X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls_m.c;h=a8691c59776cbe51658ab23bff17eb579549d80c;hb=e56a849e5d1ebde21092b9ff8a8cf4b9c5f8dfb6;hp=1422ce26c0ab40c115edf91a7a948a36eae47168;hpb=6062cd9777bd2e1d9d99e5b3d5e25d0dab87f7ba;p=openldap
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 1422ce26c0..a8691c5977 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software .
 *
- * Copyright 2008-2012 The OpenLDAP Foundation.
+ * Copyright 2008-2017 The OpenLDAP Foundation.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -912,6 +912,7 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
 int infd = PR_FileDesc2NativeHandle( PR_STDIN );
 int isTTY = isatty( infd );
 unsigned char phrase[200];
+ char *dummy;
 /* Prompt for password */
 if ( isTTY ) {
 fprintf( stdout,
@@ -919,7 +920,8 @@ tlsm_get_pin(PK11SlotInfo *slot, PRBool retry, tlsm_ctx *ctx)
 token_name ? token_name : DEFAULT_TOKEN_NAME );
 echoOff( infd );
 }
- fgets( (char*)phrase, sizeof(phrase), stdin );
+ dummy = fgets( (char*)phrase, sizeof(phrase), stdin );
+ (void) dummy;
 if ( isTTY ) {
 fprintf( stdout, "\n" );
 echoOn( infd );
@@ -1639,6 +1641,8 @@ tlsm_deferred_init( void *arg )
 NSSInitContext *initctx = NULL;
 PK11SlotInfo *certdb_slot = NULL;
 #endif
+ SSLVersionRange range;
+ SSLProtocolVariant variant;
 SECStatus rc;
 int done = 0;
 
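Review bot: The NULL return of fgets() on the phrase line is only parked in `dummy` and thrown away, so on EOF or a read error tlsm_get_pin carries on with `phrase` uninitialized (it is declared without an initializer two lines above the added `char *dummy;`) and whatever follows the hunk treats stack garbage as the PIN. Check the result instead of silencing the warning: `if ( fgets( (char*)phrase, sizeof(phrase), stdin ) == NULL ) phrase[0] = '\0';` — that keeps the echoOn() path below intact, lets the rest of the function reject an empty PIN, and makes the `dummy` declaration in the preceding hunk unnecessary. tlsm_get_pin starts and ends outside the hunk; since `phrase` holds a secret it is worth confirming that the part not shown here clears the buffer before returning.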
@@ -1823,6 +1827,16 @@ tlsm_deferred_init( void *arg )
 ctx->tc_using_pem = PR_TRUE;
 }
 
+ /*
+ * Set the SSL version range. MozNSS SSL versions are the same as openldap's:
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); /* this sets the max */
+ range.min = lt->lt_protocol_min ? lt->lt_protocol_min : range.min;
+ variant = ssl_variant_stream;
+ SSL_VersionRangeSetDefault(variant, &range);
+
 NSS_SetDomesticPolicy();
 
 PK11_SetPasswordFunc( tlsm_pin_prompt );
@@ -2064,8 +2078,10 @@ tlsm_ctx_free ( tls_ctx *ctx )
 errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
 }
 }
- PL_strfree( c->tc_pin_file );
- c->tc_pin_file = NULL;
+ if ( c->tc_pin_file ) {
+ PL_strfree( c->tc_pin_file );
+ c->tc_pin_file = NULL;
+ }
 tlsm_free_pem_objs( c );
 #ifdef HAVE_NSS_INITCONTEXT
 if ( c->tc_initctx ) {
@@ -2315,7 +2331,8 @@ tlsm_deferred_ctx_init( void *arg )
 return rc;
 }
 } else {
- PL_strfree( ctx->tc_pin_file );
+ if ( ctx->tc_pin_file )
+ PL_strfree( ctx->tc_pin_file );
 ctx->tc_pin_file = PL_strdup( lt->lt_keyfile );
 }
 }
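Review bot: Both SSL_VersionRangeGetSupported() and SSL_VersionRangeSetDefault() return a SECStatus that the new version-range block ignores, so if the first call fails `range` is consumed uninitialized, and if the second fails (for instance because lt_protocol_min falls outside what the linked NSS supports) the configured minimum protocol silently never takes effect and sessions keep negotiating whatever NSS defaults to. Treat either failure as a fatal init error: `if ( SSL_VersionRangeGetSupported( ssl_variant_stream, &range ) != SECSuccess ) { /* report PR_GetError() via PR_ErrorToString as tlsm_ctx_free does, return -1 */ }` and the same check around the SetDefault call; tlsm_deferred_init starts and ends outside the hunk, so the exact logging call it uses elsewhere is not visible here. The `variant` local, together with its declaration in the earlier hunk, only restates `ssl_variant_stream` and can be dropped. The comment should also say explicitly that `lt_protocol_min` is stored into `range.min` without conversion only because the two enumerations share values, so a reader knows that invariant has to hold.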
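Review bot: The added `if ( ctx->tc_pin_file )` in tlsm_deferred_ctx_init guards a single unbraced statement, while the equivalent guard added in tlsm_ctx_free in the hunk above is braced; brace this one too so the following `ctx->tc_pin_file = PL_strdup( lt->lt_keyfile );` can never be misread as part of the conditional: `if ( ctx->tc_pin_file ) { PL_strfree( ctx->tc_pin_file ); }`. If NSPR's PL_strfree() already tolerates NULL, as its plstr.c implementation appears to, both new guards are purely defensive; either way their shape should match.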
@@ -2838,6 +2855,79 @@ tlsm_session_strength( tls_session *session )
 return rc ? 0 : keySize;
 }
 
+static int
+tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
+{
+ /* Need upstream support https://bugzilla.mozilla.org/show_bug.cgi?id=563276 */
+ return 0;
+}
+
+/*
+ * Yet again, we're pasting in glue that MozNSS ought to provide itself.
+ *
+ * SSL_LIBRARY_VERSION_TLS_1_* are equivalent to LDAP_OPT_X_TLS_PROTOCOL_TLS1_*
+ */
+static struct {
+ const char *name;
+ int num;
+} pvers[] = {
+ { "SSLv2", SSL_LIBRARY_VERSION_2 },
+ { "SSLv3", SSL_LIBRARY_VERSION_3_0 },
+ { "TLSv1", SSL_LIBRARY_VERSION_TLS_1_0 },
+ { "TLSv1.1", SSL_LIBRARY_VERSION_TLS_1_1 },
+ { "TLSv1.2", SSL_LIBRARY_VERSION_TLS_1_2 },
+ { "TLSv1.3", SSL_LIBRARY_VERSION_TLS_1_3 },
+ { NULL, 0 }
+};
+
+static const char *
+tlsm_session_version( tls_session *sess )
+{
+ tlsm_session *s = (tlsm_session *)sess;
+ SSLChannelInfo info;
+ int rc;
+ rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
+ if ( rc == 0 ) {
+ int i;
+ for (i=0; pvers[i].name; i++)
+ if (pvers[i].num == info.protocolVersion)
+ return pvers[i].name;
+ }
+ return "unknown";
+}
+
+static const char *
+tlsm_session_cipher( tls_session *sess )
+{
+ tlsm_session *s = (tlsm_session *)sess;
+ SSLChannelInfo info;
+ int rc;
+ rc = SSL_GetChannelInfo( s, &info, sizeof( info ));
+ if ( rc == 0 ) {
+ SSLCipherSuiteInfo csinfo;
+ rc = SSL_GetCipherSuiteInfo( info.cipherSuite, &csinfo, sizeof( csinfo ));
+ if ( rc == 0 )
+ return csinfo.cipherSuiteName;
+ }
+ return "unknown";
+}
+
+static int
+tlsm_session_peercert( tls_session *sess, struct berval *der )
+{
+ tlsm_session *s = (tlsm_session *)sess;
+ CERTCertificate *cert;
+ cert = SSL_PeerCertificate( s );
+ if (!cert)
+ return -1;
+ der->bv_len = cert->derCert.len;
+ der->bv_val = LDAP_MALLOC( der->bv_len );
+ if (!der->bv_val)
+ return -1;
+ memcpy( der->bv_val, cert->derCert.data, der->bv_len );
+ return 0;
+}
+
 /*
 * TLS support for LBER Sockbufs
 */
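Review bot: tlsm_session_peercert leaks the certificate handed back by SSL_PeerCertificate(): NSS returns a reference the caller owns and must release with CERT_DestroyCertificate(), but neither the success path nor the LDAP_MALLOC failure path does so, so every call of the peer-cert hook pins another reference until the process exits. On the allocation failure the function also returns with `der->bv_len` already set to the DER length while `bv_val` is NULL, leaving the caller an inconsistent berval; that path should zero bv_len. The rewrite below keeps the interface and releases the certificate on both paths. Separately, tlsm_session_version and tlsm_session_cipher test the SECStatus results with `rc == 0`; `rc == SECSuccess` would state the intent directly.
```c
static int
tlsm_session_peercert( tls_session *sess, struct berval *der )
{
	/* … unchanged: s and cert declarations … */
	int rc = -1;
	/* … unchanged: SSL_PeerCertificate() call, its NULL check, bv_len and LDAP_MALLOC … */
	if ( der->bv_val ) {
		memcpy( der->bv_val, cert->derCert.data, der->bv_len );
		rc = 0;
	} else {
		der->bv_len = 0;
	}
	/* SSL_PeerCertificate() returns an owned reference; drop it on every path */
	CERT_DestroyCertificate( cert );
	return rc;
}
```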
@@ -3266,6 +3356,10 @@ tls_impl ldap_int_tls_impl = {
 tlsm_session_peer_dn,
 tlsm_session_chkhost,
 tlsm_session_strength,
+ tlsm_session_unique,
+ tlsm_session_version,
+ tlsm_session_cipher,
+ tlsm_session_peercert,
 &tlsm_sbio,