Implement verify server cert on linux

src/libraries/Common/src/Interop/Interop.Ldap.cs

@@ -159,6 +159,8 @@ internal enum LdapOption
         LDAP_OPT_NETWORK_TIMEOUT = 0x5005, // Not Supported in Windows
         LDAP_OPT_URI = 0x5006, // Not Supported in Windows
         LDAP_OPT_X_TLS_CACERTDIR = 0x6003, // Not Supported in Windows
+        LDAP_OPT_X_TLS_CONNECT_CB = 0x600c, // Not Supported in Windows
+        LDAP_OPT_X_TLS_CONNECT_ARG = 0x600d, // Not Supported in Windows
         LDAP_OPT_X_TLS_NEWCTX = 0x600F, // Not Supported in Windows
         LDAP_OPT_X_SASL_REALM = 0x6101,
         LDAP_OPT_X_SASL_AUTHCID = 0x6102,

src/libraries/Common/src/Interop/Linux/OpenLdap/Interop.Ldap.cs

@@ -61,6 +61,9 @@ internal enum SaslChallengeType
 
 internal delegate int LDAP_SASL_INTERACT_PROC(IntPtr ld, uint flags, IntPtr defaults, IntPtr interact);
 
+[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
+internal delegate int LDAP_TLS_CONNECT_CB(IntPtr ld, IntPtr ssl, IntPtr ctx, IntPtr arg);
+
 internal static partial class Interop
 {
     public const string LDAP_SASL_SIMPLE = null;
@@ -156,15 +159,18 @@ public static partial int ldap_search(
         [LibraryImport(Libraries.OpenLdap, EntryPoint = "ldap_set_option")]
         public static partial int ldap_set_option_clientcert(ConnectionHandle ldapHandle, LdapOption option, QUERYCLIENTCERT outValue);
 
-        [LibraryImport(Libraries.OpenLdap, EntryPoint = "ldap_set_option")]
-        public static partial int ldap_set_option_servercert(ConnectionHandle ldapHandle, LdapOption option, VERIFYSERVERCERT outValue);
-
         [LibraryImport(Libraries.OpenLdap, EntryPoint = "ldap_set_option", SetLastError = true)]
         public static partial int ldap_set_option_int(ConnectionHandle ld, LdapOption option, ref int inValue);
 
         [LibraryImport(Libraries.OpenLdap, EntryPoint = "ldap_set_option")]
         public static partial int ldap_set_option_ptr(ConnectionHandle ldapHandle, LdapOption option, ref IntPtr inValue);
 
+        //[LibraryImport(Libraries.OpenLdap, EntryPoint = "ldap_set_option")]
+        //public static partial int ldap_set_option_ptr(IntPtr ldapHandle, LdapOption option, ref IntPtr inValue);
+
+        [LibraryImport(Libraries.OpenLdap, EntryPoint = "ldap_set_option")]
+        internal static partial int ldap_set_option_ptr_value(ConnectionHandle ldapHandle, LdapOption option, IntPtr inValue);
+
         [LibraryImport(Libraries.OpenLdap, EntryPoint = "ldap_set_option")]
         public static partial int ldap_set_option_string(ConnectionHandle ldapHandle, LdapOption option, [MarshalAs(UnmanagedType.LPUTF8Str)] string inValue);
 

src/libraries/Common/src/Interop/Linux/OpenSsl/Interop.OpenSsl.cs

@@ -0,0 +1,53 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Runtime.InteropServices;
+
+internal static partial class Interop
+{
+    internal static partial class OpenSsl
+    {
+        // Targeting OpenSSL 3
+        private const string LibSsl = "libssl.so.3";
+        private const string LibCrypto = "libcrypto.so.3";
+
+        internal const int SSL_VERIFY_NONE = 0x00;
+        internal const int SSL_VERIFY_PEER = 0x01;
+
+        // OpenSSL: int (*callback)(int preverify_ok, X509_STORE_CTX *x509_ctx);
+        [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
+        internal delegate int VerifyCallback(int preverify_ok, IntPtr x509StoreCtx);
+
+        [LibraryImport(LibSsl, EntryPoint = "SSL_set_verify")]
+        internal static partial void SSL_set_verify(
+            IntPtr ssl,
+            int mode,
+            VerifyCallback callback);
+
+        // Reserved for future use
+        [LibraryImport(LibSsl, EntryPoint = "SSL_CTX_set_verify")]
+        internal static partial void SSL_CTX_set_verify(
+            IntPtr ctx,
+            int mode,
+            VerifyCallback callback);
+
+        [LibraryImport(LibCrypto, EntryPoint = "X509_STORE_CTX_get_current_cert")]
+        internal static partial IntPtr X509_STORE_CTX_get_current_cert(IntPtr ctx);
+
+        [LibraryImport(LibCrypto, EntryPoint = "X509_STORE_CTX_get_error_depth")]
+        internal static partial int X509_STORE_CTX_get_error_depth(IntPtr ctx);
+
+        // Reserved for future use
+        [LibraryImport(LibCrypto, EntryPoint = "X509_STORE_CTX_get_error")]
+        internal static partial int X509_STORE_CTX_get_error(IntPtr ctx);
+
+        // int i2d_X509(X509 *a, unsigned char **out);
+        [LibraryImport(LibCrypto, EntryPoint = "i2d_X509")]
+        internal static partial int i2d_X509(IntPtr x509, ref IntPtr pp);
+
+        // void CRYPTO_free(void *ptr, const char *file, int line);
+        [LibraryImport(LibCrypto, EntryPoint = "CRYPTO_free")]
+        internal static partial void CRYPTO_free(IntPtr ptr, IntPtr file, int line);
+    }
+}

src/libraries/Common/src/Interop/Windows/Wldap32/Interop.Ldap.cs

@@ -6,6 +6,9 @@
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 
+[UnmanagedFunctionPointer(CallingConvention.Cdecl)]
+internal delegate Interop.BOOL VERIFYSERVERCERT(IntPtr Connection, IntPtr pServerCert);
+
 internal static partial class Interop
 {
     internal static partial class Ldap

src/libraries/System.DirectoryServices.Protocols/src/System.DirectoryServices.Protocols.csproj

@@ -85,6 +85,7 @@
     <Compile Include="$(CommonPath)System\LocalAppContextSwitches.Common.cs" Link="Common\System\LocalAppContextSwitches.Common.cs" />
     <Compile Include="$(CommonPath)Interop\Linux\OpenLdap\Interop.Ldap.cs" Link="Common\Interop\Linux\OpenLdap\Interop.Ldap.cs" />
     <Compile Include="$(CommonPath)Interop\Linux\OpenLdap\Interop.Ber.cs" Link="Common\Interop\Linux\OpenLdap\Interop.Ber.cs" />
+    <Compile Include="$(CommonPath)Interop\Linux\OpenSsl\Interop.OpenSsl.cs" Link="Common\Interop\Linux\OpenSsl\Interop.OpenSsl.cs" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetPlatformIdentifier)' == 'linux'">

src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/Interop/LdapPal.Linux.cs

@@ -117,8 +117,11 @@ internal static int SearchDirectory(ConnectionHandle ldapHandle, string dn, int
 
         internal static int SetTimevalOption(ConnectionHandle ldapHandle, LdapOption option, ref LDAP_TIMEVAL inValue) => Interop.Ldap.ldap_set_option_timeval(ldapHandle, option, ref inValue);
 
-        // This option is not supported in Linux, so it would most likely throw.
-        internal static int SetServerCertOption(ConnectionHandle ldapHandle, LdapOption option, VERIFYSERVERCERT outValue) => Interop.Ldap.ldap_set_option_servercert(ldapHandle, option, outValue);
+        internal static int SetServerCertOption(ConnectionHandle ldapHandle, LdapOption option, IntPtr inValue)
+        {
+            IntPtr functionPointer = inValue;
+            return Interop.Ldap.ldap_set_option_ptr(ldapHandle, option, ref functionPointer);
+        }
 
         internal static unsafe int BindToDirectory(ConnectionHandle ld, string who, string passwd)
         {

src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapSessionOptions.Linux.cs

@@ -3,14 +3,105 @@
 
 using System.ComponentModel;
 using System.IO;
+using System.Security.Cryptography.X509Certificates;
+using System.Runtime.InteropServices;
 using System.Runtime.Versioning;
 
 namespace System.DirectoryServices.Protocols
 {
     public partial class LdapSessionOptions
     {
+        private int _verifyCallbackInvoked;
+        private int _verifyCallbackResult;
+        private LDAP_TLS_CONNECT_CB _serverCertificateRoutine;
+        private Interop.OpenSsl.VerifyCallback? _openSslVerifyRoutine;
+
+        private void InitializeServerCertificateDelegate()
+        {
+            _verifyCallbackInvoked = 0;
+            _verifyCallbackResult = 0;
+            _serverCertificateRoutine = new LDAP_TLS_CONNECT_CB(SetOpenSslCallback);
+            _openSslVerifyRoutine ??= new Interop.OpenSsl.VerifyCallback(ProcessServerCertificate);
+        }
+
         static partial void PALCertFreeCRLContext(IntPtr certPtr);
 
+        private int SetOpenSslCallback(IntPtr ld, IntPtr ssl, IntPtr ctx, IntPtr arg)
+        {
+            Interop.OpenSsl.SSL_set_verify(ssl, Interop.OpenSsl.SSL_VERIFY_PEER, _openSslVerifyRoutine);
+
+            return 1; // continue the handshake
+        }
+
+        private int ProcessServerCertificate(int preverify_ok, IntPtr x509StoreCtx)
+        {
+            if (_serverCertificateDelegate == null)
+            {
+                return preverify_ok;
+            }
+
+            int depth = Interop.OpenSsl.X509_STORE_CTX_get_error_depth(x509StoreCtx);
+            if (depth != 0)
+            {
+                return 1;
+            }
+
+            // The callback is only expected to be invoked once per connection, but if it is invoked multiple times, the result from the first invocation will be returned.
+            // This emulates Windows behavior.
+            if (System.Threading.Interlocked.CompareExchange(ref _verifyCallbackInvoked, 1, 0) != 0)
+            {
+                return System.Threading.Volatile.Read(ref _verifyCallbackResult);
+            }
+
+            int result = 0;
+            X509Certificate? cert = TryGetX509Certificate2FromStoreCtx(x509StoreCtx);
+            if (cert == null)
+            {
+                System.Threading.Volatile.Write(ref _verifyCallbackResult, 0);
+                return 0;
+            }
+
+            try
+            {
+                result = _serverCertificateDelegate(_connection, cert) ? 1 : 0;
+                return result;
+            }
+            catch
+            {
+                result = 0;
+                return 0;
+            }
+            finally
+            {
+                cert.Dispose();
+                System.Threading.Volatile.Write(ref _verifyCallbackResult, result);
+            }
+        }
+
+        private static X509Certificate2? TryGetX509Certificate2FromStoreCtx(IntPtr x509StoreCtx)
+        {
+            IntPtr x509 = Interop.OpenSsl.X509_STORE_CTX_get_current_cert(x509StoreCtx);
+            if (x509 == IntPtr.Zero)
+                return null;
+
+            // OpenSSL will allocate a buffer and write its address into pp if pp starts as NULL.
+            IntPtr pDer = IntPtr.Zero;
+            int len = Interop.OpenSsl.i2d_X509(x509, ref pDer);
+            if (len <= 0 || pDer == IntPtr.Zero)
+                return null;
+
+            try
+            {
+                byte[] der = new byte[len];
+                Marshal.Copy(pDer, der, 0, len);
+                return X509CertificateLoader.LoadCertificate(der);
+            }
+            finally
+            {
+                Interop.OpenSsl.CRYPTO_free(pDer, IntPtr.Zero, 0);
+            }
+        }
+
         private bool _secureSocketLayer;
 
         /// <summary>
@@ -76,6 +167,36 @@ public ReferralChasingOptions ReferralChasing
             }
         }
 
+        public VerifyServerCertificateCallback? VerifyServerCertificate
+        {
+            get
+            {
+                if (_connection._disposed)
+                {
+                    throw new ObjectDisposedException(GetType().Name);
+                }
+
+                return _serverCertificateDelegate;
+            }
+            set
+            {
+                if (_connection._disposed)
+                {
+                    throw new ObjectDisposedException(GetType().Name);
+                }
+
+                if (value != null)
+                {
+                    IntPtr functionPointer = Marshal.GetFunctionPointerForDelegate(_serverCertificateRoutine);
+                    int error = Interop.Ldap.ldap_set_option_ptr_value(_connection._ldapHandle, LdapOption.LDAP_OPT_X_TLS_CONNECT_CB, functionPointer);
+
+                    ErrorChecking.CheckAndSetLdapError(error);
+                }
+
+                _serverCertificateDelegate = value;
+            }
+        }
+
         /// <summary>
         /// Create a new TLS library context.
         /// Calling this is necessary after setting TLS-based options, such as <c>TrustedCertificatesDirectory</c>.

src/libraries/System.DirectoryServices.Protocols/src/System/DirectoryServices/Protocols/ldap/LdapSessionOptions.Windows.cs

@@ -3,13 +3,48 @@
 
 using System.ComponentModel;
 using System.Runtime.Versioning;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using System.Security.Cryptography.X509Certificates;
 
 namespace System.DirectoryServices.Protocols
 {
     public partial class LdapSessionOptions
     {
+        private VERIFYSERVERCERT _serverCertificateRoutine;
+
+        private void InitializeServerCertificateDelegate()
+        {
+            _serverCertificateRoutine = new VERIFYSERVERCERT(ProcessServerCertificate);
+        }
+
         private static void PALCertFreeCRLContext(IntPtr certPtr) => Interop.Ldap.CertFreeCRLContext(certPtr);
 
+        private Interop.BOOL ProcessServerCertificate(IntPtr connection, IntPtr serverCert)
+        {
+            // If callback is not specified by user, it means the server certificate is accepted.
+            bool value = true;
+            if (_serverCertificateDelegate != null)
+            {
+                IntPtr certPtr = IntPtr.Zero;
+                X509Certificate certificate = null;
+                try
+                {
+                    Debug.Assert(serverCert != IntPtr.Zero);
+                    certPtr = Marshal.ReadIntPtr(serverCert);
+                    certificate = new X509Certificate(certPtr);
+                }
+                finally
+                {
+                    PALCertFreeCRLContext(certPtr);
+                }
+
+                value = _serverCertificateDelegate(_connection, certificate);
+            }
+
+            return value ? Interop.BOOL.TRUE : Interop.BOOL.FALSE;
+        }
+
         [UnsupportedOSPlatform("windows")]
         public string TrustedCertificatesDirectory
         {
@@ -52,6 +87,34 @@ public ReferralChasingOptions ReferralChasing
             }
         }
 
+        public VerifyServerCertificateCallback VerifyServerCertificate
+        {
+            get
+            {
+                if (_connection._disposed)
+                {
+                    throw new ObjectDisposedException(GetType().Name);
+                }
+
+                return _serverCertificateDelegate;
+            }
+            set
+            {
+                if (_connection._disposed)
+                {
+                    throw new ObjectDisposedException(GetType().Name);
+                }
+
+                if (value != null)
+                {
+                    int error = LdapPal.SetServerCertOption(_connection._ldapHandle, LdapOption.LDAP_OPT_SERVER_CERTIFICATE, _serverCertificateRoutine);
+                    ErrorChecking.CheckAndSetLdapError(error);
+                }
+
+                _serverCertificateDelegate = value;
+            }
+        }
+
         // In practice, this apparently rarely if ever contains useful text
         internal string ServerErrorMessage => GetStringValueHelper(LdapOption.LDAP_OPT_SERVER_ERROR, true);
     }