Implement OPT_X_TLS_PEERCERT

tiran · tiran · commit f5d29eae8a72 · 2021-09-15T13:19:19.000+02:00
LDAP_OPT_X_TLS_PEERCERT requires a non-NULL berval. Its bv_val must be
de-allocated with ber_memfree().

Signed-off-by: Christian Heimes &lt;cheimes@redhat.com&gt;
diff --git a/Modules/options.c b/Modules/options.c
@@ -59,6 +59,9 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
     case LDAP_OPT_API_FEATURE_INFO:
 #ifdef HAVE_SASL
     case LDAP_OPT_X_SASL_SSF:
+#endif
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+    case LDAP_OPT_X_TLS_PEERCERT:
 #endif
         /* Read-only options */
         PyErr_SetString(PyExc_ValueError, "read-only option");
@@ -250,14 +253,16 @@ LDAP_get_option(LDAPObject *self, int option)
 {
     int res;
     int intval;
-    struct berval *bv;
     struct timeval *tv;
     LDAPAPIInfo apiinfo;
     LDAPControl **lcs;
     char *strval;
 #if HAVE_SASL
     /* unsigned long */
     ber_len_t blen;
+#endif
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+    struct berval bv = {0, 0};
 #endif
     PyObject *extensions, *v;
     Py_ssize_t i, num_extensions;
@@ -428,18 +433,20 @@ LDAP_get_option(LDAPObject *self, int option)
         return v;
 #ifdef LDAP_OPT_X_TLS_PEERCERT
     case LDAP_OPT_X_TLS_PEERCERT:
-#endif
-        /* Berval-valued options */
         res = LDAP_int_get_option(self, option, &bv);
-        if (res != LDAP_OPT_SUCCESS)
+        if (res != LDAP_OPT_SUCCESS) {
             return option_error(res, "ldap_get_option");
-        if (bv == NULL) {
-            Py_INCREF(Py_None);
-            return Py_None;
         }
-        v = LDAPberval_to_object(bv);
-        ldap_memfree(bv);
-        return v;
+        if (bv.bv_len == 0) {
+            Py_RETURN_NONE;
+        } else {
+            v = LDAPberval_to_object(&bv);
+            /* bv_val memory is allocated with ber_memalloc_x()
+             * context allocation/dealloc is a private API. */
+            ber_memfree(bv.bv_val);
+            return v;
+        }
+#endif
     default:
         PyErr_Format(PyExc_ValueError, "unknown option %d", option);
         return NULL;
diff --git a/Tests/t_ldapobject.py b/Tests/t_ldapobject.py
@@ -20,6 +20,11 @@
 from slapdtest import requires_ldapi, requires_sasl, requires_tls
 from slapdtest import requires_init_fd
 
+try:
+    from ssl import PEM_cert_to_DER_cert
+except ImportError:
+    PEM_cert_to_DER_cert = None
+
 
 LDIF_TEMPLATE = """dn: %(suffix)s
 objectClass: dcObject
@@ -416,9 +421,38 @@ def test_multiple_starttls(self):
             l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
             l.start_tls_s()
             l.simple_bind_s(self.server.root_dn, self.server.root_pw)
-            self.assertEqual(l.get_option(ldap.OPT_X_TLS_PEERCERT), b"eg")
             self.assertEqual(l.whoami_s(), 'dn:' + self.server.root_dn)
 
+    @requires_tls()
+    @unittest.skipUnless(
+        hasattr(ldap, "OPT_X_TLS_PEERCERT"),
+        reason="Requires OPT_X_TLS_PEERCERT"
+    )
+    def test_get_tls_peercert(self):
+        l = self.ldap_object_class(self.server.ldap_uri)
+        peercert = l.get_option(ldap.OPT_X_TLS_PEERCERT)
+        self.assertEqual(peercert, None)
+        with self.assertRaises(ValueError):
+            l.set_option(ldap.OPT_X_TLS_PEERCERT, b"")
+
+        l.set_option(ldap.OPT_X_TLS_CACERTFILE, self.server.cafile)
+        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+        l.start_tls_s()
+
+        peercert = l.get_option(ldap.OPT_X_TLS_PEERCERT)
+        self.assertTrue(peercert)
+        self.assertIsInstance(peercert, bytes)
+
+        if PEM_cert_to_DER_cert is not None:
+            with open(self.server.servercert) as f:
+                server_pem = f.read()
+            # remove text
+            begin = server_pem.find("-----BEGIN CERTIFICATE-----")
+            server_pem = server_pem[begin:-1]
+
+            server_der = PEM_cert_to_DER_cert(server_pem)
+            self.assertEqual(server_der, peercert)
+
     def test_dse(self):
         dse = self._ldap_conn.read_rootdse_s()
         self.assertIsInstance(dse, dict)
