1 /* tls_g.c - Handle tls/ssl using GNUTLS. */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2008-2009 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* ACKNOWLEDGEMENTS: GNUTLS support written by Howard Chu and
17 * Matt Backes; sponsored by The Written Word (thewrittenword.com)
18 * and Stanford University (stanford.edu).
25 #include "ldap_config.h"
29 #include <ac/stdlib.h>
31 #include <ac/socket.h>
32 #include <ac/string.h>
35 #include <ac/unistd.h>
37 #include <ac/dirent.h>
45 #include <ldap_pvt_thread.h>
48 #include <gnutls/gnutls.h>
49 #include <gnutls/x509.h>
52 #define DH_BITS (1024)
54 #if LIBGNUTLS_VERSION_NUMBER >= 0x020200
55 #define HAVE_CIPHERSUITES 1
56 /* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x
57 * but that dependency isn't reflected in their configure script, resulting in
58 * build errors on older gcrypt. So, if they have a working build environment,
59 * assume gcrypt is new enough.
61 #define HAVE_GCRYPT_RAND 1
63 #undef HAVE_CIPHERSUITES
64 #undef HAVE_GCRYPT_RAND
67 #ifndef HAVE_CIPHERSUITES
68 /* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
69 * kludge them ourselves.
71 typedef struct tls_cipher_suite {
73 gnutls_kx_algorithm_t kx;
74 gnutls_cipher_algorithm_t cipher;
75 gnutls_mac_algorithm_t mac;
76 gnutls_protocol_t version;
80 typedef struct tlsg_ctx {
81 struct ldapoptions *lo;
82 gnutls_certificate_credentials_t cred;
83 gnutls_dh_params_t dh_params;
84 unsigned long verify_depth;
86 #ifdef HAVE_CIPHERSUITES
87 gnutls_priority_t prios;
94 ldap_pvt_thread_mutex_t ref_mutex;
98 typedef struct tlsg_session {
99 gnutls_session_t session;
101 struct berval peer_der_dn;
104 #ifndef HAVE_CIPHERSUITES
105 static tls_cipher_suite *tlsg_ciphers;
106 static int tlsg_n_ciphers;
109 static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
110 static int tlsg_cert_verify( tlsg_session *s );
112 #ifdef LDAP_R_COMPILE
115 tlsg_mutex_init( void **priv )
118 ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
123 err = ldap_pvt_thread_mutex_init( lock );
133 tlsg_mutex_destroy( void **lock )
135 int err = ldap_pvt_thread_mutex_destroy( *lock );
141 tlsg_mutex_lock( void **lock )
143 return ldap_pvt_thread_mutex_lock( *lock );
147 tlsg_mutex_unlock( void **lock )
149 return ldap_pvt_thread_mutex_unlock( *lock );
152 static struct gcry_thread_cbs tlsg_thread_cbs = {
153 GCRY_THREAD_OPTION_USER,
159 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
163 tlsg_thr_init( void )
165 gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
167 #endif /* LDAP_R_COMPILE */
170 * Initialize TLS subsystem. Should be called only once.
175 #ifdef HAVE_GCRYPT_RAND
176 struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
177 if ( lo->ldo_tls_randfile &&
178 gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile )) {
179 Debug( LDAP_DEBUG_ANY,
180 "TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed\n",
186 gnutls_global_init();
188 #ifndef HAVE_CIPHERSUITES
189 /* GNUtls cipher suite handling: The library ought to parse suite
190 * names for us, but it doesn't. It will return a list of suite names
191 * that it supports, so we can do parsing ourselves. It ought to tell
192 * us how long the list is, but it doesn't do that either, so we just
193 * have to count it manually...
197 tls_cipher_suite *ptr, tmp;
200 while ( gnutls_cipher_suite_info( i, cs_id, &tmp.kx, &tmp.cipher,
201 &tmp.mac, &tmp.version ))
206 tlsg_ciphers = LDAP_MALLOC(tlsg_n_ciphers * sizeof(tls_cipher_suite));
209 for ( i=0; i<tlsg_n_ciphers; i++ ) {
210 tlsg_ciphers[i].name = gnutls_cipher_suite_info( i, cs_id,
211 &tlsg_ciphers[i].kx, &tlsg_ciphers[i].cipher, &tlsg_ciphers[i].mac,
212 &tlsg_ciphers[i].version );
220 * Tear down the TLS subsystem. Should only be called once.
225 #ifndef HAVE_CIPHERSUITES
226 LDAP_FREE( tlsg_ciphers );
230 gnutls_global_deinit();
234 tlsg_ctx_new ( struct ldapoptions *lo )
238 ctx = ber_memcalloc ( 1, sizeof (*ctx) );
241 if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
246 #ifdef HAVE_CIPHERSUITES
247 gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
249 #ifdef LDAP_R_COMPILE
250 ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
253 return (tls_ctx *)ctx;
257 tlsg_ctx_ref( tls_ctx *ctx )
259 tlsg_ctx *c = (tlsg_ctx *)ctx;
260 #ifdef LDAP_R_COMPILE
261 ldap_pvt_thread_mutex_lock( &c->ref_mutex );
264 #ifdef LDAP_R_COMPILE
265 ldap_pvt_thread_mutex_unlock( &c->ref_mutex );
270 tlsg_ctx_free ( tls_ctx *ctx )
272 tlsg_ctx *c = (tlsg_ctx *)ctx;
277 #ifdef LDAP_R_COMPILE
278 ldap_pvt_thread_mutex_lock( &c->ref_mutex );
280 refcount = --c->refcount;
281 #ifdef LDAP_R_COMPILE
282 ldap_pvt_thread_mutex_unlock( &c->ref_mutex );
286 #ifdef HAVE_CIPHERSUITES
287 gnutls_priority_deinit( c->prios );
289 LDAP_FREE( c->kx_list );
291 gnutls_certificate_free_credentials( c->cred );
296 tlsg_getfile( const char *path, gnutls_datum_t *buf )
301 fd = open( path, O_RDONLY );
302 if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
303 buf->size = st.st_size;
304 buf->data = LDAP_MALLOC( st.st_size + 1 );
306 rc = read( fd, buf->data, st.st_size );
308 if ( rc < st.st_size )
317 /* This is the GnuTLS default */
318 #define VERIFY_DEPTH 6
321 * initialize a new TLS context
324 tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
326 tlsg_ctx *ctx = lo->ldo_tls_ctx;
329 if ( lo->ldo_tls_ciphersuite &&
330 tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
331 Debug( LDAP_DEBUG_ANY,
332 "TLS: could not set cipher list %s.\n",
333 lo->ldo_tls_ciphersuite, 0, 0 );
337 if (lo->ldo_tls_cacertdir != NULL) {
338 Debug( LDAP_DEBUG_ANY,
339 "TLS: warning: cacertdir not implemented for gnutls\n",
343 if (lo->ldo_tls_cacertfile != NULL) {
344 rc = gnutls_certificate_set_x509_trust_file(
347 GNUTLS_X509_FMT_PEM );
348 if ( rc < 0 ) return -1;
351 if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
352 gnutls_x509_privkey_t key;
354 gnutls_x509_crt_t certs[VERIFY_DEPTH];
355 unsigned int max = VERIFY_DEPTH;
357 rc = gnutls_x509_privkey_init( &key );
360 /* OpenSSL builds the cert chain for us, but GnuTLS
361 * expects it to be present in the certfile. If it's
362 * not, we have to build it ourselves. So we have to
363 * do some special checks here...
365 rc = tlsg_getfile( lt->lt_keyfile, &buf );
367 rc = gnutls_x509_privkey_import( key, &buf,
368 GNUTLS_X509_FMT_PEM );
369 LDAP_FREE( buf.data );
370 if ( rc < 0 ) return rc;
372 rc = tlsg_getfile( lt->lt_certfile, &buf );
374 rc = gnutls_x509_crt_list_import( certs, &max, &buf,
375 GNUTLS_X509_FMT_PEM, 0 );
376 LDAP_FREE( buf.data );
377 if ( rc < 0 ) return rc;
379 /* If there's only one cert and it's not self-signed,
380 * then we have to build the cert chain.
382 if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
383 gnutls_x509_crt_t *cas;
384 unsigned int i, j, ncas;
386 gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
387 for ( i = 1; i<VERIFY_DEPTH; i++ ) {
388 for ( j = 0; j<ncas; j++ ) {
389 if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
392 /* If this CA is self-signed, we're done */
393 if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
398 /* only continue if we found a CA and it was not self-signed */
403 rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
405 } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
406 Debug( LDAP_DEBUG_ANY,
407 "TLS: only one of certfile and keyfile specified\n",
412 if ( lo->ldo_tls_dhfile ) {
413 Debug( LDAP_DEBUG_ANY,
414 "TLS: warning: ignoring dhfile\n",
418 if ( lo->ldo_tls_crlfile ) {
419 rc = gnutls_certificate_set_x509_crl_file(
422 GNUTLS_X509_FMT_PEM );
423 if ( rc < 0 ) return -1;
427 /* FIXME: ITS#5992 - this should go be configurable,
428 * and V1 CA certs should be phased out ASAP.
430 gnutls_certificate_set_verify_flags( ctx->cred,
431 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
434 gnutls_dh_params_init(&ctx->dh_params);
435 gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
441 tlsg_session_new ( tls_ctx * ctx, int is_server )
443 tlsg_ctx *c = (tlsg_ctx *)ctx;
444 tlsg_session *session;
446 session = ber_memcalloc ( 1, sizeof (*session) );
451 gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
452 #ifdef HAVE_CIPHERSUITES
453 gnutls_priority_set( session->session, c->prios );
455 gnutls_set_default_priority( session->session );
457 gnutls_kx_set_priority( session->session, c->kx_list );
458 gnutls_cipher_set_priority( session->session, c->cipher_list );
459 gnutls_mac_set_priority( session->session, c->mac_list );
463 gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
467 if ( c->lo->ldo_tls_require_cert ) {
468 flag = GNUTLS_CERT_REQUEST;
469 if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
470 c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
471 flag = GNUTLS_CERT_REQUIRE;
472 gnutls_certificate_server_set_request( session->session, flag );
475 return (tls_session *)session;
479 tlsg_session_accept( tls_session *session )
481 tlsg_session *s = (tlsg_session *)session;
484 rc = gnutls_handshake( s->session );
485 if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
486 const gnutls_datum_t *peer_cert_list;
487 unsigned int list_size;
489 peer_cert_list = gnutls_certificate_get_peers( s->session,
491 if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
494 rc = tlsg_cert_verify( s );
495 if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
503 tlsg_session_connect( LDAP *ld, tls_session *session )
505 return tlsg_session_accept( session);
509 tlsg_session_upflags( Sockbuf *sb, tls_session *session, int rc )
511 tlsg_session *s = (tlsg_session *)session;
513 if ( rc != GNUTLS_E_INTERRUPTED && rc != GNUTLS_E_AGAIN )
516 switch (gnutls_record_get_direction (s->session)) {
518 sb->sb_trans_needs_read = 1;
521 sb->sb_trans_needs_write = 1;
528 tlsg_session_errmsg( int rc, char *buf, size_t len )
530 return (char *)gnutls_strerror( rc );
534 tlsg_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
536 BerElementBuffer berbuf;
537 BerElement *ber = (BerElement *)&berbuf;
542 ber_init2( ber, cert, LBER_USE_DER );
543 tag = ber_skip_tag( ber, &len ); /* Sequence */
544 tag = ber_skip_tag( ber, &len ); /* Sequence */
545 tag = ber_skip_tag( ber, &len ); /* Context + Constructed (version) */
546 if ( tag == 0xa0 ) /* Version is optional */
547 tag = ber_get_int( ber, &i ); /* Int: Version */
548 tag = ber_get_int( ber, &i ); /* Int: Serial */
549 tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
550 ber_skip_data( ber, len );
551 if ( !get_subject ) {
552 tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
554 tag = ber_skip_tag( ber, &len );
555 ber_skip_data( ber, len );
556 tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
557 ber_skip_data( ber, len );
558 tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
560 len = ber_ptrlen( ber );
561 dn->bv_val = cert->bv_val + len;
562 dn->bv_len = cert->bv_len - len;
566 tlsg_session_my_dn( tls_session *session, struct berval *der_dn )
568 tlsg_session *s = (tlsg_session *)session;
569 const gnutls_datum_t *x;
572 x = gnutls_certificate_get_ours( s->session );
574 if (!x) return LDAP_INVALID_CREDENTIALS;
576 bv.bv_val = (char *) x->data;
579 tlsg_x509_cert_dn( &bv, der_dn, 1 );
584 tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
586 tlsg_session *s = (tlsg_session *)session;
587 if ( !s->peer_der_dn.bv_val ) {
588 const gnutls_datum_t *peer_cert_list;
589 unsigned int list_size;
592 peer_cert_list = gnutls_certificate_get_peers( s->session,
594 if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
596 bv.bv_len = peer_cert_list->size;
597 bv.bv_val = (char *) peer_cert_list->data;
599 tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
601 *der_dn = s->peer_der_dn;
605 /* what kind of hostname were we given? */
610 #define CN_OID "2.5.4.3"
613 tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
615 tlsg_session *s = (tlsg_session *)session;
617 const gnutls_datum_t *peer_cert_list;
618 unsigned int list_size;
619 char altname[NI_MAXHOST];
622 gnutls_x509_crt_t cert;
627 struct in6_addr addr;
631 int len1 = 0, len2 = 0;
634 if( ldap_int_hostname &&
635 ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
637 name = ldap_int_hostname;
642 peer_cert_list = gnutls_certificate_get_peers( s->session,
644 if ( !peer_cert_list ) {
645 Debug( LDAP_DEBUG_ANY,
646 "TLS: unable to get peer certificate.\n",
648 /* If this was a fatal condition, things would have
649 * aborted long before now.
653 ret = gnutls_x509_crt_init( &cert );
655 return LDAP_LOCAL_ERROR;
656 ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
658 gnutls_x509_crt_deinit( cert );
659 return LDAP_LOCAL_ERROR;
663 if (name[0] == '[' && strchr(name, ']')) {
664 char *n2 = ldap_strdup(name+1);
665 *strchr(n2, ']') = 0;
666 if (inet_pton(AF_INET6, n2, &addr))
671 if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
672 if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
675 if (ntype == IS_DNS) {
677 domain = strchr(name, '.');
679 len2 = len1 - (domain-name);
683 for ( i=0, ret=0; ret >= 0; i++ ) {
684 altnamesize = sizeof(altname);
685 ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
686 altname, &altnamesize, NULL );
687 if ( ret < 0 ) break;
690 if ( altnamesize == 0 ) continue;
692 if ( ret == GNUTLS_SAN_DNSNAME ) {
693 if (ntype != IS_DNS) continue;
695 /* Is this an exact match? */
696 if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
700 /* Is this a wildcard match? */
701 if (domain && (altname[0] == '*') && (altname[1] == '.') &&
702 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
706 } else if ( ret == GNUTLS_SAN_IPADDRESS ) {
707 if (ntype == IS_DNS) continue;
710 if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
714 if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
717 if (!memcmp(altname, &addr, altnamesize)) {
725 /* find the last CN */
729 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
730 i, 1, altname, &altnamesize );
731 if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER )
738 altnamesize = sizeof(altname);
739 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
740 i-1, 0, altname, &altnamesize );
744 Debug( LDAP_DEBUG_ANY,
745 "TLS: unable to get common name from peer certificate.\n",
747 ret = LDAP_CONNECT_ERROR;
748 if ( ld->ld_error ) {
749 LDAP_FREE( ld->ld_error );
751 ld->ld_error = LDAP_STRDUP(
752 _("TLS: unable to get CN from peer certificate"));
755 ret = LDAP_LOCAL_ERROR;
756 if ( !len1 ) len1 = strlen( name );
757 if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
760 } else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
761 /* Is this a wildcard match? */
763 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
769 if( ret == LDAP_LOCAL_ERROR ) {
770 altname[altnamesize] = '\0';
771 Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
772 "common name in certificate (%s).\n",
774 ret = LDAP_CONNECT_ERROR;
775 if ( ld->ld_error ) {
776 LDAP_FREE( ld->ld_error );
778 ld->ld_error = LDAP_STRDUP(
779 _("TLS: hostname does not match CN in peer certificate"));
782 gnutls_x509_crt_deinit( cert );
787 tlsg_session_strength( tls_session *session )
789 tlsg_session *s = (tlsg_session *)session;
790 gnutls_cipher_algorithm_t c;
792 c = gnutls_cipher_get( s->session );
793 return gnutls_cipher_get_key_size( c ) * 8;
796 /* suites is a string of colon-separated cipher suite names. */
798 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
800 #ifdef HAVE_CIPHERSUITES
802 return gnutls_priority_init( &ctx->prios, suites, &err );
806 int *list, nkx = 0, ncipher = 0, nmac = 0;
807 int *kx, *cipher, *mac;
812 end = strchr(ptr, ':');
817 for (i=0; i<tlsg_n_ciphers; i++) {
818 if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
823 if ( i == tlsg_n_ciphers ) {
824 /* unrecognized cipher suite */
830 /* Space for all 3 lists */
831 list = LDAP_MALLOC( (num+1) * sizeof(int) * 3 );
840 end = strchr(ptr, ':');
845 for (i=0; i<tlsg_n_ciphers; i++) {
846 /* For each cipher suite, insert its algorithms into
847 * their respective priority lists. Make sure they
848 * only appear once in each list.
850 if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
851 for (j=0; j<nkx; j++)
852 if ( kx[j] == tlsg_ciphers[i].kx )
855 kx[nkx++] = tlsg_ciphers[i].kx;
856 for (j=0; j<ncipher; j++)
857 if ( cipher[j] == tlsg_ciphers[i].cipher )
860 cipher[ncipher++] = tlsg_ciphers[i].cipher;
861 for (j=0; j<nmac; j++)
862 if ( mac[j] == tlsg_ciphers[i].mac )
865 mac[nmac++] = tlsg_ciphers[i].mac;
875 ctx->cipher_list = cipher;
882 * TLS support for LBER Sockbufs
886 tlsg_session *session;
887 Sockbuf_IO_Desc *sbiod;
891 tlsg_recv( gnutls_transport_ptr_t ptr, void *buf, size_t len )
895 if ( buf == NULL || len <= 0 ) return 0;
897 p = (struct tls_data *)ptr;
899 if ( p == NULL || p->sbiod == NULL ) {
903 return LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
907 tlsg_send( gnutls_transport_ptr_t ptr, const void *buf, size_t len )
911 if ( buf == NULL || len <= 0 ) return 0;
913 p = (struct tls_data *)ptr;
915 if ( p == NULL || p->sbiod == NULL ) {
919 return LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
923 tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
926 tlsg_session *session = arg;
928 assert( sbiod != NULL );
930 p = LBER_MALLOC( sizeof( *p ) );
935 gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
936 gnutls_transport_set_pull_function( session->session, tlsg_recv );
937 gnutls_transport_set_push_function( session->session, tlsg_send );
938 p->session = session;
940 sbiod->sbiod_pvt = p;
945 tlsg_sb_remove( Sockbuf_IO_Desc *sbiod )
949 assert( sbiod != NULL );
950 assert( sbiod->sbiod_pvt != NULL );
952 p = (struct tls_data *)sbiod->sbiod_pvt;
953 gnutls_deinit ( p->session->session );
954 LBER_FREE( p->session );
955 LBER_FREE( sbiod->sbiod_pvt );
956 sbiod->sbiod_pvt = NULL;
961 tlsg_sb_close( Sockbuf_IO_Desc *sbiod )
965 assert( sbiod != NULL );
966 assert( sbiod->sbiod_pvt != NULL );
968 p = (struct tls_data *)sbiod->sbiod_pvt;
969 gnutls_bye ( p->session->session, GNUTLS_SHUT_RDWR );
974 tlsg_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
978 assert( sbiod != NULL );
979 assert( sbiod->sbiod_pvt != NULL );
981 p = (struct tls_data *)sbiod->sbiod_pvt;
983 if ( opt == LBER_SB_OPT_GET_SSL ) {
984 *((tlsg_session **)arg) = p->session;
987 } else if ( opt == LBER_SB_OPT_DATA_READY ) {
988 if( gnutls_record_check_pending( p->session->session ) > 0 ) {
993 return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
997 tlsg_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
1002 assert( sbiod != NULL );
1003 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
1005 p = (struct tls_data *)sbiod->sbiod_pvt;
1007 ret = gnutls_record_recv ( p->session->session, buf, len );
1009 case GNUTLS_E_INTERRUPTED:
1010 case GNUTLS_E_AGAIN:
1011 sbiod->sbiod_sb->sb_trans_needs_read = 1;
1012 sock_errset(EWOULDBLOCK);
1015 case GNUTLS_E_REHANDSHAKE:
1016 for ( ret = gnutls_handshake ( p->session->session );
1017 ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN;
1018 ret = gnutls_handshake ( p->session->session ) );
1019 sbiod->sbiod_sb->sb_trans_needs_read = 1;
1023 sbiod->sbiod_sb->sb_trans_needs_read = 0;
1029 tlsg_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
1034 assert( sbiod != NULL );
1035 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
1037 p = (struct tls_data *)sbiod->sbiod_pvt;
1039 ret = gnutls_record_send ( p->session->session, (char *)buf, len );
1041 if ( ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN ) {
1042 sbiod->sbiod_sb->sb_trans_needs_write = 1;
1043 sock_errset(EWOULDBLOCK);
1046 sbiod->sbiod_sb->sb_trans_needs_write = 0;
1051 static Sockbuf_IO tlsg_sbio =
1053 tlsg_sb_setup, /* sbi_setup */
1054 tlsg_sb_remove, /* sbi_remove */
1055 tlsg_sb_ctrl, /* sbi_ctrl */
1056 tlsg_sb_read, /* sbi_read */
1057 tlsg_sb_write, /* sbi_write */
1058 tlsg_sb_close /* sbi_close */
1061 /* Certs are not automatically varified during the handshake */
1063 tlsg_cert_verify( tlsg_session *ssl )
1065 unsigned int status = 0;
1067 time_t now = time(0);
1070 err = gnutls_certificate_verify_peers2( ssl->session, &status );
1072 Debug( LDAP_DEBUG_ANY,"TLS: gnutls_certificate_verify_peers2 failed %d\n",
1077 Debug( LDAP_DEBUG_TRACE,"TLS: peer cert untrusted or revoked (0x%x)\n",
1081 peertime = gnutls_certificate_expiration_time_peers( ssl->session );
1082 if ( peertime == (time_t) -1 ) {
1083 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_expiration_time_peers failed\n",
1087 if ( peertime < now ) {
1088 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
1092 peertime = gnutls_certificate_activation_time_peers( ssl->session );
1093 if ( peertime == (time_t) -1 ) {
1094 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_activation_time_peers failed\n",
1098 if ( peertime > now ) {
1099 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
1106 tls_impl ldap_int_tls_impl = {
1118 tlsg_session_connect,
1119 tlsg_session_accept,
1120 tlsg_session_upflags,
1121 tlsg_session_errmsg,
1123 tlsg_session_peer_dn,
1124 tlsg_session_chkhost,
1125 tlsg_session_strength,
1129 #ifdef LDAP_R_COMPILE
1138 #endif /* HAVE_GNUTLS */