X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls_g.c;h=3bc62d9181a77dac3ab319e7943b6f1a96b55ed0;hb=e56a849e5d1ebde21092b9ff8a8cf4b9c5f8dfb6;hp=7396804392fd0e1f3a2015dffd639655dd89ad44;hpb=0a438aaf4361027adf02499ff1eb2ec072e127e3;p=openldap

diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 7396804392..3bc62d9181 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2008-2013 The OpenLDAP Foundation.
+ * Copyright 2008-2017 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43,47 +43,14 @@
 
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
-#include <gcrypt.h>
-
-#if LIBGNUTLS_VERSION_NUMBER >= 0x020200
-#define	HAVE_CIPHERSUITES	1
-/* This is a kludge. gcrypt 1.4.x has support. Recent GnuTLS requires gcrypt 1.4.x
- * but that dependency isn't reflected in their configure script, resulting in
- * build errors on older gcrypt. So, if they have a working build environment,
- * assume gcrypt is new enough.
- */
-#define HAVE_GCRYPT_RAND	1
-#else
-#undef HAVE_CIPHERSUITES
-#undef HAVE_GCRYPT_RAND
-#endif
-
-#ifndef HAVE_CIPHERSUITES
-/* Versions prior to 2.2.0 didn't handle cipher suites, so we had to
- * kludge them ourselves.
- */
-typedef struct tls_cipher_suite {
-	const char *name;
-	gnutls_kx_algorithm_t kx;
-	gnutls_cipher_algorithm_t cipher;
-	gnutls_mac_algorithm_t mac;
-	gnutls_protocol_t version;
-} tls_cipher_suite;
-#endif
 
 typedef struct tlsg_ctx {
-	struct ldapoptions *lo;
 	gnutls_certificate_credentials_t cred;
 	gnutls_dh_params_t dh_params;
 	unsigned long verify_depth;
 	int refcount;
-#ifdef HAVE_CIPHERSUITES
+	int reqcert;
 	gnutls_priority_t prios;
-#else
-	int *kx_list;
-	int *cipher_list;
-	int *mac_list;
-#endif
 #ifdef LDAP_R_COMPILE
 	ldap_pvt_thread_mutex_t ref_mutex;
 #endif
@@ -95,11 +62,6 @@ typedef struct tlsg_session {
 	struct berval peer_der_dn;
 } tlsg_session;
 
-#ifndef HAVE_CIPHERSUITES
-static tls_cipher_suite *tlsg_ciphers;
-static int tlsg_n_ciphers;
-#endif
-
 static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
 static int tlsg_cert_verify( tlsg_session *s );
 
@@ -143,20 +105,13 @@ tlsg_mutex_unlock( void **lock )
 	return ldap_pvt_thread_mutex_unlock( *lock );
 }
 
-static struct gcry_thread_cbs tlsg_thread_cbs = {
-	GCRY_THREAD_OPTION_USER,
-	NULL,
-	tlsg_mutex_init,
-	tlsg_mutex_destroy,
-	tlsg_mutex_lock,
-	tlsg_mutex_unlock,
-	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
-};
-
 static void
 tlsg_thr_init( void )
 {
-	gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
+	gnutls_global_set_mutex (tlsg_mutex_init,
+		tlsg_mutex_destroy,
+		tlsg_mutex_lock,
+		tlsg_mutex_unlock);
 }
 #endif /* LDAP_R_COMPILE */
 
@@ -166,47 +121,7 @@ tlsg_thr_init( void )
 static int
 tlsg_init( void )
 {
-#ifdef HAVE_GCRYPT_RAND
-	struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
-	if ( lo->ldo_tls_randfile &&
-		gcry_control( GCRYCTL_SET_RNDEGD_SOCKET, lo->ldo_tls_randfile )) {
-		Debug( LDAP_DEBUG_ANY,
-		"TLS: gcry_control GCRYCTL_SET_RNDEGD_SOCKET failed\n",
-		0, 0, 0);
-		return -1;
-	}
-#endif
-
 	gnutls_global_init();
-
-#ifndef HAVE_CIPHERSUITES
-	/* GNUtls cipher suite handling: The library ought to parse suite
-	 * names for us, but it doesn't. It will return a list of suite names
-	 * that it supports, so we can do parsing ourselves. It ought to tell
-	 * us how long the list is, but it doesn't do that either, so we just
-	 * have to count it manually...
-	 */
-	{
-		int i = 0;
-		tls_cipher_suite *ptr, tmp;
-		char cs_id[2];
-
-		while ( gnutls_cipher_suite_info( i, cs_id, &tmp.kx, &tmp.cipher,
-			&tmp.mac, &tmp.version ))
-			i++;
-		tlsg_n_ciphers = i;
-
-		/* Store a copy */
-		tlsg_ciphers = LDAP_MALLOC(tlsg_n_ciphers * sizeof(tls_cipher_suite));
-		if ( !tlsg_ciphers )
-			return -1;
-		for ( i=0; i<tlsg_n_ciphers; i++ ) {
-			tlsg_ciphers[i].name = gnutls_cipher_suite_info( i, cs_id,
-				&tlsg_ciphers[i].kx, &tlsg_ciphers[i].cipher, &tlsg_ciphers[i].mac,
-				&tlsg_ciphers[i].version );
-		}
-	}
-#endif
 	return 0;
 }
 
@@ -216,11 +131,6 @@ tlsg_init( void )
 static void
 tlsg_destroy( void )
 {
-#ifndef HAVE_CIPHERSUITES
-	LDAP_FREE( tlsg_ciphers );
-	tlsg_ciphers = NULL;
-	tlsg_n_ciphers = 0;
-#endif
 	gnutls_global_deinit();
 }
 
@@ -231,15 +141,12 @@ tlsg_ctx_new ( struct ldapoptions *lo )
 
 	ctx = ber_memcalloc ( 1, sizeof (*ctx) );
 	if ( ctx ) {
-		ctx->lo = lo;
 		if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
 			ber_memfree( ctx );
 			return NULL;
 		}
 		ctx->refcount = 1;
-#ifdef HAVE_CIPHERSUITES
 		gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
-#endif
 #ifdef LDAP_R_COMPILE
 		ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
 #endif
@@ -269,11 +176,7 @@ tlsg_ctx_free ( tls_ctx *ctx )
 	LDAP_MUTEX_UNLOCK( &c->ref_mutex );
 	if ( refcount )
 		return;
-#ifdef HAVE_CIPHERSUITES
 	gnutls_priority_deinit( c->prios );
-#else
-	LDAP_FREE( c->kx_list );
-#endif
 	gnutls_certificate_free_credentials( c->cred );
 	if ( c->dh_params )
 		gnutls_dh_params_deinit( c->dh_params );
@@ -368,7 +271,6 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 		 * then we have to build the cert chain.
 		 */
 		if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
-#if GNUTLS_VERSION_NUMBER >= 0x020c00
 			unsigned int i;
 			for ( i = 1; i<VERIFY_DEPTH; i++ ) {
 				if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
@@ -378,27 +280,6 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 				if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
 					break;
 			}
-#else
-			gnutls_x509_crt_t *cas;
-			unsigned int i, j, ncas;
-
-			gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
-			for ( i = 1; i<VERIFY_DEPTH; i++ ) {
-				for ( j = 0; j<ncas; j++ ) {
-					if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
-						certs[i] = cas[j];
-						max++;
-						/* If this CA is self-signed, we're done */
-						if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
-							j = ncas;
-						break;
-					}
-				}
-				/* only continue if we found a CA and it was not self-signed */
-				if ( j == ncas )
-					break;
-			}
-#endif
 		}
 		rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
 		if ( rc ) return -1;
@@ -436,6 +317,9 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 		if ( rc ) return -1;
 		gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
 	}
+
+	ctx->reqcert = lo->ldo_tls_require_cert;
+
 	return 0;
 }
 
@@ -451,25 +335,16 @@ tlsg_session_new ( tls_ctx * ctx, int is_server )
 
 	session->ctx = c;
 	gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
-#ifdef HAVE_CIPHERSUITES
 	gnutls_priority_set( session->session, c->prios );
-#else
-	gnutls_set_default_priority( session->session );
-	if ( c->kx_list ) {
-		gnutls_kx_set_priority( session->session, c->kx_list );
-		gnutls_cipher_set_priority( session->session, c->cipher_list );
-		gnutls_mac_set_priority( session->session, c->mac_list );
-	}
-#endif
 	if ( c->cred )
 		gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
 	
 	if ( is_server ) {
 		int flag = 0;
-		if ( c->lo->ldo_tls_require_cert ) {
+		if ( c->reqcert ) {
 			flag = GNUTLS_CERT_REQUEST;
-			if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
-				c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
+			if ( c->reqcert == LDAP_OPT_X_TLS_DEMAND ||
+				c->reqcert == LDAP_OPT_X_TLS_HARD )
 				flag = GNUTLS_CERT_REQUIRE;
 			gnutls_certificate_server_set_request( session->session, flag );
 		}
@@ -484,17 +359,17 @@ tlsg_session_accept( tls_session *session )
 	int rc;
 
 	rc = gnutls_handshake( s->session );
-	if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
+	if ( rc == 0 && s->ctx->reqcert != LDAP_OPT_X_TLS_NEVER ) {
 		const gnutls_datum_t *peer_cert_list;
 		unsigned int list_size;
 
 		peer_cert_list = gnutls_certificate_get_peers( s->session, 
 						&list_size );
-		if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY ) 
+		if ( !peer_cert_list && s->ctx->reqcert == LDAP_OPT_X_TLS_TRY )
 			rc = 0;
 		else {
 			rc = tlsg_cert_verify( s );
-			if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
+			if ( rc && s->ctx->reqcert == LDAP_OPT_X_TLS_ALLOW )
 				rc = 0;
 		}
 	}
@@ -797,8 +672,6 @@ tlsg_session_strength( tls_session *session )
 static int
 tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
 {
-/* channel bindings added in 2.12.0 */
-#if GNUTLS_VERSION_NUMBER >= 0x020c00
 	tlsg_session *s = (tlsg_session *)sess;
 	gnutls_datum_t cb;
 	int rc;
@@ -812,7 +685,6 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
 		memcpy( buf->bv_val, cb.data, len );
 		return len;
 	}
-#endif
 	return 0;
 }
 
@@ -852,88 +724,11 @@ tlsg_session_peercert( tls_session *sess, struct berval *der )
 static int
 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
 {
-#ifdef HAVE_CIPHERSUITES
 	const char *err;
 	int rc = gnutls_priority_init( &ctx->prios, suites, &err );
 	if ( rc )
 		ctx->prios = NULL;
 	return rc;
-#else
-	char *ptr, *end;
-	int i, j, len, num;
-	int *list, nkx = 0, ncipher = 0, nmac = 0;
-	int *kx, *cipher, *mac;
-
-	num = 0;
-	ptr = suites;
-	do {
-		end = strchr(ptr, ':');
-		if ( end )
-			len = end - ptr;
-		else
-			len = strlen(ptr);
-		for (i=0; i<tlsg_n_ciphers; i++) {
-			if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
-				num++;
-				break;
-			}
-		}
-		if ( i == tlsg_n_ciphers ) {
-			/* unrecognized cipher suite */
-			return -1;
-		}
-		ptr += len + 1;
-	} while (end);
-
-	/* Space for all 3 lists */
-	list = LDAP_MALLOC( (num+1) * sizeof(int) * 3 );
-	if ( !list )
-		return -1;
-	kx = list;
-	cipher = kx+num+1;
-	mac = cipher+num+1;
-
-	ptr = suites;
-	do {
-		end = strchr(ptr, ':');
-		if ( end )
-			len = end - ptr;
-		else
-			len = strlen(ptr);
-		for (i=0; i<tlsg_n_ciphers; i++) {
-			/* For each cipher suite, insert its algorithms into
-			 * their respective priority lists. Make sure they
-			 * only appear once in each list.
-			 */
-			if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
-				for (j=0; j<nkx; j++)
-					if ( kx[j] == tlsg_ciphers[i].kx )
-						break;
-				if ( j == nkx )
-					kx[nkx++] = tlsg_ciphers[i].kx;
-				for (j=0; j<ncipher; j++)
-					if ( cipher[j] == tlsg_ciphers[i].cipher )
-						break;
-				if ( j == ncipher ) 
-					cipher[ncipher++] = tlsg_ciphers[i].cipher;
-				for (j=0; j<nmac; j++)
-					if ( mac[j] == tlsg_ciphers[i].mac )
-						break;
-				if ( j == nmac )
-					mac[nmac++] = tlsg_ciphers[i].mac;
-				break;
-			}
-		}
-		ptr += len + 1;
-	} while (end);
-	kx[nkx] = 0;
-	cipher[ncipher] = 0;
-	mac[nmac] = 0;
-	ctx->kx_list = kx;
-	ctx->cipher_list = cipher;
-	ctx->mac_list = mac;
-	return 0;
-#endif
 }
 
 /*