1 /* tls_g.c - Handle tls/ssl using GNUTLS. */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2008-2014 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* ACKNOWLEDGEMENTS: GNUTLS support written by Howard Chu and
17 * Emily Backes; sponsored by The Written Word (thewrittenword.com)
18 * and Stanford University (stanford.edu).
25 #include "ldap_config.h"
29 #include <ac/stdlib.h>
31 #include <ac/socket.h>
32 #include <ac/string.h>
35 #include <ac/unistd.h>
37 #include <ac/dirent.h>
44 #include <gnutls/gnutls.h>
45 #include <gnutls/x509.h>
47 #if LIBGNUTLS_VERSION_NUMBER >= 0x020200
48 #define HAVE_CIPHERSUITES 1
50 #undef HAVE_CIPHERSUITES
53 #ifndef HAVE_CIPHERSUITES
54 /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
55 * kludge them ourselves.
57 typedef struct tls_cipher_suite {
59 gnutls_kx_algorithm_t kx;
60 gnutls_cipher_algorithm_t cipher;
61 gnutls_mac_algorithm_t mac;
62 gnutls_protocol_t version;
66 typedef struct tlsg_ctx {
67 struct ldapoptions *lo;
68 gnutls_certificate_credentials_t cred;
69 gnutls_dh_params_t dh_params;
70 unsigned long verify_depth;
72 #ifdef HAVE_CIPHERSUITES
73 gnutls_priority_t prios;
80 ldap_pvt_thread_mutex_t ref_mutex;
84 typedef struct tlsg_session {
85 gnutls_session_t session;
87 struct berval peer_der_dn;
90 #ifndef HAVE_CIPHERSUITES
91 static tls_cipher_suite *tlsg_ciphers;
92 static int tlsg_n_ciphers;
95 static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
96 static int tlsg_cert_verify( tlsg_session *s );
101 tlsg_mutex_init( void **priv )
104 ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
109 err = ldap_pvt_thread_mutex_init( lock );
119 tlsg_mutex_destroy( void **lock )
121 int err = ldap_pvt_thread_mutex_destroy( *lock );
127 tlsg_mutex_lock( void **lock )
129 return ldap_pvt_thread_mutex_lock( *lock );
133 tlsg_mutex_unlock( void **lock )
135 return ldap_pvt_thread_mutex_unlock( *lock );
139 tlsg_thr_init( void )
141 gnutls_global_set_mutex (tlsg_mutex_init,
146 #endif /* LDAP_R_COMPILE */
149 * Initialize TLS subsystem. Should be called only once.
154 gnutls_global_init();
156 #ifndef HAVE_CIPHERSUITES
157 /* GNUtls cipher suite handling: The library ought to parse suite
158 * names for us, but it doesn't. It will return a list of suite names
159 * that it supports, so we can do parsing ourselves. It ought to tell
160 * us how long the list is, but it doesn't do that either, so we just
161 * have to count it manually...
165 tls_cipher_suite *ptr, tmp;
168 while ( gnutls_cipher_suite_info( i, cs_id, &tmp.kx, &tmp.cipher,
169 &tmp.mac, &tmp.version ))
174 tlsg_ciphers = LDAP_MALLOC(tlsg_n_ciphers * sizeof(tls_cipher_suite));
177 for ( i=0; i<tlsg_n_ciphers; i++ ) {
178 tlsg_ciphers[i].name = gnutls_cipher_suite_info( i, cs_id,
179 &tlsg_ciphers[i].kx, &tlsg_ciphers[i].cipher, &tlsg_ciphers[i].mac,
180 &tlsg_ciphers[i].version );
188 * Tear down the TLS subsystem. Should only be called once.
193 #ifndef HAVE_CIPHERSUITES
194 LDAP_FREE( tlsg_ciphers );
198 gnutls_global_deinit();
202 tlsg_ctx_new ( struct ldapoptions *lo )
206 ctx = ber_memcalloc ( 1, sizeof (*ctx) );
209 if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
214 #ifdef HAVE_CIPHERSUITES
215 gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
217 #ifdef LDAP_R_COMPILE
218 ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
221 return (tls_ctx *)ctx;
225 tlsg_ctx_ref( tls_ctx *ctx )
227 tlsg_ctx *c = (tlsg_ctx *)ctx;
228 LDAP_MUTEX_LOCK( &c->ref_mutex );
230 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
234 tlsg_ctx_free ( tls_ctx *ctx )
236 tlsg_ctx *c = (tlsg_ctx *)ctx;
241 LDAP_MUTEX_LOCK( &c->ref_mutex );
242 refcount = --c->refcount;
243 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
246 #ifdef HAVE_CIPHERSUITES
247 gnutls_priority_deinit( c->prios );
249 LDAP_FREE( c->kx_list );
251 gnutls_certificate_free_credentials( c->cred );
253 gnutls_dh_params_deinit( c->dh_params );
258 tlsg_getfile( const char *path, gnutls_datum_t *buf )
263 fd = open( path, O_RDONLY );
264 if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
265 buf->size = st.st_size;
266 buf->data = LDAP_MALLOC( st.st_size + 1 );
268 rc = read( fd, buf->data, st.st_size );
270 if ( rc < st.st_size )
279 /* This is the GnuTLS default */
280 #define VERIFY_DEPTH 6
283 * initialize a new TLS context
286 tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
288 tlsg_ctx *ctx = lo->ldo_tls_ctx;
291 if ( lo->ldo_tls_ciphersuite &&
292 tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
293 Debug( LDAP_DEBUG_ANY,
294 "TLS: could not set cipher list %s.\n",
295 lo->ldo_tls_ciphersuite, 0, 0 );
299 if (lo->ldo_tls_cacertdir != NULL) {
300 Debug( LDAP_DEBUG_ANY,
301 "TLS: warning: cacertdir not implemented for gnutls\n",
305 if (lo->ldo_tls_cacertfile != NULL) {
306 rc = gnutls_certificate_set_x509_trust_file(
309 GNUTLS_X509_FMT_PEM );
310 if ( rc < 0 ) return -1;
313 if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
314 gnutls_x509_privkey_t key;
316 gnutls_x509_crt_t certs[VERIFY_DEPTH];
317 unsigned int max = VERIFY_DEPTH;
319 rc = gnutls_x509_privkey_init( &key );
322 /* OpenSSL builds the cert chain for us, but GnuTLS
323 * expects it to be present in the certfile. If it's
324 * not, we have to build it ourselves. So we have to
325 * do some special checks here...
327 rc = tlsg_getfile( lt->lt_keyfile, &buf );
329 rc = gnutls_x509_privkey_import( key, &buf,
330 GNUTLS_X509_FMT_PEM );
331 LDAP_FREE( buf.data );
332 if ( rc < 0 ) return rc;
334 rc = tlsg_getfile( lt->lt_certfile, &buf );
336 rc = gnutls_x509_crt_list_import( certs, &max, &buf,
337 GNUTLS_X509_FMT_PEM, 0 );
338 LDAP_FREE( buf.data );
339 if ( rc < 0 ) return rc;
341 /* If there's only one cert and it's not self-signed,
342 * then we have to build the cert chain.
344 if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
345 #if GNUTLS_VERSION_NUMBER >= 0x020c00
347 for ( i = 1; i<VERIFY_DEPTH; i++ ) {
348 if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
351 /* If this CA is self-signed, we're done */
352 if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
356 gnutls_x509_crt_t *cas;
357 unsigned int i, j, ncas;
359 gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
360 for ( i = 1; i<VERIFY_DEPTH; i++ ) {
361 for ( j = 0; j<ncas; j++ ) {
362 if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
365 /* If this CA is self-signed, we're done */
366 if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
371 /* only continue if we found a CA and it was not self-signed */
377 rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
379 } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
380 Debug( LDAP_DEBUG_ANY,
381 "TLS: only one of certfile and keyfile specified\n",
386 if ( lo->ldo_tls_crlfile ) {
387 rc = gnutls_certificate_set_x509_crl_file(
390 GNUTLS_X509_FMT_PEM );
391 if ( rc < 0 ) return -1;
395 /* FIXME: ITS#5992 - this should be configurable,
396 * and V1 CA certs should be phased out ASAP.
398 gnutls_certificate_set_verify_flags( ctx->cred,
399 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
401 if ( is_server && lo->ldo_tls_dhfile ) {
403 rc = tlsg_getfile( lo->ldo_tls_dhfile, &buf );
405 rc = gnutls_dh_params_init( &ctx->dh_params );
407 rc = gnutls_dh_params_import_pkcs3( ctx->dh_params, &buf,
408 GNUTLS_X509_FMT_PEM );
409 LDAP_FREE( buf.data );
411 gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
417 tlsg_session_new ( tls_ctx * ctx, int is_server )
419 tlsg_ctx *c = (tlsg_ctx *)ctx;
420 tlsg_session *session;
422 session = ber_memcalloc ( 1, sizeof (*session) );
427 gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
428 #ifdef HAVE_CIPHERSUITES
429 gnutls_priority_set( session->session, c->prios );
431 gnutls_set_default_priority( session->session );
433 gnutls_kx_set_priority( session->session, c->kx_list );
434 gnutls_cipher_set_priority( session->session, c->cipher_list );
435 gnutls_mac_set_priority( session->session, c->mac_list );
439 gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
443 if ( c->lo->ldo_tls_require_cert ) {
444 flag = GNUTLS_CERT_REQUEST;
445 if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
446 c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
447 flag = GNUTLS_CERT_REQUIRE;
448 gnutls_certificate_server_set_request( session->session, flag );
451 return (tls_session *)session;
455 tlsg_session_accept( tls_session *session )
457 tlsg_session *s = (tlsg_session *)session;
460 rc = gnutls_handshake( s->session );
461 if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
462 const gnutls_datum_t *peer_cert_list;
463 unsigned int list_size;
465 peer_cert_list = gnutls_certificate_get_peers( s->session,
467 if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
470 rc = tlsg_cert_verify( s );
471 if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
479 tlsg_session_connect( LDAP *ld, tls_session *session )
481 return tlsg_session_accept( session);
485 tlsg_session_upflags( Sockbuf *sb, tls_session *session, int rc )
487 tlsg_session *s = (tlsg_session *)session;
489 if ( rc != GNUTLS_E_INTERRUPTED && rc != GNUTLS_E_AGAIN )
492 switch (gnutls_record_get_direction (s->session)) {
494 sb->sb_trans_needs_read = 1;
497 sb->sb_trans_needs_write = 1;
504 tlsg_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
506 return (char *)gnutls_strerror( rc );
510 tlsg_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
512 BerElementBuffer berbuf;
513 BerElement *ber = (BerElement *)&berbuf;
518 ber_init2( ber, cert, LBER_USE_DER );
519 tag = ber_skip_tag( ber, &len ); /* Sequence */
520 tag = ber_skip_tag( ber, &len ); /* Sequence */
521 tag = ber_peek_tag( ber, &len ); /* Context + Constructed (version) */
522 if ( tag == 0xa0 ) { /* Version is optional */
523 tag = ber_skip_tag( ber, &len );
524 tag = ber_get_int( ber, &i ); /* Int: Version */
526 tag = ber_skip_tag( ber, &len ); /* Int: Serial (can be longer than ber_int_t) */
527 ber_skip_data( ber, len );
528 tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
529 ber_skip_data( ber, len );
530 if ( !get_subject ) {
531 tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
533 tag = ber_skip_tag( ber, &len );
534 ber_skip_data( ber, len );
535 tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
536 ber_skip_data( ber, len );
537 tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
539 len = ber_ptrlen( ber );
540 dn->bv_val = cert->bv_val + len;
541 dn->bv_len = cert->bv_len - len;
545 tlsg_session_my_dn( tls_session *session, struct berval *der_dn )
547 tlsg_session *s = (tlsg_session *)session;
548 const gnutls_datum_t *x;
551 x = gnutls_certificate_get_ours( s->session );
553 if (!x) return LDAP_INVALID_CREDENTIALS;
555 bv.bv_val = (char *) x->data;
558 tlsg_x509_cert_dn( &bv, der_dn, 1 );
563 tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
565 tlsg_session *s = (tlsg_session *)session;
566 if ( !s->peer_der_dn.bv_val ) {
567 const gnutls_datum_t *peer_cert_list;
568 unsigned int list_size;
571 peer_cert_list = gnutls_certificate_get_peers( s->session,
573 if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
575 bv.bv_len = peer_cert_list->size;
576 bv.bv_val = (char *) peer_cert_list->data;
578 tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
580 *der_dn = s->peer_der_dn;
584 /* what kind of hostname were we given? */
589 #define CN_OID "2.5.4.3"
592 tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
594 tlsg_session *s = (tlsg_session *)session;
596 const gnutls_datum_t *peer_cert_list;
597 unsigned int list_size;
598 char altname[NI_MAXHOST];
601 gnutls_x509_crt_t cert;
606 struct in6_addr addr;
610 int len1 = 0, len2 = 0;
613 if( ldap_int_hostname &&
614 ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
616 name = ldap_int_hostname;
621 peer_cert_list = gnutls_certificate_get_peers( s->session,
623 if ( !peer_cert_list ) {
624 Debug( LDAP_DEBUG_ANY,
625 "TLS: unable to get peer certificate.\n",
627 /* If this was a fatal condition, things would have
628 * aborted long before now.
632 ret = gnutls_x509_crt_init( &cert );
634 return LDAP_LOCAL_ERROR;
635 ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
637 gnutls_x509_crt_deinit( cert );
638 return LDAP_LOCAL_ERROR;
642 if (inet_pton(AF_INET6, name, &addr)) {
646 if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
647 if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
650 if (ntype == IS_DNS) {
652 domain = strchr(name, '.');
654 len2 = len1 - (domain-name);
658 for ( i=0, ret=0; ret >= 0; i++ ) {
659 altnamesize = sizeof(altname);
660 ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
661 altname, &altnamesize, NULL );
662 if ( ret < 0 ) break;
665 if ( altnamesize == 0 ) continue;
667 if ( ret == GNUTLS_SAN_DNSNAME ) {
668 if (ntype != IS_DNS) continue;
670 /* Is this an exact match? */
671 if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
675 /* Is this a wildcard match? */
676 if (domain && (altname[0] == '*') && (altname[1] == '.') &&
677 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
681 } else if ( ret == GNUTLS_SAN_IPADDRESS ) {
682 if (ntype == IS_DNS) continue;
685 if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
689 if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
692 if (!memcmp(altname, &addr, altnamesize)) {
700 /* find the last CN */
704 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
705 i, 1, altname, &altnamesize );
706 if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER )
713 altnamesize = sizeof(altname);
714 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
715 i-1, 0, altname, &altnamesize );
719 Debug( LDAP_DEBUG_ANY,
720 "TLS: unable to get common name from peer certificate.\n",
722 ret = LDAP_CONNECT_ERROR;
723 if ( ld->ld_error ) {
724 LDAP_FREE( ld->ld_error );
726 ld->ld_error = LDAP_STRDUP(
727 _("TLS: unable to get CN from peer certificate"));
730 ret = LDAP_LOCAL_ERROR;
731 if ( !len1 ) len1 = strlen( name );
732 if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
735 } else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
736 /* Is this a wildcard match? */
738 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
744 if( ret == LDAP_LOCAL_ERROR ) {
745 altname[altnamesize] = '\0';
746 Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
747 "common name in certificate (%s).\n",
749 ret = LDAP_CONNECT_ERROR;
750 if ( ld->ld_error ) {
751 LDAP_FREE( ld->ld_error );
753 ld->ld_error = LDAP_STRDUP(
754 _("TLS: hostname does not match CN in peer certificate"));
757 gnutls_x509_crt_deinit( cert );
762 tlsg_session_strength( tls_session *session )
764 tlsg_session *s = (tlsg_session *)session;
765 gnutls_cipher_algorithm_t c;
767 c = gnutls_cipher_get( s->session );
768 return gnutls_cipher_get_key_size( c ) * 8;
772 tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
774 /* channel bindings added in 2.12.0 */
775 #if GNUTLS_VERSION_NUMBER >= 0x020c00
776 tlsg_session *s = (tlsg_session *)sess;
780 rc = gnutls_session_channel_binding( s->session, GNUTLS_CB_TLS_UNIQUE, &cb );
783 if ( len > buf->bv_len )
786 memcpy( buf->bv_val, cb.data, len );
794 tlsg_session_version( tls_session *sess )
796 tlsg_session *s = (tlsg_session *)sess;
797 return gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));
801 tlsg_session_cipher( tls_session *sess )
803 tlsg_session *s = (tlsg_session *)sess;
804 return gnutls_cipher_get_name(gnutls_cipher_get( s->session ));
808 tlsg_session_peercert( tls_session *sess, struct berval *der )
810 tlsg_session *s = (tlsg_session *)sess;
811 const gnutls_datum_t *peer_cert_list;
812 unsigned int list_size;
814 peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
817 der->bv_len = peer_cert_list[0].size;
818 der->bv_val = LDAP_MALLOC( der->bv_len );
821 memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
825 /* suites is a string of colon-separated cipher suite names. */
827 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
829 #ifdef HAVE_CIPHERSUITES
831 int rc = gnutls_priority_init( &ctx->prios, suites, &err );
838 int *list, nkx = 0, ncipher = 0, nmac = 0;
839 int *kx, *cipher, *mac;
844 end = strchr(ptr, ':');
849 for (i=0; i<tlsg_n_ciphers; i++) {
850 if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
855 if ( i == tlsg_n_ciphers ) {
856 /* unrecognized cipher suite */
862 /* Space for all 3 lists */
863 list = LDAP_MALLOC( (num+1) * sizeof(int) * 3 );
872 end = strchr(ptr, ':');
877 for (i=0; i<tlsg_n_ciphers; i++) {
878 /* For each cipher suite, insert its algorithms into
879 * their respective priority lists. Make sure they
880 * only appear once in each list.
882 if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
883 for (j=0; j<nkx; j++)
884 if ( kx[j] == tlsg_ciphers[i].kx )
887 kx[nkx++] = tlsg_ciphers[i].kx;
888 for (j=0; j<ncipher; j++)
889 if ( cipher[j] == tlsg_ciphers[i].cipher )
892 cipher[ncipher++] = tlsg_ciphers[i].cipher;
893 for (j=0; j<nmac; j++)
894 if ( mac[j] == tlsg_ciphers[i].mac )
897 mac[nmac++] = tlsg_ciphers[i].mac;
907 ctx->cipher_list = cipher;
914 * TLS support for LBER Sockbufs
918 tlsg_session *session;
919 Sockbuf_IO_Desc *sbiod;
923 tlsg_recv( gnutls_transport_ptr_t ptr, void *buf, size_t len )
927 if ( buf == NULL || len <= 0 ) return 0;
929 p = (struct tls_data *)ptr;
931 if ( p == NULL || p->sbiod == NULL ) {
935 return LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
939 tlsg_send( gnutls_transport_ptr_t ptr, const void *buf, size_t len )
943 if ( buf == NULL || len <= 0 ) return 0;
945 p = (struct tls_data *)ptr;
947 if ( p == NULL || p->sbiod == NULL ) {
951 return LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
955 tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
958 tlsg_session *session = arg;
960 assert( sbiod != NULL );
962 p = LBER_MALLOC( sizeof( *p ) );
967 gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
968 gnutls_transport_set_pull_function( session->session, tlsg_recv );
969 gnutls_transport_set_push_function( session->session, tlsg_send );
970 p->session = session;
972 sbiod->sbiod_pvt = p;
977 tlsg_sb_remove( Sockbuf_IO_Desc *sbiod )
981 assert( sbiod != NULL );
982 assert( sbiod->sbiod_pvt != NULL );
984 p = (struct tls_data *)sbiod->sbiod_pvt;
985 gnutls_deinit ( p->session->session );
986 LBER_FREE( p->session );
987 LBER_FREE( sbiod->sbiod_pvt );
988 sbiod->sbiod_pvt = NULL;
993 tlsg_sb_close( Sockbuf_IO_Desc *sbiod )
997 assert( sbiod != NULL );
998 assert( sbiod->sbiod_pvt != NULL );
1000 p = (struct tls_data *)sbiod->sbiod_pvt;
1001 gnutls_bye ( p->session->session, GNUTLS_SHUT_WR );
1006 tlsg_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
1010 assert( sbiod != NULL );
1011 assert( sbiod->sbiod_pvt != NULL );
1013 p = (struct tls_data *)sbiod->sbiod_pvt;
1015 if ( opt == LBER_SB_OPT_GET_SSL ) {
1016 *((tlsg_session **)arg) = p->session;
1019 } else if ( opt == LBER_SB_OPT_DATA_READY ) {
1020 if( gnutls_record_check_pending( p->session->session ) > 0 ) {
1025 return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
1029 tlsg_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
1034 assert( sbiod != NULL );
1035 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
1037 p = (struct tls_data *)sbiod->sbiod_pvt;
1039 ret = gnutls_record_recv ( p->session->session, buf, len );
1041 case GNUTLS_E_INTERRUPTED:
1042 case GNUTLS_E_AGAIN:
1043 sbiod->sbiod_sb->sb_trans_needs_read = 1;
1044 sock_errset(EWOULDBLOCK);
1047 case GNUTLS_E_REHANDSHAKE:
1048 for ( ret = gnutls_handshake ( p->session->session );
1049 ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN;
1050 ret = gnutls_handshake ( p->session->session ) );
1051 sbiod->sbiod_sb->sb_trans_needs_read = 1;
1055 sbiod->sbiod_sb->sb_trans_needs_read = 0;
1061 tlsg_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
1066 assert( sbiod != NULL );
1067 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
1069 p = (struct tls_data *)sbiod->sbiod_pvt;
1071 ret = gnutls_record_send ( p->session->session, (char *)buf, len );
1073 if ( ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN ) {
1074 sbiod->sbiod_sb->sb_trans_needs_write = 1;
1075 sock_errset(EWOULDBLOCK);
1078 sbiod->sbiod_sb->sb_trans_needs_write = 0;
1083 static Sockbuf_IO tlsg_sbio =
1085 tlsg_sb_setup, /* sbi_setup */
1086 tlsg_sb_remove, /* sbi_remove */
1087 tlsg_sb_ctrl, /* sbi_ctrl */
1088 tlsg_sb_read, /* sbi_read */
1089 tlsg_sb_write, /* sbi_write */
1090 tlsg_sb_close /* sbi_close */
1093 /* Certs are not automatically varified during the handshake */
1095 tlsg_cert_verify( tlsg_session *ssl )
1097 unsigned int status = 0;
1099 time_t now = time(0);
1102 err = gnutls_certificate_verify_peers2( ssl->session, &status );
1104 Debug( LDAP_DEBUG_ANY,"TLS: gnutls_certificate_verify_peers2 failed %d\n",
1109 Debug( LDAP_DEBUG_TRACE,"TLS: peer cert untrusted or revoked (0x%x)\n",
1113 peertime = gnutls_certificate_expiration_time_peers( ssl->session );
1114 if ( peertime == (time_t) -1 ) {
1115 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_expiration_time_peers failed\n",
1119 if ( peertime < now ) {
1120 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
1124 peertime = gnutls_certificate_activation_time_peers( ssl->session );
1125 if ( peertime == (time_t) -1 ) {
1126 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_activation_time_peers failed\n",
1130 if ( peertime > now ) {
1131 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
1138 tls_impl ldap_int_tls_impl = {
1150 tlsg_session_connect,
1151 tlsg_session_accept,
1152 tlsg_session_upflags,
1153 tlsg_session_errmsg,
1155 tlsg_session_peer_dn,
1156 tlsg_session_chkhost,
1157 tlsg_session_strength,
1158 tlsg_session_unique,
1159 tlsg_session_version,
1160 tlsg_session_cipher,
1161 tlsg_session_peercert,
1165 #ifdef LDAP_R_COMPILE
1174 #endif /* HAVE_GNUTLS */