/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2008-2013 The OpenLDAP Foundation.
+ * Copyright 2008-2017 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
-#include <gcrypt.h>
-
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
-#define HAVE_CIPHERSUITES 1
-/* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x
- * but that dependency isn't reflected in their configure script, resulting in
- * build errors on older gcrypt. So, if they have a working build environment,
- * assume gcrypt is new enough.
- */
-#define HAVE_GCRYPT_RAND 1
-#else
-#undef HAVE_CIPHERSUITES
-#undef HAVE_GCRYPT_RAND
-#endif
-
-#ifndef HAVE_CIPHERSUITES
-/* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
- * kludge them ourselves.
- */
-typedef struct tls_cipher_suite {
- const char *name;
- gnutls_kx_algorithm_t kx;
- gnutls_cipher_algorithm_t cipher;
- gnutls_mac_algorithm_t mac;
- gnutls_protocol_t version;
-} tls_cipher_suite;
-#endif
typedef struct tlsg_ctx {
- struct ldapoptions *lo;
gnutls_certificate_credentials_t cred;
gnutls_dh_params_t dh_params;
unsigned long verify_depth;
int refcount;
-#ifdef HAVE_CIPHERSUITES
+ int reqcert;
gnutls_priority_t prios;
-#else
- int *kx_list;
- int *cipher_list;
- int *mac_list;
-#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_t ref_mutex;
#endif
struct berval peer_der_dn;
} tlsg_session;
-#ifndef HAVE_CIPHERSUITES
-static tls_cipher_suite *tlsg_ciphers;
-static int tlsg_n_ciphers;
-#endif
-
static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
static int tlsg_cert_verify( tlsg_session *s );
return ldap_pvt_thread_mutex_unlock( *lock );
}
-static struct gcry_thread_cbs tlsg_thread_cbs = {
- GCRY_THREAD_OPTION_USER,
- NULL,
- tlsg_mutex_init,
- tlsg_mutex_destroy,
- tlsg_mutex_lock,
- tlsg_mutex_unlock,
- NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-};
-
static void
tlsg_thr_init( void )
{
- gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
+ gnutls_global_set_mutex (tlsg_mutex_init,
+ tlsg_mutex_destroy,
+ tlsg_mutex_lock,
+ tlsg_mutex_unlock);
}
#endif /* LDAP_R_COMPILE */
static int
tlsg_init( void )
{
-#ifdef HAVE_GCRYPT_RAND
- struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
- if ( lo->ldo_tls_randfile &&
- gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile )) {
- Debug( LDAP_DEBUG_ANY,
- "TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed\n",
- 0, 0, 0);
- return -1;
- }
-#endif
-
gnutls_global_init();
-
-#ifndef HAVE_CIPHERSUITES
- /* GNUtls cipher suite handling: The library ought to parse suite
- * names for us, but it doesn't. It will return a list of suite names
- * that it supports, so we can do parsing ourselves. It ought to tell
- * us how long the list is, but it doesn't do that either, so we just
- * have to count it manually...
- */
- {
- int i = 0;
- tls_cipher_suite *ptr, tmp;
- char cs_id[2];
-
- while ( gnutls_cipher_suite_info( i, cs_id, &tmp.kx, &tmp.cipher,
- &tmp.mac, &tmp.version ))
- i++;
- tlsg_n_ciphers = i;
-
- /* Store a copy */
- tlsg_ciphers = LDAP_MALLOC(tlsg_n_ciphers * sizeof(tls_cipher_suite));
- if ( !tlsg_ciphers )
- return -1;
- for ( i=0; i<tlsg_n_ciphers; i++ ) {
- tlsg_ciphers[i].name = gnutls_cipher_suite_info( i, cs_id,
- &tlsg_ciphers[i].kx, &tlsg_ciphers[i].cipher, &tlsg_ciphers[i].mac,
- &tlsg_ciphers[i].version );
- }
- }
-#endif
return 0;
}
static void
tlsg_destroy( void )
{
-#ifndef HAVE_CIPHERSUITES
- LDAP_FREE( tlsg_ciphers );
- tlsg_ciphers = NULL;
- tlsg_n_ciphers = 0;
-#endif
gnutls_global_deinit();
}
ctx = ber_memcalloc ( 1, sizeof (*ctx) );
if ( ctx ) {
- ctx->lo = lo;
if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
ber_memfree( ctx );
return NULL;
}
ctx->refcount = 1;
-#ifdef HAVE_CIPHERSUITES
gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
-#endif
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
#endif
LDAP_MUTEX_UNLOCK( &c->ref_mutex );
if ( refcount )
return;
-#ifdef HAVE_CIPHERSUITES
gnutls_priority_deinit( c->prios );
-#else
- LDAP_FREE( c->kx_list );
-#endif
gnutls_certificate_free_credentials( c->cred );
if ( c->dh_params )
gnutls_dh_params_deinit( c->dh_params );
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
}
+ if (lo->ldo_tls_cacert.bv_val != NULL ) {
+ gnutls_datum_t buf;
+ buf.data = (unsigned char *)lo->ldo_tls_cacert.bv_val;
+ buf.size = lo->ldo_tls_cacert.bv_len;
+ rc = gnutls_certificate_set_x509_trust_mem(
+ ctx->cred,
+ &buf,
+ GNUTLS_X509_FMT_DER );
+ if ( rc < 0 ) return -1;
+ }
- if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
+ if (( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) ||
+ ( lo->ldo_tls_cert.bv_val && lo->ldo_tls_key.bv_val )) {
gnutls_x509_privkey_t key;
gnutls_datum_t buf;
gnutls_x509_crt_t certs[VERIFY_DEPTH];
* not, we have to build it ourselves. So we have to
* do some special checks here...
*/
- rc = tlsg_getfile( lt->lt_keyfile, &buf );
- if ( rc ) return -1;
- rc = gnutls_x509_privkey_import( key, &buf,
- GNUTLS_X509_FMT_PEM );
- LDAP_FREE( buf.data );
+ if ( lo->ldo_tls_key.bv_val ) {
+ buf.data = (unsigned char *)lo->ldo_tls_key.bv_val;
+ buf.size = lo->ldo_tls_key.bv_len;
+ rc = gnutls_x509_privkey_import( key, &buf,
+ GNUTLS_X509_FMT_DER );
+ } else {
+ rc = tlsg_getfile( lt->lt_keyfile, &buf );
+ if ( rc ) return -1;
+ rc = gnutls_x509_privkey_import( key, &buf,
+ GNUTLS_X509_FMT_PEM );
+ LDAP_FREE( buf.data );
+ }
if ( rc < 0 ) return rc;
- rc = tlsg_getfile( lt->lt_certfile, &buf );
- if ( rc ) return -1;
- rc = gnutls_x509_crt_list_import( certs, &max, &buf,
- GNUTLS_X509_FMT_PEM, 0 );
- LDAP_FREE( buf.data );
+ if ( lo->ldo_tls_cert.bv_val ) {
+ buf.data = (unsigned char *)lo->ldo_tls_cert.bv_val;
+ buf.size = lo->ldo_tls_cert.bv_len;
+ rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+ GNUTLS_X509_FMT_DER, 0 );
+ } else {
+ rc = tlsg_getfile( lt->lt_certfile, &buf );
+ if ( rc ) return -1;
+ rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+ GNUTLS_X509_FMT_PEM, 0 );
+ LDAP_FREE( buf.data );
+ }
if ( rc < 0 ) return rc;
/* If there's only one cert and it's not self-signed,
* then we have to build the cert chain.
*/
if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
-#if GNUTLS_VERSION_NUMBER >= 0x020c00
unsigned int i;
for ( i = 1; i<VERIFY_DEPTH; i++ ) {
if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
break;
}
-#else
- gnutls_x509_crt_t *cas;
- unsigned int i, j, ncas;
-
- gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
- for ( i = 1; i<VERIFY_DEPTH; i++ ) {
- for ( j = 0; j<ncas; j++ ) {
- if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
- certs[i] = cas[j];
- max++;
- /* If this CA is self-signed, we're done */
- if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
- j = ncas;
- break;
- }
- }
- /* only continue if we found a CA and it was not self-signed */
- if ( j == ncas )
- break;
- }
-#endif
}
rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
if ( rc ) return -1;
- } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
- Debug( LDAP_DEBUG_ANY,
+ } else if (( lo->ldo_tls_certfile || lo->ldo_tls_keyfile )) {
+ Debug( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n",
NULL, NULL, NULL );
return -1;
+ } else if (( lo->ldo_tls_cert.bv_val || lo->ldo_tls_key.bv_val )) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: only one of cert and key specified\n",
+ NULL, NULL, NULL );
+ return -1;
}
if ( lo->ldo_tls_crlfile ) {
if ( rc ) return -1;
gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
}
+
+ ctx->reqcert = lo->ldo_tls_require_cert;
+
return 0;
}
session->ctx = c;
gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
-#ifdef HAVE_CIPHERSUITES
gnutls_priority_set( session->session, c->prios );
-#else
- gnutls_set_default_priority( session->session );
- if ( c->kx_list ) {
- gnutls_kx_set_priority( session->session, c->kx_list );
- gnutls_cipher_set_priority( session->session, c->cipher_list );
- gnutls_mac_set_priority( session->session, c->mac_list );
- }
-#endif
if ( c->cred )
gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
if ( is_server ) {
int flag = 0;
- if ( c->lo->ldo_tls_require_cert ) {
+ if ( c->reqcert ) {
flag = GNUTLS_CERT_REQUEST;
- if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
- c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
+ if ( c->reqcert == LDAP_OPT_X_TLS_DEMAND ||
+ c->reqcert == LDAP_OPT_X_TLS_HARD )
flag = GNUTLS_CERT_REQUIRE;
gnutls_certificate_server_set_request( session->session, flag );
}
tlsg_session *s = (tlsg_session *)session;
int rc;
- rc = gnutls_handshake( s->session );
- if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
+ for ( rc = gnutls_handshake ( s->session );
+ rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN;
+ rc = gnutls_handshake ( s->session ) );
+ if ( rc == 0 && s->ctx->reqcert != LDAP_OPT_X_TLS_NEVER ) {
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
- if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
+ if ( !peer_cert_list && s->ctx->reqcert == LDAP_OPT_X_TLS_TRY )
rc = 0;
else {
rc = tlsg_cert_verify( s );
- if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
+ if ( rc && s->ctx->reqcert == LDAP_OPT_X_TLS_ALLOW )
rc = 0;
}
}
static int
tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
{
-/* channel bindings added in 2.12.0 */
-#if GNUTLS_VERSION_NUMBER >= 0x020c00
tlsg_session *s = (tlsg_session *)sess;
gnutls_datum_t cb;
int rc;
memcpy( buf->bv_val, cb.data, len );
return len;
}
-#endif
return 0;
}
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
{
-#ifdef HAVE_CIPHERSUITES
const char *err;
int rc = gnutls_priority_init( &ctx->prios, suites, &err );
if ( rc )
ctx->prios = NULL;
return rc;
-#else
- char *ptr, *end;
- int i, j, len, num;
- int *list, nkx = 0, ncipher = 0, nmac = 0;
- int *kx, *cipher, *mac;
-
- num = 0;
- ptr = suites;
- do {
- end = strchr(ptr, ':');
- if ( end )
- len = end - ptr;
- else
- len = strlen(ptr);
- for (i=0; i<tlsg_n_ciphers; i++) {
- if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
- num++;
- break;
- }
- }
- if ( i == tlsg_n_ciphers ) {
- /* unrecognized cipher suite */
- return -1;
- }
- ptr += len + 1;
- } while (end);
-
- /* Space for all 3 lists */
- list = LDAP_MALLOC( (num+1) * sizeof(int) * 3 );
- if ( !list )
- return -1;
- kx = list;
- cipher = kx+num+1;
- mac = cipher+num+1;
-
- ptr = suites;
- do {
- end = strchr(ptr, ':');
- if ( end )
- len = end - ptr;
- else
- len = strlen(ptr);
- for (i=0; i<tlsg_n_ciphers; i++) {
- /* For each cipher suite, insert its algorithms into
- * their respective priority lists. Make sure they
- * only appear once in each list.
- */
- if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
- for (j=0; j<nkx; j++)
- if ( kx[j] == tlsg_ciphers[i].kx )
- break;
- if ( j == nkx )
- kx[nkx++] = tlsg_ciphers[i].kx;
- for (j=0; j<ncipher; j++)
- if ( cipher[j] == tlsg_ciphers[i].cipher )
- break;
- if ( j == ncipher )
- cipher[ncipher++] = tlsg_ciphers[i].cipher;
- for (j=0; j<nmac; j++)
- if ( mac[j] == tlsg_ciphers[i].mac )
- break;
- if ( j == nmac )
- mac[nmac++] = tlsg_ciphers[i].mac;
- break;
- }
- }
- ptr += len + 1;
- } while (end);
- kx[nkx] = 0;
- cipher[ncipher] = 0;
- mac[nmac] = 0;
- ctx->kx_list = kx;
- ctx->cipher_list = cipher;
- ctx->mac_list = mac;
- return 0;
-#endif
}
/*
return -1;
}
- gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
+ gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr_t)p );
gnutls_transport_set_pull_function( session->session, tlsg_recv );
gnutls_transport_set_push_function( session->session, tlsg_send );
p->session = session;