1 /* tls_g.c - Handle tls/ssl using GNUTLS. */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2008-2009 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* ACKNOWLEDGEMENTS: GNUTLS support written by Howard Chu and
17 * Matt Backes; sponsored by The Written Word (thewrittenword.com)
18 * and Stanford University (stanford.edu).
25 #include "ldap_config.h"
29 #include <ac/stdlib.h>
31 #include <ac/socket.h>
32 #include <ac/string.h>
35 #include <ac/unistd.h>
37 #include <ac/dirent.h>
43 #include <ldap_pvt_thread.h>
46 #include <gnutls/gnutls.h>
47 #include <gnutls/x509.h>
50 #define DH_BITS (1024)
52 #if LIBGNUTLS_VERSION_NUMBER >= 0x020200
53 #define HAVE_CIPHERSUITES 1
54 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x
55 * but that dependency isn't reflected in their configure script, resulting in
56 * build errors on older gcrypt. So, if they have a working build environment,
57 * assume gcrypt is new enough.
59 #define HAVE_GCRYPT_RAND 1
61 #undef HAVE_CIPHERSUITES
62 #undef HAVE_GCRYPT_RAND
65 #ifndef HAVE_CIPHERSUITES
66 /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
67 * kludge them ourselves.
69 typedef struct tls_cipher_suite {
71 gnutls_kx_algorithm_t kx;
72 gnutls_cipher_algorithm_t cipher;
73 gnutls_mac_algorithm_t mac;
74 gnutls_protocol_t version;
78 typedef struct tlsg_ctx {
79 struct ldapoptions *lo;
80 gnutls_certificate_credentials_t cred;
81 gnutls_dh_params_t dh_params;
82 unsigned long verify_depth;
84 #ifdef HAVE_CIPHERSUITES
85 gnutls_priority_t prios;
92 ldap_pvt_thread_mutex_t ref_mutex;
96 typedef struct tlsg_session {
97 gnutls_session_t session;
99 struct berval peer_der_dn;
102 #ifndef HAVE_CIPHERSUITES
103 static tls_cipher_suite *tlsg_ciphers;
104 static int tlsg_n_ciphers;
107 static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
108 static int tlsg_cert_verify( tlsg_session *s );
110 #ifdef LDAP_R_COMPILE
113 tlsg_mutex_init( void **priv )
116 ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
121 err = ldap_pvt_thread_mutex_init( lock );
131 tlsg_mutex_destroy( void **lock )
133 int err = ldap_pvt_thread_mutex_destroy( *lock );
139 tlsg_mutex_lock( void **lock )
141 return ldap_pvt_thread_mutex_lock( *lock );
145 tlsg_mutex_unlock( void **lock )
147 return ldap_pvt_thread_mutex_unlock( *lock );
150 static struct gcry_thread_cbs tlsg_thread_cbs = {
151 GCRY_THREAD_OPTION_USER,
157 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
161 tlsg_thr_init( void )
163 gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
165 #endif /* LDAP_R_COMPILE */
168 * Initialize TLS subsystem. Should be called only once.
173 #ifdef HAVE_GCRYPT_RAND
174 struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
175 if ( lo->ldo_tls_randfile &&
176 gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile )) {
177 Debug( LDAP_DEBUG_ANY,
178 "TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed\n",
184 gnutls_global_init();
186 #ifndef HAVE_CIPHERSUITES
187 /* GNUtls cipher suite handling: The library ought to parse suite
188 * names for us, but it doesn't. It will return a list of suite names
189 * that it supports, so we can do parsing ourselves. It ought to tell
190 * us how long the list is, but it doesn't do that either, so we just
191 * have to count it manually...
195 tls_cipher_suite *ptr, tmp;
198 while ( gnutls_cipher_suite_info( i, cs_id, &tmp.kx, &tmp.cipher,
199 &tmp.mac, &tmp.version ))
204 tlsg_ciphers = LDAP_MALLOC(tlsg_n_ciphers * sizeof(tls_cipher_suite));
207 for ( i=0; i<tlsg_n_ciphers; i++ ) {
208 tlsg_ciphers[i].name = gnutls_cipher_suite_info( i, cs_id,
209 &tlsg_ciphers[i].kx, &tlsg_ciphers[i].cipher, &tlsg_ciphers[i].mac,
210 &tlsg_ciphers[i].version );
218 * Tear down the TLS subsystem. Should only be called once.
223 #ifndef HAVE_CIPHERSUITES
224 LDAP_FREE( tlsg_ciphers );
228 gnutls_global_deinit();
232 tlsg_ctx_new ( struct ldapoptions *lo )
236 ctx = ber_memcalloc ( 1, sizeof (*ctx) );
239 if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
244 #ifdef HAVE_CIPHERSUITES
245 gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
247 #ifdef LDAP_R_COMPILE
248 ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
251 return (tls_ctx *)ctx;
255 tlsg_ctx_ref( tls_ctx *ctx )
257 tlsg_ctx *c = (tlsg_ctx *)ctx;
258 #ifdef LDAP_R_COMPILE
259 ldap_pvt_thread_mutex_lock( &c->ref_mutex );
262 #ifdef LDAP_R_COMPILE
263 ldap_pvt_thread_mutex_unlock( &c->ref_mutex );
268 tlsg_ctx_free ( tls_ctx *ctx )
270 tlsg_ctx *c = (tlsg_ctx *)ctx;
275 #ifdef LDAP_R_COMPILE
276 ldap_pvt_thread_mutex_lock( &c->ref_mutex );
278 refcount = --c->refcount;
279 #ifdef LDAP_R_COMPILE
280 ldap_pvt_thread_mutex_unlock( &c->ref_mutex );
284 #ifdef HAVE_CIPHERSUITES
285 gnutls_priority_deinit( c->prios );
287 LDAP_FREE( c->kx_list );
289 gnutls_certificate_free_credentials( c->cred );
294 * initialize a new TLS context
297 tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
299 tlsg_ctx *ctx = lo->ldo_tls_ctx;
302 if ( lo->ldo_tls_ciphersuite &&
303 tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
304 Debug( LDAP_DEBUG_ANY,
305 "TLS: could not set cipher list %s.\n",
306 lo->ldo_tls_ciphersuite, 0, 0 );
310 if (lo->ldo_tls_cacertdir != NULL) {
311 Debug( LDAP_DEBUG_ANY,
312 "TLS: warning: cacertdir not implemented for gnutls\n",
316 if (lo->ldo_tls_cacertfile != NULL) {
317 rc = gnutls_certificate_set_x509_trust_file(
320 GNUTLS_X509_FMT_PEM );
321 if ( rc < 0 ) return -1;
324 if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
325 rc = gnutls_certificate_set_x509_key_file(
329 GNUTLS_X509_FMT_PEM );
331 } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
332 Debug( LDAP_DEBUG_ANY,
333 "TLS: only one of certfile and keyfile specified\n",
338 if ( lo->ldo_tls_dhfile ) {
339 Debug( LDAP_DEBUG_ANY,
340 "TLS: warning: ignoring dhfile\n",
344 if ( lo->ldo_tls_crlfile ) {
345 rc = gnutls_certificate_set_x509_crl_file(
348 GNUTLS_X509_FMT_PEM );
349 if ( rc < 0 ) return -1;
353 gnutls_dh_params_init(&ctx->dh_params);
354 gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
360 tlsg_session_new ( tls_ctx * ctx, int is_server )
362 tlsg_ctx *c = (tlsg_ctx *)ctx;
363 tlsg_session *session;
365 session = ber_memcalloc ( 1, sizeof (*session) );
370 gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
371 #ifdef HAVE_CIPHERSUITES
372 gnutls_priority_set( session->session, c->prios );
374 gnutls_set_default_priority( session->session );
376 gnutls_kx_set_priority( session->session, c->kx_list );
377 gnutls_cipher_set_priority( session->session, c->cipher_list );
378 gnutls_mac_set_priority( session->session, c->mac_list );
382 gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
386 if ( c->lo->ldo_tls_require_cert ) {
387 flag = GNUTLS_CERT_REQUEST;
388 if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
389 c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
390 flag = GNUTLS_CERT_REQUIRE;
391 gnutls_certificate_server_set_request( session->session, flag );
394 return (tls_session *)session;
398 tlsg_session_accept( tls_session *session )
400 tlsg_session *s = (tlsg_session *)session;
403 rc = gnutls_handshake( s->session );
404 if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
405 const gnutls_datum_t *peer_cert_list;
406 unsigned int list_size;
408 peer_cert_list = gnutls_certificate_get_peers( s->session,
410 if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
413 rc = tlsg_cert_verify( s );
414 if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
422 tlsg_session_connect( LDAP *ld, tls_session *session )
424 return tlsg_session_accept( session);
428 tlsg_session_upflags( Sockbuf *sb, tls_session *session, int rc )
430 tlsg_session *s = (tlsg_session *)session;
432 if ( rc != GNUTLS_E_INTERRUPTED && rc != GNUTLS_E_AGAIN )
435 switch (gnutls_record_get_direction (s->session)) {
437 sb->sb_trans_needs_read = 1;
440 sb->sb_trans_needs_write = 1;
447 tlsg_session_errmsg( int rc, char *buf, size_t len )
449 return (char *)gnutls_strerror( rc );
453 tlsg_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
455 BerElementBuffer berbuf;
456 BerElement *ber = (BerElement *)&berbuf;
461 ber_init2( ber, cert, LBER_USE_DER );
462 tag = ber_skip_tag( ber, &len ); /* Sequence */
463 tag = ber_skip_tag( ber, &len ); /* Sequence */
464 tag = ber_skip_tag( ber, &len ); /* Context + Constructed (version) */
465 if ( tag == 0xa0 ) /* Version is optional */
466 tag = ber_get_int( ber, &i ); /* Int: Version */
467 tag = ber_get_int( ber, &i ); /* Int: Serial */
468 tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
469 ber_skip_data( ber, len );
470 if ( !get_subject ) {
471 tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
473 tag = ber_skip_tag( ber, &len );
474 ber_skip_data( ber, len );
475 tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
476 ber_skip_data( ber, len );
477 tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
479 len = ber_ptrlen( ber );
480 dn->bv_val = cert->bv_val + len;
481 dn->bv_len = cert->bv_len - len;
485 tlsg_session_my_dn( tls_session *session, struct berval *der_dn )
487 tlsg_session *s = (tlsg_session *)session;
488 const gnutls_datum_t *x;
491 x = gnutls_certificate_get_ours( s->session );
493 if (!x) return LDAP_INVALID_CREDENTIALS;
495 bv.bv_val = (char *) x->data;
498 tlsg_x509_cert_dn( &bv, der_dn, 1 );
503 tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
505 tlsg_session *s = (tlsg_session *)session;
506 if ( !s->peer_der_dn.bv_val ) {
507 const gnutls_datum_t *peer_cert_list;
508 unsigned int list_size;
511 peer_cert_list = gnutls_certificate_get_peers( s->session,
513 if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
515 bv.bv_len = peer_cert_list->size;
516 bv.bv_val = (char *) peer_cert_list->data;
518 tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
520 *der_dn = s->peer_der_dn;
524 /* what kind of hostname were we given? */
529 #define CN_OID "2.5.4.3"
532 tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
534 tlsg_session *s = (tlsg_session *)session;
536 const gnutls_datum_t *peer_cert_list;
537 unsigned int list_size;
538 char altname[NI_MAXHOST];
541 gnutls_x509_crt_t cert;
546 struct in6_addr addr;
550 int len1 = 0, len2 = 0;
553 if( ldap_int_hostname &&
554 ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
556 name = ldap_int_hostname;
561 peer_cert_list = gnutls_certificate_get_peers( s->session,
563 if ( !peer_cert_list ) {
564 Debug( LDAP_DEBUG_ANY,
565 "TLS: unable to get peer certificate.\n",
567 /* If this was a fatal condition, things would have
568 * aborted long before now.
572 ret = gnutls_x509_crt_init( &cert );
574 return LDAP_LOCAL_ERROR;
575 ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
577 gnutls_x509_crt_deinit( cert );
578 return LDAP_LOCAL_ERROR;
582 if (name[0] == '[' && strchr(name, ']')) {
583 char *n2 = ldap_strdup(name+1);
584 *strchr(n2, ']') = 0;
585 if (inet_pton(AF_INET6, n2, &addr))
590 if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
591 if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
594 if (ntype == IS_DNS) {
596 domain = strchr(name, '.');
598 len2 = len1 - (domain-name);
602 for ( i=0, ret=0; ret >= 0; i++ ) {
603 altnamesize = sizeof(altname);
604 ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
605 altname, &altnamesize, NULL );
606 if ( ret < 0 ) break;
609 if ( altnamesize == 0 ) continue;
611 if ( ret == GNUTLS_SAN_DNSNAME ) {
612 if (ntype != IS_DNS) continue;
614 /* Is this an exact match? */
615 if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
619 /* Is this a wildcard match? */
620 if (domain && (altname[0] == '*') && (altname[1] == '.') &&
621 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
625 } else if ( ret == GNUTLS_SAN_IPADDRESS ) {
626 if (ntype == IS_DNS) continue;
629 if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
633 if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
636 if (!memcmp(altname, &addr, altnamesize)) {
644 altnamesize = sizeof(altname);
645 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
646 0, 0, altname, &altnamesize );
648 Debug( LDAP_DEBUG_ANY,
649 "TLS: unable to get common name from peer certificate.\n",
651 ret = LDAP_CONNECT_ERROR;
652 if ( ld->ld_error ) {
653 LDAP_FREE( ld->ld_error );
655 ld->ld_error = LDAP_STRDUP(
656 _("TLS: unable to get CN from peer certificate"));
659 ret = LDAP_LOCAL_ERROR;
660 if ( !len1 ) len1 = strlen( name );
661 if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
664 } else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
665 /* Is this a wildcard match? */
667 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
673 if( ret == LDAP_LOCAL_ERROR ) {
674 altname[altnamesize] = '\0';
675 Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
676 "common name in certificate (%s).\n",
678 ret = LDAP_CONNECT_ERROR;
679 if ( ld->ld_error ) {
680 LDAP_FREE( ld->ld_error );
682 ld->ld_error = LDAP_STRDUP(
683 _("TLS: hostname does not match CN in peer certificate"));
686 gnutls_x509_crt_deinit( cert );
691 tlsg_session_strength( tls_session *session )
693 tlsg_session *s = (tlsg_session *)session;
694 gnutls_cipher_algorithm_t c;
696 c = gnutls_cipher_get( s->session );
697 return gnutls_cipher_get_key_size( c ) * 8;
700 /* suites is a string of colon-separated cipher suite names. */
702 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
704 #ifdef HAVE_CIPHERSUITES
706 return gnutls_priority_init( &ctx->prios, suites, &err );
710 int *list, nkx = 0, ncipher = 0, nmac = 0;
711 int *kx, *cipher, *mac;
716 end = strchr(ptr, ':');
721 for (i=0; i<tlsg_n_ciphers; i++) {
722 if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
727 if ( i == tlsg_n_ciphers ) {
728 /* unrecognized cipher suite */
734 /* Space for all 3 lists */
735 list = LDAP_MALLOC( (num+1) * sizeof(int) * 3 );
744 end = strchr(ptr, ':');
749 for (i=0; i<tlsg_n_ciphers; i++) {
750 /* For each cipher suite, insert its algorithms into
751 * their respective priority lists. Make sure they
752 * only appear once in each list.
754 if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
755 for (j=0; j<nkx; j++)
756 if ( kx[j] == tlsg_ciphers[i].kx )
759 kx[nkx++] = tlsg_ciphers[i].kx;
760 for (j=0; j<ncipher; j++)
761 if ( cipher[j] == tlsg_ciphers[i].cipher )
764 cipher[ncipher++] = tlsg_ciphers[i].cipher;
765 for (j=0; j<nmac; j++)
766 if ( mac[j] == tlsg_ciphers[i].mac )
769 mac[nmac++] = tlsg_ciphers[i].mac;
779 ctx->cipher_list = cipher;
786 * TLS support for LBER Sockbufs
790 tlsg_session *session;
791 Sockbuf_IO_Desc *sbiod;
795 tlsg_recv( gnutls_transport_ptr_t ptr, void *buf, size_t len )
799 if ( buf == NULL || len <= 0 ) return 0;
801 p = (struct tls_data *)ptr;
803 if ( p == NULL || p->sbiod == NULL ) {
807 return LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
811 tlsg_send( gnutls_transport_ptr_t ptr, const void *buf, size_t len )
815 if ( buf == NULL || len <= 0 ) return 0;
817 p = (struct tls_data *)ptr;
819 if ( p == NULL || p->sbiod == NULL ) {
823 return LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
827 tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
830 tlsg_session *session = arg;
832 assert( sbiod != NULL );
834 p = LBER_MALLOC( sizeof( *p ) );
839 gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
840 gnutls_transport_set_pull_function( session->session, tlsg_recv );
841 gnutls_transport_set_push_function( session->session, tlsg_send );
842 p->session = session;
844 sbiod->sbiod_pvt = p;
849 tlsg_sb_remove( Sockbuf_IO_Desc *sbiod )
853 assert( sbiod != NULL );
854 assert( sbiod->sbiod_pvt != NULL );
856 p = (struct tls_data *)sbiod->sbiod_pvt;
857 gnutls_deinit ( p->session->session );
858 LBER_FREE( p->session );
859 LBER_FREE( sbiod->sbiod_pvt );
860 sbiod->sbiod_pvt = NULL;
865 tlsg_sb_close( Sockbuf_IO_Desc *sbiod )
869 assert( sbiod != NULL );
870 assert( sbiod->sbiod_pvt != NULL );
872 p = (struct tls_data *)sbiod->sbiod_pvt;
873 gnutls_bye ( p->session->session, GNUTLS_SHUT_RDWR );
878 tlsg_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
882 assert( sbiod != NULL );
883 assert( sbiod->sbiod_pvt != NULL );
885 p = (struct tls_data *)sbiod->sbiod_pvt;
887 if ( opt == LBER_SB_OPT_GET_SSL ) {
888 *((tlsg_session **)arg) = p->session;
891 } else if ( opt == LBER_SB_OPT_DATA_READY ) {
892 if( gnutls_record_check_pending( p->session->session ) > 0 ) {
897 return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
901 tlsg_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
906 assert( sbiod != NULL );
907 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
909 p = (struct tls_data *)sbiod->sbiod_pvt;
911 ret = gnutls_record_recv ( p->session->session, buf, len );
913 case GNUTLS_E_INTERRUPTED:
915 sbiod->sbiod_sb->sb_trans_needs_read = 1;
916 sock_errset(EWOULDBLOCK);
919 case GNUTLS_E_REHANDSHAKE:
920 for ( ret = gnutls_handshake ( p->session->session );
921 ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN;
922 ret = gnutls_handshake ( p->session->session ) );
923 sbiod->sbiod_sb->sb_trans_needs_read = 1;
927 sbiod->sbiod_sb->sb_trans_needs_read = 0;
933 tlsg_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
938 assert( sbiod != NULL );
939 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
941 p = (struct tls_data *)sbiod->sbiod_pvt;
943 ret = gnutls_record_send ( p->session->session, (char *)buf, len );
945 if ( ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN ) {
946 sbiod->sbiod_sb->sb_trans_needs_write = 1;
947 sock_errset(EWOULDBLOCK);
950 sbiod->sbiod_sb->sb_trans_needs_write = 0;
955 static Sockbuf_IO tlsg_sbio =
957 tlsg_sb_setup, /* sbi_setup */
958 tlsg_sb_remove, /* sbi_remove */
959 tlsg_sb_ctrl, /* sbi_ctrl */
960 tlsg_sb_read, /* sbi_read */
961 tlsg_sb_write, /* sbi_write */
962 tlsg_sb_close /* sbi_close */
965 /* Certs are not automatically varified during the handshake */
967 tlsg_cert_verify( tlsg_session *ssl )
969 unsigned int status = 0;
971 time_t now = time(0);
974 err = gnutls_certificate_verify_peers2( ssl->session, &status );
976 Debug( LDAP_DEBUG_ANY,"TLS: gnutls_certificate_verify_peers2 failed %d\n",
981 Debug( LDAP_DEBUG_TRACE,"TLS: peer cert untrusted or revoked (0x%x)\n",
985 peertime = gnutls_certificate_expiration_time_peers( ssl->session );
986 if ( peertime == (time_t) -1 ) {
987 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_expiration_time_peers failed\n",
991 if ( peertime < now ) {
992 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
996 peertime = gnutls_certificate_activation_time_peers( ssl->session );
997 if ( peertime == (time_t) -1 ) {
998 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_activation_time_peers failed\n",
1002 if ( peertime > now ) {
1003 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
1010 tls_impl ldap_int_tls_impl = {
1022 tlsg_session_connect,
1023 tlsg_session_accept,
1024 tlsg_session_upflags,
1025 tlsg_session_errmsg,
1027 tlsg_session_peer_dn,
1028 tlsg_session_chkhost,
1029 tlsg_session_strength,
1033 #ifdef LDAP_R_COMPILE
1042 #endif /* HAVE_GNUTLS */