From: Howard Chu Date: Sat, 8 Apr 2017 23:13:42 +0000 (+0100) Subject: Add options to use DER format cert+keys directly X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=b402a2805f8b96d2751a7315ea5e70e5082965ed;p=openldap Add options to use DER format cert+keys directly Instead of loading from files. --- diff --git a/include/ldap.h b/include/ldap.h index 4caacb15b3..588e9066dc 100644 --- a/include/ldap.h +++ b/include/ldap.h @@ -162,6 +162,9 @@ LDAP_BEGIN_DECL #define LDAP_OPT_X_TLS_VERSION 0x6013 /* read-only */ #define LDAP_OPT_X_TLS_CIPHER 0x6014 /* read-only */ #define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */ +#define LDAP_OPT_X_TLS_CACERT 0x6016 +#define LDAP_OPT_X_TLS_CERT 0x6017 +#define LDAP_OPT_X_TLS_KEY 0x6018 #define LDAP_OPT_X_TLS_NEVER 0 #define LDAP_OPT_X_TLS_HARD 1 diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h index db100c8058..bcd6118b5f 100644 --- a/libraries/libldap/ldap-int.h +++ b/libraries/libldap/ldap-int.h @@ -167,6 +167,9 @@ struct ldaptls { char *lt_randfile; /* OpenSSL only */ char *lt_ecname; /* OpenSSL only */ int lt_protocol_min; + struct berval lt_cacert; + struct berval lt_cert; + struct berval lt_key; }; #endif @@ -258,6 +261,9 @@ struct ldapoptions { #define ldo_tls_protocol_min ldo_tls_info.lt_protocol_min #define ldo_tls_crlfile ldo_tls_info.lt_crlfile #define ldo_tls_randfile ldo_tls_info.lt_randfile +#define ldo_tls_cacert ldo_tls_info.lt_cacert +#define ldo_tls_cert ldo_tls_info.lt_cert +#define ldo_tls_key ldo_tls_info.lt_key int ldo_tls_mode; int ldo_tls_require_cert; int ldo_tls_impl; diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c index d6b36bbd36..732826b2e0 100644 --- a/libraries/libldap/tls2.c +++ b/libraries/libldap/tls2.c @@ -199,7 +199,9 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) tls_init( ti ); if ( is_server && !lts.lt_certfile && !lts.lt_keyfile && - !lts.lt_cacertfile && !lts.lt_cacertdir ) { + !lts.lt_cacertfile && !lts.lt_cacertdir && + !lts.lt_cacert.bv_val && !lts.lt_cert.bv_val && + !lts.lt_key.bv_val ) { /* minimum configuration not provided */ return LDAP_NOT_SUPPORTED; } @@ -864,6 +866,36 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); lo->ldo_tls_ctx = NULL; return ldap_int_tls_init_ctx( lo, *(int *)arg ); + case LDAP_OPT_X_TLS_CACERT: + if ( !arg ) return -1; + if ( lo->ldo_tls_cacert.bv_val ) + LDAP_FREE( lo->ldo_tls_cacert.bv_val ); + lo->ldo_tls_cacert.bv_len = ((struct berval *)arg)->bv_len; + lo->ldo_tls_cacert.bv_val = LDAP_MALLOC( lo->ldo_tls_cacert.bv_len ); + if ( !lo->ldo_tls_cacert.bv_val ) + return -1; + AC_MEMCPY( lo->ldo_tls_cacert.bv_val, ((struct berval *)arg)->bv_val, lo->ldo_tls_cacert.bv_len ); + break; + case LDAP_OPT_X_TLS_CERT: + if ( !arg ) return -1; + if ( lo->ldo_tls_cert.bv_val ) + LDAP_FREE( lo->ldo_tls_cert.bv_val ); + lo->ldo_tls_cert.bv_len = ((struct berval *)arg)->bv_len; + lo->ldo_tls_cert.bv_val = LDAP_MALLOC( lo->ldo_tls_cert.bv_len ); + if ( !lo->ldo_tls_cert.bv_val ) + return -1; + AC_MEMCPY( lo->ldo_tls_cert.bv_val, ((struct berval *)arg)->bv_val, lo->ldo_tls_cert.bv_len ); + break; + case LDAP_OPT_X_TLS_KEY: + if ( !arg ) return -1; + if ( lo->ldo_tls_key.bv_val ) + LDAP_FREE( lo->ldo_tls_key.bv_val ); + lo->ldo_tls_key.bv_len = ((struct berval *)arg)->bv_len; + lo->ldo_tls_key.bv_val = LDAP_MALLOC( lo->ldo_tls_key.bv_len ); + if ( !lo->ldo_tls_key.bv_val ) + return -1; + AC_MEMCPY( lo->ldo_tls_key.bv_val, ((struct berval *)arg)->bv_val, lo->ldo_tls_key.bv_len ); + break; default: return -1; } diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c index 795278d30d..ce0663b66b 100644 --- a/libraries/libldap/tls_o.c +++ b/libraries/libldap/tls_o.c @@ -114,7 +114,7 @@ static void tlso_thr_init( void ) {} #endif /* OpenSSL 1.1 */ static STACK_OF(X509_NAME) * -tlso_ca_list( char * bundle, char * dir ) +tlso_ca_list( char * bundle, char * dir, X509 *cert ) { STACK_OF(X509_NAME) *ca_list = NULL; @@ -136,6 +136,12 @@ tlso_ca_list( char * bundle, char * dir ) } } #endif + if ( cert ) { + X509_NAME *xn = X509_get_subject_name( cert ); + xn = X509_NAME_dup( xn ); + if ( xn ) + sk_X509_NAME_push( ca_list, xn ); + } return ca_list; } @@ -266,7 +272,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) return -1; } - if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) { + if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL && + lo->ldo_tls_cacert.bv_val == NULL ) { if ( !SSL_CTX_set_default_verify_paths( ctx ) ) { Debug( LDAP_DEBUG_ANY, "TLS: " "could not use default certificate paths", 0, 0, 0 ); @@ -274,7 +281,19 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) return -1; } } else { - if ( !SSL_CTX_load_verify_locations( ctx, + X509 *cert = NULL; + if ( lo->ldo_tls_cacert.bv_val ) { + const unsigned char *pp = lo->ldo_tls_cacert.bv_val; + cert = d2i_X509( NULL, &pp, lo->ldo_tls_cacert.bv_len ); + X509_STORE *store = SSL_CTX_get_cert_store( ctx ); + if ( !X509_STORE_add_cert( store, cert )) { + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not use CA certificate", 0, 0, 0 ); + tlso_report_error(); + return -1; + } + } + if (( lt->lt_cacertfile || lt->lt_cacertdir ) && !SSL_CTX_load_verify_locations( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) { Debug( LDAP_DEBUG_ANY, "TLS: " @@ -289,7 +308,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) if ( is_server ) { STACK_OF(X509_NAME) *calist; /* List of CA names to send to a client */ - calist = tlso_ca_list( lt->lt_cacertfile, lt->lt_cacertdir ); + calist = tlso_ca_list( lt->lt_cacertfile, lt->lt_cacertdir, cert ); if ( !calist ) { Debug( LDAP_DEBUG_ANY, "TLS: " "could not load client CA list (file:`%s',dir:`%s').\n", @@ -302,20 +321,47 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) SSL_CTX_set_client_CA_list( ctx, calist ); } + if ( cert ) + X509_free( cert ); } + if ( lo->ldo_tls_cert.bv_val ) + { + const unsigned char *pp = lo->ldo_tls_cert.bv_val; + X509 *cert = d2i_X509( NULL, &pp, lo->ldo_tls_cert.bv_len ); + if ( !SSL_CTX_use_certificate( ctx, cert )) { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use certificate.\n", 0,0,0); + tlso_report_error(); + return -1; + } + X509_free( cert ); + } else if ( lo->ldo_tls_certfile && !SSL_CTX_use_certificate_file( ctx, lt->lt_certfile, SSL_FILETYPE_PEM ) ) { Debug( LDAP_DEBUG_ANY, - "TLS: could not use certificate `%s'.\n", + "TLS: could not use certificate file `%s'.\n", lo->ldo_tls_certfile,0,0); tlso_report_error(); return -1; } /* Key validity is checked automatically if cert has already been set */ + if ( lo->ldo_tls_key.bv_val ) + { + const unsigned char *pp = lo->ldo_tls_key.bv_val; + EVP_PKEY *pkey = d2i_AutoPrivateKey( NULL, &pp, lo->ldo_tls_key.bv_len ); + if ( !SSL_CTX_use_PrivateKey( ctx, pkey )) + { + Debug( LDAP_DEBUG_ANY, + "TLS: could not use private key.\n", 0,0,0); + tlso_report_error(); + return -1; + } + EVP_PKEY_free( pkey ); + } else if ( lo->ldo_tls_keyfile && !SSL_CTX_use_PrivateKey_file( ctx, lt->lt_keyfile, SSL_FILETYPE_PEM ) )