/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2008-2015 The OpenLDAP Foundation.
+ * Copyright 2008-2017 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include <gnutls/crypto.h>
typedef struct tlsg_ctx {
- struct ldapoptions *lo;
gnutls_certificate_credentials_t cred;
gnutls_dh_params_t dh_params;
unsigned long verify_depth;
int refcount;
+ int reqcert;
gnutls_priority_t prios;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_t ref_mutex;
ctx = ber_memcalloc ( 1, sizeof (*ctx) );
if ( ctx ) {
- ctx->lo = lo;
if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
ber_memfree( ctx );
return NULL;
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
}
+ if (lo->ldo_tls_cacert.bv_val != NULL ) {
+ gnutls_datum_t buf;
+ buf.data = (unsigned char *)lo->ldo_tls_cacert.bv_val;
+ buf.size = lo->ldo_tls_cacert.bv_len;
+ rc = gnutls_certificate_set_x509_trust_mem(
+ ctx->cred,
+ &buf,
+ GNUTLS_X509_FMT_DER );
+ if ( rc < 0 ) return -1;
+ }
- if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
+ if (( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) ||
+ ( lo->ldo_tls_cert.bv_val && lo->ldo_tls_key.bv_val )) {
gnutls_x509_privkey_t key;
gnutls_datum_t buf;
gnutls_x509_crt_t certs[VERIFY_DEPTH];
* not, we have to build it ourselves. So we have to
* do some special checks here...
*/
- rc = tlsg_getfile( lt->lt_keyfile, &buf );
- if ( rc ) return -1;
- rc = gnutls_x509_privkey_import( key, &buf,
- GNUTLS_X509_FMT_PEM );
- LDAP_FREE( buf.data );
+ if ( lo->ldo_tls_key.bv_val ) {
+ buf.data = (unsigned char *)lo->ldo_tls_key.bv_val;
+ buf.size = lo->ldo_tls_key.bv_len;
+ rc = gnutls_x509_privkey_import( key, &buf,
+ GNUTLS_X509_FMT_DER );
+ } else {
+ rc = tlsg_getfile( lt->lt_keyfile, &buf );
+ if ( rc ) return -1;
+ rc = gnutls_x509_privkey_import( key, &buf,
+ GNUTLS_X509_FMT_PEM );
+ LDAP_FREE( buf.data );
+ }
if ( rc < 0 ) return rc;
- rc = tlsg_getfile( lt->lt_certfile, &buf );
- if ( rc ) return -1;
- rc = gnutls_x509_crt_list_import( certs, &max, &buf,
- GNUTLS_X509_FMT_PEM, 0 );
- LDAP_FREE( buf.data );
+ if ( lo->ldo_tls_cert.bv_val ) {
+ buf.data = (unsigned char *)lo->ldo_tls_cert.bv_val;
+ buf.size = lo->ldo_tls_cert.bv_len;
+ rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+ GNUTLS_X509_FMT_DER, 0 );
+ } else {
+ rc = tlsg_getfile( lt->lt_certfile, &buf );
+ if ( rc ) return -1;
+ rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+ GNUTLS_X509_FMT_PEM, 0 );
+ LDAP_FREE( buf.data );
+ }
if ( rc < 0 ) return rc;
/* If there's only one cert and it's not self-signed,
}
rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
if ( rc ) return -1;
- } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
- Debug( LDAP_DEBUG_ANY,
+ } else if (( lo->ldo_tls_certfile || lo->ldo_tls_keyfile )) {
+ Debug( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n",
NULL, NULL, NULL );
return -1;
+ } else if (( lo->ldo_tls_cert.bv_val || lo->ldo_tls_key.bv_val )) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: only one of cert and key specified\n",
+ NULL, NULL, NULL );
+ return -1;
}
if ( lo->ldo_tls_crlfile ) {
if ( rc ) return -1;
gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
}
+
+ ctx->reqcert = lo->ldo_tls_require_cert;
+
return 0;
}
if ( is_server ) {
int flag = 0;
- if ( c->lo->ldo_tls_require_cert ) {
+ if ( c->reqcert ) {
flag = GNUTLS_CERT_REQUEST;
- if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
- c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
+ if ( c->reqcert == LDAP_OPT_X_TLS_DEMAND ||
+ c->reqcert == LDAP_OPT_X_TLS_HARD )
flag = GNUTLS_CERT_REQUIRE;
gnutls_certificate_server_set_request( session->session, flag );
}
tlsg_session *s = (tlsg_session *)session;
int rc;
- rc = gnutls_handshake( s->session );
- if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
+ for ( rc = gnutls_handshake ( s->session );
+ rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN;
+ rc = gnutls_handshake ( s->session ) );
+ if ( rc == 0 && s->ctx->reqcert != LDAP_OPT_X_TLS_NEVER ) {
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
- if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
+ if ( !peer_cert_list && s->ctx->reqcert == LDAP_OPT_X_TLS_TRY )
rc = 0;
else {
rc = tlsg_cert_verify( s );
- if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
+ if ( rc && s->ctx->reqcert == LDAP_OPT_X_TLS_ALLOW )
rc = 0;
}
}
return 0;
}
+static int
+tlsg_session_pinning( LDAP *ld, tls_session *sess, char *hashalg, struct berval *hash )
+{
+ tlsg_session *s = (tlsg_session *)sess;
+ const gnutls_datum_t *cert_list;
+ unsigned int cert_list_size = 0;
+ gnutls_x509_crt_t crt;
+ gnutls_pubkey_t pubkey;
+ gnutls_datum_t key = {};
+ gnutls_digest_algorithm_t alg;
+ struct berval keyhash;
+ size_t len;
+ int rc = -1;
+
+ if ( hashalg ) {
+ alg = gnutls_digest_get_id( hashalg );
+ if ( alg == GNUTLS_DIG_UNKNOWN ) {
+ Debug( LDAP_DEBUG_ANY, "tlsg_session_pinning: "
+ "unknown hashing algorithm for GnuTLS: '%s'\n",
+ hashalg, 0, 0 );
+ return rc;
+ }
+ }
+
+ cert_list = gnutls_certificate_get_peers( s->session, &cert_list_size );
+ if ( cert_list_size == 0 ) {
+ return rc;
+ }
+
+ if ( gnutls_x509_crt_init( &crt ) < 0 ) {
+ return rc;
+ }
+
+ if ( gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER ) ) {
+ goto done;
+ }
+
+ if ( gnutls_pubkey_init( &pubkey ) ) {
+ goto done;
+ }
+
+ if ( gnutls_pubkey_import_x509( pubkey, crt, 0 ) < 0 ) {
+ goto done;
+ }
+
+ gnutls_pubkey_export( pubkey, GNUTLS_X509_FMT_DER, key.data, &len );
+ if ( len <= 0 ) {
+ goto done;
+ }
+
+ key.data = LDAP_MALLOC( len );
+ if ( !key.data ) {
+ goto done;
+ }
+
+ key.size = len;
+
+ if ( gnutls_pubkey_export( pubkey, GNUTLS_X509_FMT_DER,
+ key.data, &len ) < 0 ) {
+ goto done;
+ }
+
+ if ( hashalg ) {
+ keyhash.bv_len = gnutls_hash_get_len( alg );
+ keyhash.bv_val = LDAP_MALLOC( keyhash.bv_len );
+ if ( !keyhash.bv_val || gnutls_fingerprint( alg, &key,
+ keyhash.bv_val, &keyhash.bv_len ) < 0 ) {
+ goto done;
+ }
+ } else {
+ keyhash.bv_val = (char *)key.data;
+ keyhash.bv_len = key.size;
+ }
+
+ if ( ber_bvcmp( hash, &keyhash ) ) {
+ rc = LDAP_CONNECT_ERROR;
+ Debug( LDAP_DEBUG_ANY, "tlsg_session_pinning: "
+ "public key hash does not match provided pin.\n", 0, 0, 0 );
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: public key hash does not match provided pin"));
+ } else {
+ rc = LDAP_SUCCESS;
+ }
+
+done:
+ if ( pubkey ) {
+ gnutls_pubkey_deinit( pubkey );
+ }
+ if ( crt ) {
+ gnutls_x509_crt_deinit( crt );
+ }
+ if ( keyhash.bv_val != (char *)key.data ) {
+ LDAP_FREE( keyhash.bv_val );
+ }
+ if ( key.data ) {
+ LDAP_FREE( key.data );
+ }
+ return rc;
+}
+
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
return -1;
}
- gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
+ gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr_t)p );
gnutls_transport_set_pull_function( session->session, tlsg_recv );
gnutls_transport_set_push_function( session->session, tlsg_send );
p->session = session;
tlsg_session_version,
tlsg_session_cipher,
tlsg_session_peercert,
+ tlsg_session_pinning,
&tlsg_sbio,