]> git.sur5r.net Git - openldap/blobdiff - libraries/libldap/tls_g.c
projects / openldap / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
ITS#8753 Public key pinning support in libldap
[openldap] / libraries / libldap / tls_g.c
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index fca7d67e0c1b01b186453a2c5b0ebb1db432c5f5..adcb6be04076a91d3a0bf94cf8357f4e51f5b9da 100644 (file)
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -2,7 +2,7 @@
 /* $OpenLDAP$ */
 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
  *
- * Copyright 2008-2015 The OpenLDAP Foundation.
+ * Copyright 2008-2017 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43,13 +43,15 @@
 
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
+#include <gnutls/abstract.h>
+#include <gnutls/crypto.h>
 
 typedef struct tlsg_ctx {
-       struct ldapoptions *lo;
        gnutls_certificate_credentials_t cred;
        gnutls_dh_params_t dh_params;
        unsigned long verify_depth;
        int refcount;
+       int reqcert;
        gnutls_priority_t prios;
 #ifdef LDAP_R_COMPILE
        ldap_pvt_thread_mutex_t ref_mutex;
@@ -141,7 +143,6 @@ tlsg_ctx_new ( struct ldapoptions *lo )
 
        ctx = ber_memcalloc ( 1, sizeof (*ctx) );
        if ( ctx ) {
-               ctx->lo = lo;
                if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
                        ber_memfree( ctx );
                        return NULL;
@@ -239,8 +240,19 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                        GNUTLS_X509_FMT_PEM );
                if ( rc < 0 ) return -1;
        }
+       if (lo->ldo_tls_cacert.bv_val != NULL ) {
+               gnutls_datum_t buf;
+               buf.data = (unsigned char *)lo->ldo_tls_cacert.bv_val;
+               buf.size = lo->ldo_tls_cacert.bv_len;
+               rc = gnutls_certificate_set_x509_trust_mem(
+                       ctx->cred,
+                       &buf,
+                       GNUTLS_X509_FMT_DER );
+               if ( rc < 0 ) return -1;
+       }
 
-       if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
+       if (( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) ||
+               ( lo->ldo_tls_cert.bv_val && lo->ldo_tls_key.bv_val )) {
                gnutls_x509_privkey_t key;
                gnutls_datum_t buf;
                gnutls_x509_crt_t certs[VERIFY_DEPTH];
@@ -254,18 +266,32 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                 * not, we have to build it ourselves. So we have to
                 * do some special checks here...
                 */
-               rc = tlsg_getfile( lt->lt_keyfile, &buf );
-               if ( rc ) return -1;
-               rc = gnutls_x509_privkey_import( key, &buf,
-                       GNUTLS_X509_FMT_PEM );
-               LDAP_FREE( buf.data );
+               if ( lo->ldo_tls_key.bv_val ) {
+                       buf.data = (unsigned char *)lo->ldo_tls_key.bv_val;
+                       buf.size = lo->ldo_tls_key.bv_len;
+                       rc = gnutls_x509_privkey_import( key, &buf,
+                               GNUTLS_X509_FMT_DER );
+               } else {
+                       rc = tlsg_getfile( lt->lt_keyfile, &buf );
+                       if ( rc ) return -1;
+                       rc = gnutls_x509_privkey_import( key, &buf,
+                               GNUTLS_X509_FMT_PEM );
+                       LDAP_FREE( buf.data );
+               }
                if ( rc < 0 ) return rc;
 
-               rc = tlsg_getfile( lt->lt_certfile, &buf );
-               if ( rc ) return -1;
-               rc = gnutls_x509_crt_list_import( certs, &max, &buf,
-                       GNUTLS_X509_FMT_PEM, 0 );
-               LDAP_FREE( buf.data );
+               if ( lo->ldo_tls_cert.bv_val ) {
+                       buf.data = (unsigned char *)lo->ldo_tls_cert.bv_val;
+                       buf.size = lo->ldo_tls_cert.bv_len;
+                       rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+                               GNUTLS_X509_FMT_DER, 0 );
+               } else {
+                       rc = tlsg_getfile( lt->lt_certfile, &buf );
+                       if ( rc ) return -1;
+                       rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+                               GNUTLS_X509_FMT_PEM, 0 );
+                       LDAP_FREE( buf.data );
+               }
                if ( rc < 0 ) return rc;
 
                /* If there's only one cert and it's not self-signed,
@@ -284,11 +310,16 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                }
                rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
                if ( rc ) return -1;
-       } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
-               Debug( LDAP_DEBUG_ANY, 
+       } else if (( lo->ldo_tls_certfile || lo->ldo_tls_keyfile )) {
+               Debug( LDAP_DEBUG_ANY,
                       "TLS: only one of certfile and keyfile specified\n",
                       NULL, NULL, NULL );
                return -1;
+       } else if (( lo->ldo_tls_cert.bv_val || lo->ldo_tls_key.bv_val )) {
+               Debug( LDAP_DEBUG_ANY,
+                      "TLS: only one of cert and key specified\n",
+                      NULL, NULL, NULL );
+               return -1;
        }
 
        if ( lo->ldo_tls_crlfile ) {
@@ -318,6 +349,9 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
                if ( rc ) return -1;
                gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
        }
+
+       ctx->reqcert = lo->ldo_tls_require_cert;
+
        return 0;
 }
 
@@ -339,10 +373,10 @@ tlsg_session_new ( tls_ctx * ctx, int is_server )
        
        if ( is_server ) {
                int flag = 0;
-               if ( c->lo->ldo_tls_require_cert ) {
+               if ( c->reqcert ) {
                        flag = GNUTLS_CERT_REQUEST;
-                       if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
-                               c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
+                       if ( c->reqcert == LDAP_OPT_X_TLS_DEMAND ||
+                               c->reqcert == LDAP_OPT_X_TLS_HARD )
                                flag = GNUTLS_CERT_REQUIRE;
                        gnutls_certificate_server_set_request( session->session, flag );
                }
@@ -356,18 +390,20 @@ tlsg_session_accept( tls_session *session )
        tlsg_session *s = (tlsg_session *)session;
        int rc;
 
-       rc = gnutls_handshake( s->session );
-       if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
+       for ( rc = gnutls_handshake ( s->session );
+             rc == GNUTLS_E_INTERRUPTED || rc == GNUTLS_E_AGAIN;
+             rc = gnutls_handshake ( s->session ) );
+       if ( rc == 0 && s->ctx->reqcert != LDAP_OPT_X_TLS_NEVER ) {
                const gnutls_datum_t *peer_cert_list;
                unsigned int list_size;
 
                peer_cert_list = gnutls_certificate_get_peers( s->session, 
                                                &list_size );
-               if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY ) 
+               if ( !peer_cert_list && s->ctx->reqcert == LDAP_OPT_X_TLS_TRY )
                        rc = 0;
                else {
                        rc = tlsg_cert_verify( s );
-                       if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
+                       if ( rc && s->ctx->reqcert == LDAP_OPT_X_TLS_ALLOW )
                                rc = 0;
                }
        }
@@ -718,6 +754,109 @@ tlsg_session_peercert( tls_session *sess, struct berval *der )
        return 0;
 }
 
+static int
+tlsg_session_pinning( LDAP *ld, tls_session *sess, char *hashalg, struct berval *hash )
+{
+       tlsg_session *s = (tlsg_session *)sess;
+       const gnutls_datum_t *cert_list;
+       unsigned int cert_list_size = 0;
+       gnutls_x509_crt_t crt;
+       gnutls_pubkey_t pubkey;
+       gnutls_datum_t key = {};
+       gnutls_digest_algorithm_t alg;
+       struct berval keyhash;
+       size_t len;
+       int rc = -1;
+
+       if ( hashalg ) {
+               alg = gnutls_digest_get_id( hashalg );
+               if ( alg == GNUTLS_DIG_UNKNOWN ) {
+                       Debug( LDAP_DEBUG_ANY, "tlsg_session_pinning: "
+                                       "unknown hashing algorithm for GnuTLS: '%s'\n",
+                                       hashalg, 0, 0 );
+                       return rc;
+               }
+       }
+
+       cert_list = gnutls_certificate_get_peers( s->session, &cert_list_size );
+       if ( cert_list_size == 0 ) {
+               return rc;
+       }
+
+       if ( gnutls_x509_crt_init( &crt ) < 0 ) {
+               return rc;
+       }
+
+       if ( gnutls_x509_crt_import( crt, &cert_list[0], GNUTLS_X509_FMT_DER ) ) {
+               goto done;
+       }
+
+       if ( gnutls_pubkey_init( &pubkey ) ) {
+               goto done;
+       }
+
+       if ( gnutls_pubkey_import_x509( pubkey, crt, 0 ) < 0 ) {
+               goto done;
+       }
+
+       gnutls_pubkey_export( pubkey, GNUTLS_X509_FMT_DER, key.data, &len );
+       if ( len <= 0 ) {
+               goto done;
+       }
+
+       key.data = LDAP_MALLOC( len );
+       if ( !key.data ) {
+               goto done;
+       }
+
+       key.size = len;
+
+       if ( gnutls_pubkey_export( pubkey, GNUTLS_X509_FMT_DER,
+                               key.data, &len ) < 0 ) {
+               goto done;
+       }
+
+       if ( hashalg ) {
+               keyhash.bv_len = gnutls_hash_get_len( alg );
+               keyhash.bv_val = LDAP_MALLOC( keyhash.bv_len );
+               if ( !keyhash.bv_val || gnutls_fingerprint( alg, &key,
+                                       keyhash.bv_val, &keyhash.bv_len ) < 0 ) {
+                       goto done;
+               }
+       } else {
+               keyhash.bv_val = (char *)key.data;
+               keyhash.bv_len = key.size;
+       }
+
+       if ( ber_bvcmp( hash, &keyhash ) ) {
+               rc = LDAP_CONNECT_ERROR;
+               Debug( LDAP_DEBUG_ANY, "tlsg_session_pinning: "
+                               "public key hash does not match provided pin.\n", 0, 0, 0 );
+               if ( ld->ld_error ) {
+                       LDAP_FREE( ld->ld_error );
+               }
+               ld->ld_error = LDAP_STRDUP(
+                       _("TLS: public key hash does not match provided pin"));
+       } else {
+               rc = LDAP_SUCCESS;
+       }
+
+done:
+       if ( pubkey ) {
+               gnutls_pubkey_deinit( pubkey );
+       }
+       if ( crt ) {
+               gnutls_x509_crt_deinit( crt );
+       }
+       if ( keyhash.bv_val != (char *)key.data ) {
+               LDAP_FREE( keyhash.bv_val );
+       }
+       if ( key.data ) {
+               LDAP_FREE( key.data );
+       }
+       return rc;
+}
+
 /* suites is a string of colon-separated cipher suite names. */
 static int
 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -783,7 +922,7 @@ tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
                return -1;
        }
        
-       gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
+       gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr_t)p );
        gnutls_transport_set_pull_function( session->session, tlsg_recv );
        gnutls_transport_set_push_function( session->session, tlsg_send );
        p->session = session;
@@ -978,6 +1117,7 @@ tls_impl ldap_int_tls_impl = {
        tlsg_session_version,
        tlsg_session_cipher,
        tlsg_session_peercert,
+       tlsg_session_pinning,
 
        &tlsg_sbio,
 
Cloned from git://git.openldap.org/openldap.git