options_set(my_ssh_session, SSH_OPTIONS_USER,"true");
rc = ssh_connect(my_ssh_session);
if (rc != SSH_OK) {
fprintf(stderr, "Error connecting to 192.168.78.131 : %s\n", ssh_get_error(my_ssh_session));
exit(-1);
}
ssh_disconnect(my_ssh_session);
ssh_free(my_ssh_session);
//Here I create a channel
channel = ssh_channel_new(my_ssh_session);
if (channel == NULL)
return SSH_ERROR;
if (SSH_OK != ssh_channel_open_session(channel)) {
printf("ssh_channel_open_session");
ssh_channel_free(channel);
return rc;
}
//My remote command ls -l under true Folder
rc = ssh_channel_request_exec(channel, "ls -l");
if (rc != SSH_OK){ ssh_channel_close(channel);
ssh_channel_free(channel);
return rc;
}
char buffer[256];
unsigned int nbytes;
nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
while (nbytes > 0){
if (fwrite(buffer, 1, nbytes, stdout) != nbytes)
{ ssh_channel_close(channel);
ssh_channel_free(channel);
return SSH_ERROR;
}
nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
}
if (nbytes < 0){
ssh_channel_close(channel);
ssh_channel_free(channel);
return SSH_ERROR;
}
ssh_channel_send_eof(channel);
ssh_channel_close(channel);
ssh_channel_free(channel);
ssh_free(my_ssh_session);
system("pause");
return 0;
}

Check your host IP address. I guess you forgot to change the IP address in the example source file.

libssh2: How to send data through libssh2_channel_write

EDIT:
Here's the complete code. modified the code to work with a router but the use case is same. Once i issue the password using libssh2_channel_write() subsequent libssh2_channel_read() fails with LIBSSH2_ERROR_SOCKET_RECV. Not sure why. I am unable to send subsequent commands to the remote device and get their output.
Logic was to execute a command on the remote device ( libssh2_channel_exec ). This command execution would throw a password to be entered by the client. Now read the stream via libssh2_channel_read() and ensure that the password is being asked and write the password to the channel via libssh2_channel_write(). Ensure the password is accepted on the remote device by doing subsequent reads [ THIS IS WHERE THE LIB IS FAILING WITH ERROR_SOCKET_RECV ] and then send the command to be executed via libssh2_channel_write() and read the command output. Am i missing something ?
for( ;; )
{
/* loop until we block */
int rc;
do
{
char buffer[0x4000];
rc = libssh2_channel_read( channel, buffer, sizeof(buffer) );
if( rc > 0 )
{
int i;
char *enable = "check-password\n";
int ret;
bytecount += rc;
fprintf(stderr, "We read [%d] bytes:\n", bytecount);
fputc('[', stderr);
for( i=0; i < rc; ++i )
fputc( buffer[i], stderr);
fputc(']', stderr);
if ( strstr(buffer, "Password:") != NULL ){
fprintf(stderr, "Sending the password now\n");
while((ret = libssh2_channel_write(channel, enable, strlen(enable))) == LIBSSH2_ERROR_EAGAIN) {
printf("ERROR_EAGAIN - sending password again\n");
}
fprintf(stderr, "Wrote [%d] bytes: \n", ret);
flag = 1;
continue;
}
if (!flag){ // start
char *cmd = "show clock\n";
int ret;
fprintf(stderr, "THIS Fetching show clock command now\n");
while((ret = libssh2_channel_write(channel, cmd, strlen(cmd))) == LIBSSH2_ERROR_EAGAIN) {
printf("ERROR_EAGAIN - sending show clock again\n");
}
flag = 1;
} // end
}
else {
if(rc != LIBSSH2_ERROR_EAGAIN)
fprintf(stderr, "libssh2_channel_read returned [%d]:\n ", rc);
}
}
while( rc > 0 );
/* this is due to blocking that would occur otherwise so we loop on
this condition */
if( rc == LIBSSH2_ERROR_EAGAIN )
{
int check;
check = waitsocket(sock, session);
}
else
break;
}

Unable to capture the IPv6 multicast traffic for Windows 8

Following is the function I wrote to capture IPv6 multicast data coming on multicast address ff02::1 and port 9154.
This code works fine on Windows Vista and Windows 7. But I am unable to capture the same traffic for Windows 8 (none of the winsock functions returns error for Win8).
Using netstat I am able to verify that my application is using this port.
Can any one help?
void func()
{
int multicastChannel = 0;
char multicastIP[] = "FF02::1";
char multicastPort[] = "9154";
ADDRINFO* multicastAddr = NULL;
ADDRINFO* localAddr = NULL;
ADDRINFO hints = { 0 };
struct ipv6_mreq multicastRequest6;
hints.ai_family = PF_UNSPEC;
hints.ai_flags = AI_NUMERICHOST;
if ( getaddrinfo(multicastIP, NULL, &hints, &multicastAddr) != 0 )
{
printf("getaddrinfo() failed");
return;
}
hints.ai_family = multicastAddr->ai_family;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_flags = AI_PASSIVE;
if ( getaddrinfo(NULL, multicastPort, &hints, &localAddr) != 0 )
{
printf("getaddrinfo() failed");
return;
}
multicastChannel = socket(localAddr->ai_family, localAddr->ai_socktype, 0);
if ( bind(multicastChannel, localAddr->ai_addr, localAddr->ai_addrlen) != 0 )
{
printf("bind() failed");
return;
}
memcpy(&multicastRequest6.ipv6mr_multiaddr,
&((struct sockaddr_in6*)(multicastAddr->ai_addr))->sin6_addr,
sizeof(multicastRequest6.ipv6mr_multiaddr));
multicastRequest6.ipv6mr_interface = 0;
if ( setsockopt(multicastChannel,
IPPROTO_IPV6,
IPV6_ADD_MEMBERSHIP,
(char*) &multicastRequest6,
sizeof(multicastRequest6)) != 0 )
{
ERROR_ReportError("setsockopt() failed");
}
freeaddrinfo(localAddr);
freeaddrinfo(multicastAddr);
ioctlsocket(multicastChannel, FIONBIO, &arg);
sockaddr_in6 fromAddr;
while(1)
{
read = recvfrom(multicastChannel,
data,
1500,
0,
(struct sockaddr*)&fromAddr,
&sizeof(sockaddr_in6);
if (read > 0) {
function();
}
}
}

udp winsock programming

I'm the beginner in socket programming. I want to receive udp packets continuously from the port. For that I created socket and using bind and recv calls I have done with my program. In a buffer I'm storing the udp packets. How to receive packet by packet. How to put condition for particular time interval? Thanks in advance.
static int recvData = 1;
sockID = socket(AF_INET, SOCK_DGRAM, 0);
if(sockID < 0)
{
printf("Socket creation error\n");
WSACleanup();
}
else
{
printf("Socket Created\n");
}
fepAddr.sin_family = AF_INET;
fepAddr.sin_port = htons(inputData.portNo);
fepAddr.sin_addr.s_addr = inet_addr(inputData.destIPAddr);
if (bind(sockID, (struct sockaddr *)&fepAddr, sizeof(fepAddr)) == SOCKET_ERROR)
{
printf("bind() failed: %ld.\n", WSAGetLastError());
closesocket(sockID);
return 0;
}
else
{
printf("bind() is OK!\n");
}
memset(udpBuf,sizeof(udpBuf),0);
while (recvData)
{
printf("receiving data\n");
recvResult = recvfrom( sockID, udpBuf, sizeof(udpBuf), 0,(struct sockaddr *)&fepAddr, &sock_len);
fprintf(udp, "%s", udpBuf);
//fwrite(udpBuf, sizeof(udpBuf), 1, udp);
recvData-- ;
}
exit:
if(udp)
{
fclose(udp);
udp = 0;
}
//shutdown socket
closesocket(sockID);
fclose(udp);

recvfrom() receives UDP data packet-by-packet. If a given packet is too large, recvfrom() will return an error. As for timing, you can use select() to know when the socket is readable.
Try something like this:
sockID = socket(AF_INET, SOCK_DGRAM, 0);
if (sockID == INVALID_SOCKET)
{
printf("Socket creation error\n");
goto exit;
}
printf("Socket Created\n");
memset(&fepAddr, 0, sizeof(fepAddr));
fepAddr.sin_family = AF_INET;
fepAddr.sin_port = htons(inputData.portNo);
fepAddr.sin_addr.s_addr = inet_addr(inputData.destIPAddr);
if (bind(sockID, (struct sockaddr *)&fepAddr, sizeof(fepAddr)) == SOCKET_ERROR)
{
printf("bind() failed: %ld.\n", WSAGetLastError());
goto exit;
}
printf("bind() is OK!\n");
memset(udpBuf, 0, sizeof(udpBuf));
printf("receiving data\n");
while (...)
{
printf(".");
recvResult = recvfrom(sockID, udpBuf, sizeof(udpBuf), 0, (struct sockaddr *)&fepAddr, &addr_len);
if (recvResult == SOCKET_ERROR)
{
if (WSAGetLastError() != WSAEWOULDBLOCK)
{
printf("\nrecvfrom() failed: %ld.\n", WSAGetLastError());
goto exit;
}
fd_set fd;
FD_ZERO(&fd);
FD_SET(sockID, &fd);
timeval t;
t.tv_sec = ...; // seconds
t.tv_usec = ...; // microseconds
selectResult = select(0, &fd, NULL, NULL, &t);
if (selectResult == SOCKET_ERROR)
{
printf("\nselect() failed: %ld.\n", WSAGetLastError());
goto exit;
}
if (selectResult == 0)
{
printf("\nsocket timed out.\n");
goto exit;
}
continue;
}
if (recvResult > 0)
fwrite(udpBuf, recvResult, 1, udp);
}
exit:
if (udp != 0)
{
fclose(udp);
udp = 0;
}
if (sockID != INVALID_SOCKET)
{
closesocket(sockID);
sockID = INVALID_SOCKET;
}