1 /* tls_g.c - Handle tls/ssl using GNUTLS. */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2008-2017 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* ACKNOWLEDGEMENTS: GNUTLS support written by Howard Chu and
17 * Emily Backes; sponsored by The Written Word (thewrittenword.com)
18 * and Stanford University (stanford.edu).
25 #include "ldap_config.h"
29 #include <ac/stdlib.h>
31 #include <ac/socket.h>
32 #include <ac/string.h>
35 #include <ac/unistd.h>
37 #include <ac/dirent.h>
44 #include <gnutls/gnutls.h>
45 #include <gnutls/x509.h>
46 #include <gnutls/abstract.h>
47 #include <gnutls/crypto.h>
49 typedef struct tlsg_ctx {
50 gnutls_certificate_credentials_t cred;
51 gnutls_dh_params_t dh_params;
52 unsigned long verify_depth;
55 gnutls_priority_t prios;
57 ldap_pvt_thread_mutex_t ref_mutex;
61 typedef struct tlsg_session {
62 gnutls_session_t session;
64 struct berval peer_der_dn;
67 static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
68 static int tlsg_cert_verify( tlsg_session *s );
73 tlsg_mutex_init( void **priv )
76 ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
81 err = ldap_pvt_thread_mutex_init( lock );
91 tlsg_mutex_destroy( void **lock )
93 int err = ldap_pvt_thread_mutex_destroy( *lock );
99 tlsg_mutex_lock( void **lock )
101 return ldap_pvt_thread_mutex_lock( *lock );
105 tlsg_mutex_unlock( void **lock )
107 return ldap_pvt_thread_mutex_unlock( *lock );
111 tlsg_thr_init( void )
113 gnutls_global_set_mutex (tlsg_mutex_init,
118 #endif /* LDAP_R_COMPILE */
121 * Initialize TLS subsystem. Should be called only once.
126 gnutls_global_init();
131 * Tear down the TLS subsystem. Should only be called once.
136 gnutls_global_deinit();
140 tlsg_ctx_new ( struct ldapoptions *lo )
144 ctx = ber_memcalloc ( 1, sizeof (*ctx) );
146 if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
151 gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
152 #ifdef LDAP_R_COMPILE
153 ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
156 return (tls_ctx *)ctx;
160 tlsg_ctx_ref( tls_ctx *ctx )
162 tlsg_ctx *c = (tlsg_ctx *)ctx;
163 LDAP_MUTEX_LOCK( &c->ref_mutex );
165 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
169 tlsg_ctx_free ( tls_ctx *ctx )
171 tlsg_ctx *c = (tlsg_ctx *)ctx;
176 LDAP_MUTEX_LOCK( &c->ref_mutex );
177 refcount = --c->refcount;
178 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
181 gnutls_priority_deinit( c->prios );
182 gnutls_certificate_free_credentials( c->cred );
184 gnutls_dh_params_deinit( c->dh_params );
189 tlsg_getfile( const char *path, gnutls_datum_t *buf )
194 fd = open( path, O_RDONLY );
195 if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
196 buf->size = st.st_size;
197 buf->data = LDAP_MALLOC( st.st_size + 1 );
199 rc = read( fd, buf->data, st.st_size );
201 if ( rc < st.st_size )
210 /* This is the GnuTLS default */
211 #define VERIFY_DEPTH 6
214 * initialize a new TLS context
217 tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
219 tlsg_ctx *ctx = lo->ldo_tls_ctx;
222 if ( lo->ldo_tls_ciphersuite &&
223 tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
224 Debug( LDAP_DEBUG_ANY,
225 "TLS: could not set cipher list %s.\n",
226 lo->ldo_tls_ciphersuite, 0, 0 );
230 if (lo->ldo_tls_cacertdir != NULL) {
231 Debug( LDAP_DEBUG_ANY,
232 "TLS: warning: cacertdir not implemented for gnutls\n",
236 if (lo->ldo_tls_cacertfile != NULL) {
237 rc = gnutls_certificate_set_x509_trust_file(
240 GNUTLS_X509_FMT_PEM );
241 if ( rc < 0 ) return -1;
243 if (lo->ldo_tls_cacert.bv_val != NULL ) {
245 buf.data = (unsigned char *)lo->ldo_tls_cacert.bv_val;
246 buf.size = lo->ldo_tls_cacert.bv_len;
247 rc = gnutls_certificate_set_x509_trust_mem(
250 GNUTLS_X509_FMT_DER );
251 if ( rc < 0 ) return -1;
254 if (( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) ||
255 ( lo->ldo_tls_cert.bv_val && lo->ldo_tls_key.bv_val )) {
256 gnutls_x509_privkey_t key;
258 gnutls_x509_crt_t certs[VERIFY_DEPTH];
259 unsigned int max = VERIFY_DEPTH;
261 rc = gnutls_x509_privkey_init( &key );
264 /* OpenSSL builds the cert chain for us, but GnuTLS
265 * expects it to be present in the certfile. If it's
266 * not, we have to build it ourselves. So we have to
267 * do some special checks here...
269 if ( lo->ldo_tls_key.bv_val ) {
270 buf.data = (unsigned char *)lo->ldo_tls_key.bv_val;
271 buf.size = lo->ldo_tls_key.bv_len;
272 rc = gnutls_x509_privkey_import( key, &buf,
273 GNUTLS_X509_FMT_DER );
275 rc = tlsg_getfile( lt->lt_keyfile, &buf );
277 rc = gnutls_x509_privkey_import( key, &buf,
278 GNUTLS_X509_FMT_PEM );
279 LDAP_FREE( buf.data );
281 if ( rc < 0 ) return rc;
283 if ( lo->ldo_tls_cert.bv_val ) {
284 buf.data = (unsigned char *)lo->ldo_tls_cert.bv_val;
285 buf.size = lo->ldo_tls_cert.bv_len;
286 rc = gnutls_x509_crt_list_import( certs, &max, &buf,
287 GNUTLS_X509_FMT_DER, 0 );
289 rc = tlsg_getfile( lt->lt_certfile, &buf );
291 rc = gnutls_x509_crt_list_import( certs, &max, &buf,
292 GNUTLS_X509_FMT_PEM, 0 );
293 LDAP_FREE( buf.data );
295 if ( rc < 0 ) return rc;
297 /* If there's only one cert and it's not self-signed,
298 * then we have to build the cert chain.
300 if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
302 for ( i = 1; i<VERIFY_DEPTH; i++ ) {
303 if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
306 /* If this CA is self-signed, we're done */
307 if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
311 rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
313 } else if (( lo->ldo_tls_certfile || lo->ldo_tls_keyfile )) {
314 Debug( LDAP_DEBUG_ANY,
315 "TLS: only one of certfile and keyfile specified\n",
318 } else if (( lo->ldo_tls_cert.bv_val || lo->ldo_tls_key.bv_val )) {
319 Debug( LDAP_DEBUG_ANY,
320 "TLS: only one of cert and key specified\n",
325 if ( lo->ldo_tls_crlfile ) {
326 rc = gnutls_certificate_set_x509_crl_file(
329 GNUTLS_X509_FMT_PEM );
330 if ( rc < 0 ) return -1;
334 /* FIXME: ITS#5992 - this should be configurable,
335 * and V1 CA certs should be phased out ASAP.
337 gnutls_certificate_set_verify_flags( ctx->cred,
338 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
340 if ( is_server && lo->ldo_tls_dhfile ) {
342 rc = tlsg_getfile( lo->ldo_tls_dhfile, &buf );
344 rc = gnutls_dh_params_init( &ctx->dh_params );
346 rc = gnutls_dh_params_import_pkcs3( ctx->dh_params, &buf,
347 GNUTLS_X509_FMT_PEM );
348 LDAP_FREE( buf.data );
350 gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
353 ctx->reqcert = lo->ldo_tls_require_cert;
359 tlsg_session_new ( tls_ctx * ctx, int is_server )
361 tlsg_ctx *c = (tlsg_ctx *)ctx;
362 tlsg_session *session;
364 session = ber_memcalloc ( 1, sizeof (*session) );
369 gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
370 gnutls_priority_set( session->session, c->prios );
372 gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
377 flag = GNUTLS_CERT_REQUEST;
378 if ( c->reqcert == LDAP_OPT_X_TLS_DEMAND ||
379 c->reqcert == LDAP_OPT_X_TLS_HARD )
380 flag = GNUTLS_CERT_REQUIRE;
381 gnutls_certificate_server_set_request( session->session, flag );
384 return (tls_session *)session;
388 tlsg_session_accept( tls_session *session )
390 tlsg_session *s = (tlsg_session *)session;
393 for ( rc = gnutls_handshake ( s->session );
394 rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN;
395 rc = gnutls_handshake ( s->session ) );
396 if ( rc == 0 && s->ctx->reqcert != LDAP_OPT_X_TLS_NEVER ) {
397 const gnutls_datum_t *peer_cert_list;
398 unsigned int list_size;
400 peer_cert_list = gnutls_certificate_get_peers( s->session,
402 if ( !peer_cert_list && s->ctx->reqcert == LDAP_OPT_X_TLS_TRY )
405 rc = tlsg_cert_verify( s );
406 if ( rc && s->ctx->reqcert == LDAP_OPT_X_TLS_ALLOW )
414 tlsg_session_connect( LDAP *ld, tls_session *session )
416 return tlsg_session_accept( session);
420 tlsg_session_upflags( Sockbuf *sb, tls_session *session, int rc )
422 tlsg_session *s = (tlsg_session *)session;
424 if ( rc != GNUTLS_E_INTERRUPTED && rc != GNUTLS_E_AGAIN )
427 switch (gnutls_record_get_direction (s->session)) {
429 sb->sb_trans_needs_read = 1;
432 sb->sb_trans_needs_write = 1;
439 tlsg_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
441 return (char *)gnutls_strerror( rc );
445 tlsg_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
447 BerElementBuffer berbuf;
448 BerElement *ber = (BerElement *)&berbuf;
453 ber_init2( ber, cert, LBER_USE_DER );
454 tag = ber_skip_tag( ber, &len ); /* Sequence */
455 tag = ber_skip_tag( ber, &len ); /* Sequence */
456 tag = ber_peek_tag( ber, &len ); /* Context + Constructed (version) */
457 if ( tag == 0xa0 ) { /* Version is optional */
458 tag = ber_skip_tag( ber, &len );
459 tag = ber_get_int( ber, &i ); /* Int: Version */
461 tag = ber_skip_tag( ber, &len ); /* Int: Serial (can be longer than ber_int_t) */
462 ber_skip_data( ber, len );
463 tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
464 ber_skip_data( ber, len );
465 if ( !get_subject ) {
466 tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
468 tag = ber_skip_tag( ber, &len );
469 ber_skip_data( ber, len );
470 tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
471 ber_skip_data( ber, len );
472 tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
474 len = ber_ptrlen( ber );
475 dn->bv_val = cert->bv_val + len;
476 dn->bv_len = cert->bv_len - len;
480 tlsg_session_my_dn( tls_session *session, struct berval *der_dn )
482 tlsg_session *s = (tlsg_session *)session;
483 const gnutls_datum_t *x;
486 x = gnutls_certificate_get_ours( s->session );
488 if (!x) return LDAP_INVALID_CREDENTIALS;
490 bv.bv_val = (char *) x->data;
493 tlsg_x509_cert_dn( &bv, der_dn, 1 );
498 tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
500 tlsg_session *s = (tlsg_session *)session;
501 if ( !s->peer_der_dn.bv_val ) {
502 const gnutls_datum_t *peer_cert_list;
503 unsigned int list_size;
506 peer_cert_list = gnutls_certificate_get_peers( s->session,
508 if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
510 bv.bv_len = peer_cert_list->size;
511 bv.bv_val = (char *) peer_cert_list->data;
513 tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
515 *der_dn = s->peer_der_dn;
519 /* what kind of hostname were we given? */
524 #define CN_OID "2.5.4.3"
527 tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
529 tlsg_session *s = (tlsg_session *)session;
531 const gnutls_datum_t *peer_cert_list;
532 unsigned int list_size;
533 char altname[NI_MAXHOST];
536 gnutls_x509_crt_t cert;
541 struct in6_addr addr;
545 int len1 = 0, len2 = 0;
548 if( ldap_int_hostname &&
549 ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
551 name = ldap_int_hostname;
556 peer_cert_list = gnutls_certificate_get_peers( s->session,
558 if ( !peer_cert_list ) {
559 Debug( LDAP_DEBUG_ANY,
560 "TLS: unable to get peer certificate.\n",
562 /* If this was a fatal condition, things would have
563 * aborted long before now.
567 ret = gnutls_x509_crt_init( &cert );
569 return LDAP_LOCAL_ERROR;
570 ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
572 gnutls_x509_crt_deinit( cert );
573 return LDAP_LOCAL_ERROR;
577 if (inet_pton(AF_INET6, name, &addr)) {
581 if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
582 if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
585 if (ntype == IS_DNS) {
587 domain = strchr(name, '.');
589 len2 = len1 - (domain-name);
593 for ( i=0, ret=0; ret >= 0; i++ ) {
594 altnamesize = sizeof(altname);
595 ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
596 altname, &altnamesize, NULL );
597 if ( ret < 0 ) break;
600 if ( altnamesize == 0 ) continue;
602 if ( ret == GNUTLS_SAN_DNSNAME ) {
603 if (ntype != IS_DNS) continue;
605 /* Is this an exact match? */
606 if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
610 /* Is this a wildcard match? */
611 if (domain && (altname[0] == '*') && (altname[1] == '.') &&
612 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
616 } else if ( ret == GNUTLS_SAN_IPADDRESS ) {
617 if (ntype == IS_DNS) continue;
620 if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
624 if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
627 if (!memcmp(altname, &addr, altnamesize)) {
635 /* find the last CN */
639 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
640 i, 1, altname, &altnamesize );
641 if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER )
648 altnamesize = sizeof(altname);
649 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
650 i-1, 0, altname, &altnamesize );
654 Debug( LDAP_DEBUG_ANY,
655 "TLS: unable to get common name from peer certificate.\n",
657 ret = LDAP_CONNECT_ERROR;
658 if ( ld->ld_error ) {
659 LDAP_FREE( ld->ld_error );
661 ld->ld_error = LDAP_STRDUP(
662 _("TLS: unable to get CN from peer certificate"));
665 ret = LDAP_LOCAL_ERROR;
666 if ( !len1 ) len1 = strlen( name );
667 if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
670 } else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
671 /* Is this a wildcard match? */
673 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
679 if( ret == LDAP_LOCAL_ERROR ) {
680 altname[altnamesize] = '\0';
681 Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
682 "common name in certificate (%s).\n",
684 ret = LDAP_CONNECT_ERROR;
685 if ( ld->ld_error ) {
686 LDAP_FREE( ld->ld_error );
688 ld->ld_error = LDAP_STRDUP(
689 _("TLS: hostname does not match CN in peer certificate"));
692 gnutls_x509_crt_deinit( cert );
697 tlsg_session_strength( tls_session *session )
699 tlsg_session *s = (tlsg_session *)session;
700 gnutls_cipher_algorithm_t c;
702 c = gnutls_cipher_get( s->session );
703 return gnutls_cipher_get_key_size( c ) * 8;
707 tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
709 tlsg_session *s = (tlsg_session *)sess;
713 rc = gnutls_session_channel_binding( s->session, GNUTLS_CB_TLS_UNIQUE, &cb );
716 if ( len > buf->bv_len )
719 memcpy( buf->bv_val, cb.data, len );
726 tlsg_session_version( tls_session *sess )
728 tlsg_session *s = (tlsg_session *)sess;
729 return gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));
733 tlsg_session_cipher( tls_session *sess )
735 tlsg_session *s = (tlsg_session *)sess;
736 return gnutls_cipher_get_name(gnutls_cipher_get( s->session ));
740 tlsg_session_peercert( tls_session *sess, struct berval *der )
742 tlsg_session *s = (tlsg_session *)sess;
743 const gnutls_datum_t *peer_cert_list;
744 unsigned int list_size;
746 peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
749 der->bv_len = peer_cert_list[0].size;
750 der->bv_val = LDAP_MALLOC( der->bv_len );
753 memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
758 tlsg_session_pinning( LDAP *ld, tls_session *sess, char *hashalg, struct berval *hash )
760 tlsg_session *s = (tlsg_session *)sess;
761 const gnutls_datum_t *cert_list;
762 unsigned int cert_list_size = 0;
763 gnutls_x509_crt_t crt;
764 gnutls_pubkey_t pubkey;
765 gnutls_datum_t key = {};
766 gnutls_digest_algorithm_t alg;
767 struct berval keyhash;
772 alg = gnutls_digest_get_id( hashalg );
773 if ( alg == GNUTLS_DIG_UNKNOWN ) {
774 Debug( LDAP_DEBUG_ANY, "tlsg_session_pinning: "
775 "unknown hashing algorithm for GnuTLS: '%s'\n",
781 cert_list = gnutls_certificate_get_peers( s->session, &cert_list_size );
782 if ( cert_list_size == 0 ) {
786 if ( gnutls_x509_crt_init( &crt ) < 0 ) {
790 if ( gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER ) ) {
794 if ( gnutls_pubkey_init( &pubkey ) ) {
798 if ( gnutls_pubkey_import_x509( pubkey, crt, 0 ) < 0 ) {
802 gnutls_pubkey_export( pubkey, GNUTLS_X509_FMT_DER, key.data, &len );
807 key.data = LDAP_MALLOC( len );
814 if ( gnutls_pubkey_export( pubkey, GNUTLS_X509_FMT_DER,
815 key.data, &len ) < 0 ) {
820 keyhash.bv_len = gnutls_hash_get_len( alg );
821 keyhash.bv_val = LDAP_MALLOC( keyhash.bv_len );
822 if ( !keyhash.bv_val || gnutls_fingerprint( alg, &key,
823 keyhash.bv_val, &keyhash.bv_len ) < 0 ) {
827 keyhash.bv_val = (char *)key.data;
828 keyhash.bv_len = key.size;
831 if ( ber_bvcmp( hash, &keyhash ) ) {
832 rc = LDAP_CONNECT_ERROR;
833 Debug( LDAP_DEBUG_ANY, "tlsg_session_pinning: "
834 "public key hash does not match provided pin.\n", 0, 0, 0 );
835 if ( ld->ld_error ) {
836 LDAP_FREE( ld->ld_error );
838 ld->ld_error = LDAP_STRDUP(
839 _("TLS: public key hash does not match provided pin"));
846 gnutls_pubkey_deinit( pubkey );
849 gnutls_x509_crt_deinit( crt );
851 if ( keyhash.bv_val != (char *)key.data ) {
852 LDAP_FREE( keyhash.bv_val );
855 LDAP_FREE( key.data );
860 /* suites is a string of colon-separated cipher suite names. */
862 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
865 int rc = gnutls_priority_init( &ctx->prios, suites, &err );
872 * TLS support for LBER Sockbufs
876 tlsg_session *session;
877 Sockbuf_IO_Desc *sbiod;
881 tlsg_recv( gnutls_transport_ptr_t ptr, void *buf, size_t len )
885 if ( buf == NULL || len <= 0 ) return 0;
887 p = (struct tls_data *)ptr;
889 if ( p == NULL || p->sbiod == NULL ) {
893 return LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
897 tlsg_send( gnutls_transport_ptr_t ptr, const void *buf, size_t len )
901 if ( buf == NULL || len <= 0 ) return 0;
903 p = (struct tls_data *)ptr;
905 if ( p == NULL || p->sbiod == NULL ) {
909 return LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
913 tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
916 tlsg_session *session = arg;
918 assert( sbiod != NULL );
920 p = LBER_MALLOC( sizeof( *p ) );
925 gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr_t)p );
926 gnutls_transport_set_pull_function( session->session, tlsg_recv );
927 gnutls_transport_set_push_function( session->session, tlsg_send );
928 p->session = session;
930 sbiod->sbiod_pvt = p;
935 tlsg_sb_remove( Sockbuf_IO_Desc *sbiod )
939 assert( sbiod != NULL );
940 assert( sbiod->sbiod_pvt != NULL );
942 p = (struct tls_data *)sbiod->sbiod_pvt;
943 gnutls_deinit ( p->session->session );
944 LBER_FREE( p->session );
945 LBER_FREE( sbiod->sbiod_pvt );
946 sbiod->sbiod_pvt = NULL;
951 tlsg_sb_close( Sockbuf_IO_Desc *sbiod )
955 assert( sbiod != NULL );
956 assert( sbiod->sbiod_pvt != NULL );
958 p = (struct tls_data *)sbiod->sbiod_pvt;
959 gnutls_bye ( p->session->session, GNUTLS_SHUT_WR );
964 tlsg_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
968 assert( sbiod != NULL );
969 assert( sbiod->sbiod_pvt != NULL );
971 p = (struct tls_data *)sbiod->sbiod_pvt;
973 if ( opt == LBER_SB_OPT_GET_SSL ) {
974 *((tlsg_session **)arg) = p->session;
977 } else if ( opt == LBER_SB_OPT_DATA_READY ) {
978 if( gnutls_record_check_pending( p->session->session ) > 0 ) {
983 return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
987 tlsg_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
992 assert( sbiod != NULL );
993 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
995 p = (struct tls_data *)sbiod->sbiod_pvt;
997 ret = gnutls_record_recv ( p->session->session, buf, len );
999 case GNUTLS_E_INTERRUPTED:
1000 case GNUTLS_E_AGAIN:
1001 sbiod->sbiod_sb->sb_trans_needs_read = 1;
1002 sock_errset(EWOULDBLOCK);
1005 case GNUTLS_E_REHANDSHAKE:
1006 for ( ret = gnutls_handshake ( p->session->session );
1007 ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN;
1008 ret = gnutls_handshake ( p->session->session ) );
1009 sbiod->sbiod_sb->sb_trans_needs_read = 1;
1013 sbiod->sbiod_sb->sb_trans_needs_read = 0;
1019 tlsg_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
1024 assert( sbiod != NULL );
1025 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
1027 p = (struct tls_data *)sbiod->sbiod_pvt;
1029 ret = gnutls_record_send ( p->session->session, (char *)buf, len );
1031 if ( ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN ) {
1032 sbiod->sbiod_sb->sb_trans_needs_write = 1;
1033 sock_errset(EWOULDBLOCK);
1036 sbiod->sbiod_sb->sb_trans_needs_write = 0;
1041 static Sockbuf_IO tlsg_sbio =
1043 tlsg_sb_setup, /* sbi_setup */
1044 tlsg_sb_remove, /* sbi_remove */
1045 tlsg_sb_ctrl, /* sbi_ctrl */
1046 tlsg_sb_read, /* sbi_read */
1047 tlsg_sb_write, /* sbi_write */
1048 tlsg_sb_close /* sbi_close */
1051 /* Certs are not automatically varified during the handshake */
1053 tlsg_cert_verify( tlsg_session *ssl )
1055 unsigned int status = 0;
1057 time_t now = time(0);
1060 err = gnutls_certificate_verify_peers2( ssl->session, &status );
1062 Debug( LDAP_DEBUG_ANY,"TLS: gnutls_certificate_verify_peers2 failed %d\n",
1067 Debug( LDAP_DEBUG_TRACE,"TLS: peer cert untrusted or revoked (0x%x)\n",
1071 peertime = gnutls_certificate_expiration_time_peers( ssl->session );
1072 if ( peertime == (time_t) -1 ) {
1073 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_expiration_time_peers failed\n",
1077 if ( peertime < now ) {
1078 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
1082 peertime = gnutls_certificate_activation_time_peers( ssl->session );
1083 if ( peertime == (time_t) -1 ) {
1084 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_activation_time_peers failed\n",
1088 if ( peertime > now ) {
1089 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
1096 tls_impl ldap_int_tls_impl = {
1108 tlsg_session_connect,
1109 tlsg_session_accept,
1110 tlsg_session_upflags,
1111 tlsg_session_errmsg,
1113 tlsg_session_peer_dn,
1114 tlsg_session_chkhost,
1115 tlsg_session_strength,
1116 tlsg_session_unique,
1117 tlsg_session_version,
1118 tlsg_session_cipher,
1119 tlsg_session_peercert,
1120 tlsg_session_pinning,
1124 #ifdef LDAP_R_COMPILE
1133 #endif /* HAVE_GNUTLS */