upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2026-01-03 21:50:49 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Modular TLS support, proof of concept. tls2.c would replace tls.c,

Browse source 
but I'm leaving tls.c intact for now.
This commit is contained in:
Howard Chu 2008-08-13 16:18:51 +00:00
parent c97ef0a708
commit a225b02f17
6 changed files with 4387 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
libraries/libldap/ldap-int.h
View file

@ -154,9 +154,8 @@ struct ldaptls {
char *lt_cacertfile;
char *lt_cacertdir;
char *lt_ciphersuite;
#ifdef HAVE_GNUTLS
char *lt_crlfile;
#endif
char *lt_randfile; /* OpenSSL only */
};
#endif
@ -200,8 +199,10 @@ struct ldapoptions {
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
#define ldo_tls_crlfile ldo_tls_info.lt_crlfile
#define ldo_tls_randfile ldo_tls_info.lt_randfile
int ldo_tls_mode;
int ldo_tls_require_cert;
int ldo_tls_impl;
#ifdef HAVE_OPENSSL_CRL
int ldo_tls_crlcheck;
#endif

78
libraries/libldap/ldap-tls.h Normal file
View file

@ -0,0 +1,78 @@
/* ldap-tls.h - TLS defines & prototypes internal to the LDAP library */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2008 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
#ifndef _LDAP_TLS_H
#define _LDAP_TLS_H 1
struct tls_impl;
typedef struct tls_ctx {
struct tls_impl *tc_impl;
} tls_ctx;
typedef struct tls_session {
struct tls_impl *ts_impl;
void *ts_session;
} tls_session;
typedef int (TI_tls_init)(void);
typedef void (TI_tls_destroy)(void);
typedef tls_ctx *(TI_ctx_new)(struct ldapoptions *lo);
typedef void (TI_ctx_ref)(tls_ctx *ctx);
typedef void (TI_ctx_free)(tls_ctx *ctx);
typedef int (TI_ctx_init)(struct ldapoptions *lo, struct ldaptls *lt, int is_server);
typedef tls_session *(TI_session_new)(tls_ctx *ctx, int is_server);
typedef int (TI_session_connect)(LDAP *ld, tls_session *s);
typedef int (TI_session_accept)(tls_session *s);
typedef int (TI_session_upflags)(Sockbuf *sb, tls_session *s, int rc);
typedef char *(TI_session_errmsg)(int rc, char *buf, size_t len );
typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
typedef void (TI_thr_init)(void);
typedef struct tls_impl {
const char *ti_name;
TI_tls_init *ti_tls_init; /* library initialization */
TI_tls_destroy *ti_tls_destroy;
TI_ctx_new *ti_ctx_new;
TI_ctx_ref *ti_ctx_ref;
TI_ctx_free *ti_ctx_free;
TI_ctx_init *ti_ctx_init;
TI_session_new *ti_session_new;
TI_session_connect *ti_session_connect;
TI_session_accept *ti_session_accept;
TI_session_upflags *ti_session_upflags;
TI_session_errmsg *ti_session_errmsg;
TI_session_dn *ti_session_my_dn;
TI_session_dn *ti_session_peer_dn;
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
Sockbuf_IO *ti_sbio;
TI_thr_init *ti_thr_init;
int ti_inited;
} tls_impl;
#endif /* _LDAP_TLS_H */

1180
libraries/libldap/tls2.c Normal file
View file

File diff suppressed because it is too large Load diff

975
libraries/libldap/tls_g.c Normal file
View file

@ -0,0 +1,975 @@
/* tls_g.c - Handle tls/ssl using GNUTLS. */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2008 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
/* ACKNOWLEDGEMENTS: GNUTLS support written by Howard Chu and
* Matt Backes; sponsored by The Written Word (thewrittenword.com)
* and Stanford University (stanford.edu).
*/
#include "portable.h"
#ifdef HAVE_GNUTLS
#include "ldap_config.h"
#include <stdio.h>
#include <ac/stdlib.h>
#include <ac/errno.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/ctype.h>
#include <ac/time.h>
#include <ac/unistd.h>
#include <ac/param.h>
#include <ac/dirent.h>
#include "ldap-int.h"
#include "ldap-tls.h"
#ifdef LDAP_R_COMPILE
#include <ldap_pvt_thread.h>
#endif
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gcrypt.h>
#define DH_BITS (1024)
typedef struct tls_cipher_suite {
const char *name;
gnutls_kx_algorithm_t kx;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
gnutls_protocol_t version;
} tls_cipher_suite;
typedef struct tlsg_ctx {
tls_impl *tc_impl;
struct ldapoptions *lo;
gnutls_certificate_credentials_t cred;
gnutls_dh_params_t dh_params;
unsigned long verify_depth;
int refcount;
int *kx_list;
int *cipher_list;
int *mac_list;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_t ref_mutex;
#endif
} tlsg_ctx;
typedef struct tlsg_session {
tls_impl *ts_impl;
gnutls_session_t session;
tlsg_ctx *ctx;
struct berval peer_der_dn;
} tlsg_session;
static tls_cipher_suite *tlsg_ciphers;
static int tlsg_n_ciphers;
static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
static int tlsg_cert_verify( tlsg_session *s );
extern tls_impl ldap_int_gnutls_impl;
#ifdef LDAP_R_COMPILE
static int
tlsg_mutex_init( void **priv )
{
int err = 0;
ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
if ( !lock )
err = ENOMEM;
if ( !err ) {
err = ldap_pvt_thread_mutex_init( lock );
if ( err )
LDAP_FREE( lock );
else
*priv = lock;
}
return err;
}
static int
tlsg_mutex_destroy( void **lock )
{
int err = ldap_pvt_thread_mutex_destroy( *lock );
LDAP_FREE( *lock );
return err;
}
static int
tlsg_mutex_lock( void **lock )
{
return ldap_pvt_thread_mutex_lock( *lock );
}
static int
tlsg_mutex_unlock( void **lock )
{
return ldap_pvt_thread_mutex_unlock( *lock );
}
static struct gcry_thread_cbs tlsg_thread_cbs = {
GCRY_THREAD_OPTION_USER,
NULL,
tlsg_mutex_init,
tlsg_mutex_destroy,
tlsg_mutex_lock,
tlsg_mutex_unlock,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
};
static void
tlsg_thr_init( void )
{
gcry_control (GCRYCTL_SET_THREAD_CBS, &tlsg_thread_cbs);
}
#endif /* LDAP_R_COMPILE */
/*
* Initialize TLS subsystem. Should be called only once.
*/
static int
tlsg_init( void )
{
gnutls_global_init();
/* GNUtls cipher suite handling: The library ought to parse suite
* names for us, but it doesn't. It will return a list of suite names
* that it supports, so we can do parsing ourselves. It ought to tell
* us how long the list is, but it doesn't do that either, so we just
* have to count it manually...
*/
{
int i = 0;
tls_cipher_suite *ptr, tmp;
char cs_id[2];
while ( gnutls_cipher_suite_info( i, cs_id, &tmp.kx, &tmp.cipher,
&tmp.mac, &tmp.version ))
i++;
tlsg_n_ciphers = i;
/* Store a copy */
tlsg_ciphers = LDAP_MALLOC(tlsg_n_ciphers * sizeof(tls_cipher_suite));
if ( !tlsg_ciphers )
return -1;
for ( i=0; i<tlsg_n_ciphers; i++ ) {
tlsg_ciphers[i].name = gnutls_cipher_suite_info( i, cs_id,
&tlsg_ciphers[i].kx, &tlsg_ciphers[i].cipher, &tlsg_ciphers[i].mac,
&tlsg_ciphers[i].version );
}
}
return 0;
}
/*
* Tear down the TLS subsystem. Should only be called once.
*/
static void
tlsg_destroy( void )
{
LDAP_FREE( tlsg_ciphers );
tlsg_ciphers = NULL;
tlsg_n_ciphers = 0;
gnutls_global_deinit();
}
static tls_ctx *
tlsg_ctx_new ( struct ldapoptions *lo )
{
tlsg_ctx *ctx;
ctx = ber_memcalloc ( 1, sizeof (*ctx) );
if ( ctx ) {
ctx->lo = lo;
if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
ber_memfree( ctx );
return NULL;
}
ctx->tc_impl = &ldap_int_gnutls_impl;
ctx->refcount = 1;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
#endif
}
return (tls_ctx *)ctx;
}
static void
tlsg_ctx_ref( tls_ctx *ctx )
{
tlsg_ctx *c = (tlsg_ctx *)ctx;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &c->ref_mutex );
#endif
c->refcount++;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &c->ref_mutex );
#endif
}
static void
tlsg_ctx_free ( tls_ctx *ctx )
{
tlsg_ctx *c = (tlsg_ctx *)ctx;
int refcount;
if ( !c ) return;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &c->ref_mutex );
#endif
refcount = --c->refcount;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &c->ref_mutex );
#endif
if ( refcount )
return;
LDAP_FREE( c->kx_list );
gnutls_certificate_free_credentials( c->cred );
ber_memfree ( c );
}
/*
* initialize a new TLS context
*/
static int
tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
{
tlsg_ctx *ctx = lo->ldo_tls_ctx;
int rc;
if ( lo->ldo_tls_ciphersuite &&
tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list %s.\n",
lo->ldo_tls_ciphersuite, 0, 0 );
return -1;
}
if (lo->ldo_tls_cacertdir != NULL) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: cacertdir not implemented for gnutls\n",
NULL, NULL, NULL );
}
if (lo->ldo_tls_cacertfile != NULL) {
rc = gnutls_certificate_set_x509_trust_file(
ctx->cred,
lt->lt_cacertfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
}
if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
rc = gnutls_certificate_set_x509_key_file(
ctx->cred,
lt->lt_certfile,
lt->lt_keyfile,
GNUTLS_X509_FMT_PEM );
if ( rc ) return -1;
} else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n",
NULL, NULL, NULL );
return -1;
}
if ( lo->ldo_tls_dhfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: ignoring dhfile\n",
NULL, NULL, NULL );
}
if ( lo->ldo_tls_crlfile ) {
rc = gnutls_certificate_set_x509_crl_file(
ctx->cred,
lt->lt_crlfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
rc = 0;
}
if ( is_server ) {
gnutls_dh_params_init(&ctx->dh_params);
gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
}
return 0;
}
static tls_session *
tlsg_session_new ( tls_ctx * ctx, int is_server )
{
tlsg_ctx *c = (tlsg_ctx *)ctx;
tlsg_session *session;
session = ber_memcalloc ( 1, sizeof (*session) );
if ( !session )
return NULL;
session->ctx = c;
session->ts_impl = &ldap_int_gnutls_impl;
gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
gnutls_set_default_priority( session->session );
if ( c->kx_list ) {
gnutls_kx_set_priority( session->session, c->kx_list );
gnutls_cipher_set_priority( session->session, c->cipher_list );
gnutls_mac_set_priority( session->session, c->mac_list );
}
if ( c->cred )
gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
if ( is_server ) {
int flag = 0;
if ( c->lo->ldo_tls_require_cert ) {
flag = GNUTLS_CERT_REQUEST;
if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
flag = GNUTLS_CERT_REQUIRE;
gnutls_certificate_server_set_request( session->session, flag );
}
}
return (tls_session *)session;
}
static int
tlsg_session_accept( tls_session *session )
{
tlsg_session *s = (tlsg_session *)session;
int rc;
rc = gnutls_handshake( s->session );
if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
rc = tlsg_cert_verify( s );
if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
rc = 0;
}
return rc;
}
static int
tlsg_session_connect( LDAP *ld, tls_session *session )
{
return tlsg_session_accept( session);
}
static int
tlsg_session_upflags( Sockbuf *sb, tls_session *session, int rc )
{
tlsg_session *s = (tlsg_session *)session;
if ( rc != GNUTLS_E_INTERRUPTED && rc != GNUTLS_E_AGAIN )
return 0;
switch (gnutls_record_get_direction (s->session)) {
case 0:
sb->sb_trans_needs_read = 1;
return 1;
case 1:
sb->sb_trans_needs_write = 1;
return 1;
}
return 0;
}
static char *
tlsg_session_errmsg( int rc, char *buf, size_t len )
{
return (char *)gnutls_strerror( rc );
}
static void
tlsg_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
{
BerElementBuffer berbuf;
BerElement *ber = (BerElement *)&berbuf;
ber_tag_t tag;
ber_len_t len;
ber_int_t i;
ber_init2( ber, cert, LBER_USE_DER );
tag = ber_skip_tag( ber, &len ); /* Sequence */
tag = ber_skip_tag( ber, &len ); /* Sequence */
tag = ber_skip_tag( ber, &len ); /* Context + Constructed (version) */
if ( tag == 0xa0 ) /* Version is optional */
tag = ber_get_int( ber, &i ); /* Int: Version */
tag = ber_get_int( ber, &i ); /* Int: Serial */
tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
ber_skip_data( ber, len );
if ( !get_subject ) {
tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
} else {
tag = ber_skip_tag( ber, &len );
ber_skip_data( ber, len );
tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
ber_skip_data( ber, len );
tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
}
len = ber_ptrlen( ber );
dn->bv_val = cert->bv_val + len;
dn->bv_len = cert->bv_len - len;
}
static int
tlsg_session_my_dn( tls_session *session, struct berval *der_dn )
{
tlsg_session *s = (tlsg_session *)session;
const gnutls_datum_t *x;
struct berval bv;
x = gnutls_certificate_get_ours( s->session );
if (!x) return LDAP_INVALID_CREDENTIALS;
bv.bv_val = x->data;
bv.bv_len = x->size;
tlsg_x509_cert_dn( &bv, der_dn, 1 );
return 0;
}
static int
tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
{
tlsg_session *s = (tlsg_session *)session;
if ( !s->peer_der_dn.bv_val ) {
const gnutls_datum_t *peer_cert_list;
int list_size;
struct berval bv;
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
bv.bv_len = peer_cert_list->size;
bv.bv_val = peer_cert_list->data;
tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
}
*der_dn = s->peer_der_dn;
return 0;
}
/* what kind of hostname were we given? */
#define IS_DNS 0
#define IS_IP4 1
#define IS_IP6 2
#define CN_OID "2.5.4.3"
static int
tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{
tlsg_session *s = (tlsg_session *)session;
int i, ret;
const gnutls_datum_t *peer_cert_list;
int list_size;
struct berval bv;
char altname[NI_MAXHOST];
size_t altnamesize;
gnutls_x509_crt_t cert;
gnutls_datum_t *x;
const char *name;
char *ptr;
char *domain = NULL;
#ifdef LDAP_PF_INET6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
int n, len1 = 0, len2 = 0;
int ntype = IS_DNS;
time_t now = time(0);
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
{
name = ldap_int_hostname;
} else {
name = name_in;
}
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
if ( !peer_cert_list ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get peer certificate.\n",
0, 0, 0 );
/* If this was a fatal condition, things would have
* aborted long before now.
*/
return LDAP_SUCCESS;
}
ret = gnutls_x509_crt_init( &cert );
if ( ret < 0 )
return LDAP_LOCAL_ERROR;
ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
if ( ret ) {
gnutls_x509_crt_deinit( cert );
return LDAP_LOCAL_ERROR;
}
#ifdef LDAP_PF_INET6
if (name[0] == '[' && strchr(name, ']')) {
char *n2 = ldap_strdup(name+1);
*strchr(n2, ']') = 2;
if (inet_pton(AF_INET6, n2, &addr))
ntype = IS_IP6;
LDAP_FREE(n2);
} else
#endif
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
if (ntype == IS_DNS) {
len1 = strlen(name);
domain = strchr(name, '.');
if (domain) {
len2 = len1 - (domain-name);
}
}
for ( i=0, ret=0; ret >= 0; i++ ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
altname, &altnamesize, NULL );
if ( ret < 0 ) break;
/* ignore empty */
if ( altnamesize == 0 ) continue;
if ( ret == GNUTLS_SAN_DNSNAME ) {
if (ntype != IS_DNS) continue;
/* Is this an exact match? */
if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
break;
}
/* Is this a wildcard match? */
if (domain && (altname[0] == '*') && (altname[1] == '.') &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
{
break;
}
} else if ( ret == GNUTLS_SAN_IPADDRESS ) {
if (ntype == IS_DNS) continue;
#ifdef LDAP_PF_INET6
if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
continue;
} else
#endif
if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
continue;
}
if (!memcmp(altname, &addr, altnamesize)) {
break;
}
}
}
if ( ret >= 0 ) {
ret = LDAP_SUCCESS;
} else {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
0, 0, altname, &altnamesize );
if ( ret < 0 ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
} else {
ret = LDAP_LOCAL_ERROR;
if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
ret = LDAP_SUCCESS;
} else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
/* Is this a wildcard match? */
if( domain &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
ret = LDAP_SUCCESS;
}
}
}
if( ret == LDAP_LOCAL_ERROR ) {
altname[altnamesize] = '\0';
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
name, altname, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
}
}
gnutls_x509_crt_deinit( cert );
return ret;
}
static int
tlsg_session_strength( tls_session *session )
{
tlsg_session *s = (tlsg_session *)session;
gnutls_cipher_algorithm_t c;
c = gnutls_cipher_get( s->session );
return gnutls_cipher_get_key_size( c ) * 8;
}
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
{
char *ptr, *end;
int i, j, len, num;
int *list, nkx = 0, ncipher = 0, nmac = 0;
int *kx, *cipher, *mac;
num = 0;
ptr = suites;
do {
end = strchr(ptr, ':');
if ( end )
len = end - ptr;
else
len = strlen(ptr);
for (i=0; i<tlsg_n_ciphers; i++) {
if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
num++;
break;
}
}
if ( i == tlsg_n_ciphers ) {
/* unrecognized cipher suite */
return -1;
}
ptr += len + 1;
} while (end);
/* Space for all 3 lists */
list = LDAP_MALLOC( (num+1) * sizeof(int) * 3 );
if ( !list )
return -1;
kx = list;
cipher = kx+num+1;
mac = cipher+num+1;
ptr = suites;
do {
end = strchr(ptr, ':');
if ( end )
len = end - ptr;
else
len = strlen(ptr);
for (i=0; i<tlsg_n_ciphers; i++) {
/* For each cipher suite, insert its algorithms into
* their respective priority lists. Make sure they
* only appear once in each list.
*/
if ( !strncasecmp( tlsg_ciphers[i].name, ptr, len )) {
for (j=0; j<nkx; j++)
if ( kx[j] == tlsg_ciphers[i].kx )
break;
if ( j == nkx )
kx[nkx++] = tlsg_ciphers[i].kx;
for (j=0; j<ncipher; j++)
if ( cipher[j] == tlsg_ciphers[i].cipher )
break;
if ( j == ncipher )
cipher[ncipher++] = tlsg_ciphers[i].cipher;
for (j=0; j<nmac; j++)
if ( mac[j] == tlsg_ciphers[i].mac )
break;
if ( j == nmac )
mac[nmac++] = tlsg_ciphers[i].mac;
break;
}
}
ptr += len + 1;
} while (end);
kx[nkx] = 0;
cipher[ncipher] = 0;
mac[nmac] = 0;
ctx->kx_list = kx;
ctx->cipher_list = cipher;
ctx->mac_list = mac;
return 0;
}
/*
* TLS support for LBER Sockbufs
*/
struct tls_data {
tlsg_session *session;
Sockbuf_IO_Desc *sbiod;
};
static ssize_t
tlsg_recv( gnutls_transport_ptr_t ptr, void *buf, size_t len )
{
struct tls_data *p;
if ( buf == NULL || len <= 0 ) return 0;
p = (struct tls_data *)ptr;
if ( p == NULL || p->sbiod == NULL ) {
return 0;
}
return LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
}
static ssize_t
tlsg_send( gnutls_transport_ptr_t ptr, const void *buf, size_t len )
{
struct tls_data *p;
if ( buf == NULL || len <= 0 ) return 0;
p = (struct tls_data *)ptr;
if ( p == NULL || p->sbiod == NULL ) {
return 0;
}
return LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
}
static int
tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
{
struct tls_data *p;
tlsg_session *session = arg;
assert( sbiod != NULL );
p = LBER_MALLOC( sizeof( *p ) );
if ( p == NULL ) {
return -1;
}
gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
gnutls_transport_set_pull_function( session->session, tlsg_recv );
gnutls_transport_set_push_function( session->session, tlsg_send );
p->session = session;
p->sbiod = sbiod;
sbiod->sbiod_pvt = p;
return 0;
}
static int
tlsg_sb_remove( Sockbuf_IO_Desc *sbiod )
{
struct tls_data *p;
assert( sbiod != NULL );
assert( sbiod->sbiod_pvt != NULL );
p = (struct tls_data *)sbiod->sbiod_pvt;
gnutls_deinit ( p->session->session );
LBER_FREE( p->session );
LBER_FREE( sbiod->sbiod_pvt );
sbiod->sbiod_pvt = NULL;
return 0;
}
static int
tlsg_sb_close( Sockbuf_IO_Desc *sbiod )
{
struct tls_data *p;
assert( sbiod != NULL );
assert( sbiod->sbiod_pvt != NULL );
p = (struct tls_data *)sbiod->sbiod_pvt;
gnutls_bye ( p->session->session, GNUTLS_SHUT_RDWR );
return 0;
}
static int
tlsg_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
{
struct tls_data *p;
assert( sbiod != NULL );
assert( sbiod->sbiod_pvt != NULL );
p = (struct tls_data *)sbiod->sbiod_pvt;
if ( opt == LBER_SB_OPT_GET_SSL ) {
*((tlsg_session **)arg) = p->session;
return 1;
} else if ( opt == LBER_SB_OPT_DATA_READY ) {
if( gnutls_record_check_pending( p->session->session ) > 0 ) {
return 1;
}
}
return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
}
static ber_slen_t
tlsg_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
{
struct tls_data *p;
ber_slen_t ret;
int err;
assert( sbiod != NULL );
assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
p = (struct tls_data *)sbiod->sbiod_pvt;
ret = gnutls_record_recv ( p->session->session, buf, len );
switch (ret) {
case GNUTLS_E_INTERRUPTED:
case GNUTLS_E_AGAIN:
sbiod->sbiod_sb->sb_trans_needs_read = 1;
sock_errset(EWOULDBLOCK);
ret = 0;
break;
case GNUTLS_E_REHANDSHAKE:
for ( ret = gnutls_handshake ( p->session->session );
ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN;
ret = gnutls_handshake ( p->session->session ) );
sbiod->sbiod_sb->sb_trans_needs_read = 1;
ret = 0;
break;
default:
sbiod->sbiod_sb->sb_trans_needs_read = 0;
}
return ret;
}
static ber_slen_t
tlsg_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
{
struct tls_data *p;
ber_slen_t ret;
int err;
assert( sbiod != NULL );
assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
p = (struct tls_data *)sbiod->sbiod_pvt;
ret = gnutls_record_send ( p->session->session, (char *)buf, len );
if ( ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN ) {
sbiod->sbiod_sb->sb_trans_needs_write = 1;
sock_errset(EWOULDBLOCK);
ret = 0;
} else {
sbiod->sbiod_sb->sb_trans_needs_write = 0;
}
return ret;
}
static Sockbuf_IO tlsg_sbio =
{
tlsg_sb_setup, /* sbi_setup */
tlsg_sb_remove, /* sbi_remove */
tlsg_sb_ctrl, /* sbi_ctrl */
tlsg_sb_read, /* sbi_read */
tlsg_sb_write, /* sbi_write */
tlsg_sb_close /* sbi_close */
};
/* Certs are not automatically varified during the handshake */
static int
tlsg_cert_verify( tlsg_session *ssl )
{
unsigned int status = 0;
int err;
time_t now = time(0);
err = gnutls_certificate_verify_peers2( ssl->session, &status );
if ( err < 0 ) {
Debug( LDAP_DEBUG_ANY,"TLS: gnutls_certificate_verify_peers2 failed %d\n",
err,0,0 );
return -1;
}
if ( status ) {
Debug( LDAP_DEBUG_TRACE,"TLS: peer cert untrusted or revoked (0x%x)\n",
status, 0,0 );
return -1;
}
if ( gnutls_certificate_expiration_time_peers( ssl->session ) < now ) {
Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
0, 0, 0 );
return -1;
}
if ( gnutls_certificate_activation_time_peers( ssl->session ) > now ) {
Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
0, 0, 0 );
return -1;
}
return 0;
}
tls_impl ldap_int_gnutls_impl = {
"GnuTLS",
tlsg_init,
tlsg_destroy,
tlsg_ctx_new,
tlsg_ctx_ref,
tlsg_ctx_free,
tlsg_ctx_init,
tlsg_session_new,
tlsg_session_connect,
tlsg_session_accept,
tlsg_session_upflags,
tlsg_session_errmsg,
tlsg_session_my_dn,
tlsg_session_peer_dn,
tlsg_session_chkhost,
tlsg_session_strength,
&tlsg_sbio,
#ifdef LDAP_R_COMPILE
tlsg_thr_init,
#else
NULL,
#endif
0
};
#endif /* HAVE_GNUTLS */

865
libraries/libldap/tls_m.c Normal file
View file

@ -0,0 +1,865 @@
/* tls_m.c - Handle tls/ssl using Mozilla NSS. */
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 2008 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
/* ACKNOWLEDGEMENTS: written by Howard Chu.
*/
#include "portable.h"
#ifdef HAVE_MOZNSS
#include "ldap_config.h"
#include <stdio.h>
#include <ac/stdlib.h>
#include <ac/errno.h>
#include <ac/socket.h>
#include <ac/string.h>
#include <ac/ctype.h>
#include <ac/time.h>
#include <ac/unistd.h>
#include <ac/param.h>
#include <ac/dirent.h>
#include "ldap-int.h"
#include "ldap-tls.h"
#ifdef LDAP_R_COMPILE
#include <ldap_pvt_thread.h>
#endif
#include <nspr.h>
#include <nss.h>
#include <ssl.h>
typedef struct tlsm_ctx {
tls_impl *tc_impl;
PRFileDesc *tc_model;
int tc_refcnt;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_t tc_refmutex;
#endif
} tlsm_ctx;
typedef struct tlsm_session {
tls_impl *ts_impl;
PRFileDesc *ts_session;
} tlsm_session;
static PRDescIdentity tlsm_layer_id;
static const PRIOMethods tlsm_PR_methods;
extern tls_impl ldap_int_moznss_impl;
#ifdef LDAP_R_COMPILE
static void
tlsm_thr_init( void )
{
}
#endif /* LDAP_R_COMPILE */
/*
* Initialize TLS subsystem. Should be called only once.
*/
static int
tlsm_init( void )
{
PR_Init(0, 0, 0);
tlsm_layer_id = PR_GetUniqueIdentity("OpenLDAP");
if ( !NSS_IsInitialized() ) {
NSS_NoDB_Init("");
NSS_SetDomesticPolicy();
}
/* No cipher suite handling for now */
return 0;
}
/*
* Tear down the TLS subsystem. Should only be called once.
*/
static void
tlsm_destroy( void )
{
NSS_Shutdown();
PR_Cleanup();
}
static tls_ctx *
tlsm_ctx_new ( struct ldapoptions *lo )
{
tlsm_ctx *ctx;
ctx = LDAP_MALLOC( sizeof (*ctx) );
if ( ctx ) {
PRFileDesc *fd = PR_CreateIOLayerStub(tlsm_layer_id, &tlsm_PR_methods);
if ( fd ) {
ctx->tc_model = SSL_ImportFD( NULL, fd );
if ( ctx->tc_model ) {
ctx->tc_impl = &ldap_int_moznss_impl;
ctx->tc_refcnt = 1;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_init( &ctx->tc_refmutex );
#endif
} else {
PR_DELETE( fd );
LDAP_FREE( ctx );
ctx = NULL;
}
} else {
LDAP_FREE( ctx );
ctx = NULL;
}
}
return (tls_ctx *)ctx;
}
static void
tlsm_ctx_ref( tls_ctx *ctx )
{
tlsm_ctx *c = (tlsm_ctx *)ctx;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &c->tc_refmutex );
#endif
c->tc_refcnt++;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &c->tc_refmutex );
#endif
}
static void
tlsm_ctx_free ( tls_ctx *ctx )
{
tlsm_ctx *c = (tlsm_ctx *)ctx;
int refcount;
if ( !c ) return;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_lock( &c->tc_refmutex );
#endif
refcount = --c->tc_refcnt;
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_unlock( &c->tc_refmutex );
#endif
if ( refcount )
return;
PR_Close( c->tc_model );
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_destroy( &c->tc_refmutex );
#endif
LDAP_FREE( c );
}
/*
* initialize a new TLS context
*/
static int
tlsm_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
{
tlsm_ctx *ctx = lo->ldo_tls_ctx;
int rc;
SSL_OptionSet( ctx->tc_model, SSL_SECURITY, PR_TRUE );
SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_CLIENT, !is_server );
SSL_OptionSet( ctx->tc_model, SSL_HANDSHAKE_AS_SERVER, is_server );
/* See SECMOD_OpenUserDB() */
#if 0
if ( lo->ldo_tls_ciphersuite &&
tlsm_parse_ciphers( ctx, lt->lt_ciphersuite )) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list %s.\n",
lo->ldo_tls_ciphersuite, 0, 0 );
return -1;
}
if (lo->ldo_tls_cacertdir != NULL) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: cacertdir not implemented for gnutls\n",
NULL, NULL, NULL );
}
if (lo->ldo_tls_cacertfile != NULL) {
rc = gnutls_certificate_set_x509_trust_file(
ctx->cred,
lt->lt_cacertfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
}
if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
rc = gnutls_certificate_set_x509_key_file(
ctx->cred,
lt->lt_certfile,
lt->lt_keyfile,
GNUTLS_X509_FMT_PEM );
if ( rc ) return -1;
} else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n",
NULL, NULL, NULL );
return -1;
}
if ( lo->ldo_tls_dhfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: ignoring dhfile\n",
NULL, NULL, NULL );
}
if ( lo->ldo_tls_crlfile ) {
rc = gnutls_certificate_set_x509_crl_file(
ctx->cred,
lt->lt_crlfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
rc = 0;
}
if ( is_server ) {
gnutls_dh_params_init(&ctx->dh_params);
gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
}
#endif
return 0;
}
static tls_session *
tlsm_session_new ( tls_ctx * ctx, int is_server )
{
tlsm_ctx *c = (tlsm_ctx *)ctx;
tlsm_session *session;
PRFileDesc *fd;
session = LDAP_MALLOC( sizeof (*session) );
if ( !session )
return NULL;
fd = PR_CreateIOLayerStub(tlsm_layer_id, &tlsm_PR_methods);
if ( !fd ) {
LDAP_FREE( session );
return NULL;
}
session->ts_session = SSL_ImportFD( c->tc_model, fd );
if ( !session->ts_session ) {
PR_DELETE( fd );
LDAP_FREE( session );
return NULL;
}
session->ts_impl = &ldap_int_moznss_impl;
SSL_ResetHandshake( session->ts_session, is_server );
return (tls_session *)session;
}
static int
tlsm_session_accept( tls_session *session )
{
tlsm_session *s = (tlsm_session *)session;
return SSL_ForceHandshake( s->ts_session );
}
static int
tlsm_session_connect( LDAP *ld, tls_session *session )
{
tlsm_session *s = (tlsm_session *)session;
int rc;
/* By default, NSS checks the cert hostname for us */
rc = SSL_SetURL( s->ts_session, ld->ld_options.ldo_defludp->lud_host );
return SSL_ForceHandshake( s->ts_session );
}
static int
tlsm_session_upflags( Sockbuf *sb, tls_session *session, int rc )
{
/* Should never happen */
rc = PR_GetError();
if ( rc != PR_PENDING_INTERRUPT_ERROR && rc != PR_WOULD_BLOCK_ERROR )
return 0;
return 0;
}
static char *
tlsm_session_errmsg( int rc, char *buf, size_t len )
{
int i;
rc = PR_GetError();
i = PR_GetErrorTextLength();
if ( i > len ) {
char *msg = LDAP_MALLOC( i+1 );
PR_GetErrorText( msg );
memcpy( buf, msg, len );
LDAP_FREE( msg );
} else if ( i ) {
PR_GetErrorText( buf );
}
return i ? buf : NULL;
}
static int
tlsm_session_my_dn( tls_session *session, struct berval *der_dn )
{
tlsm_session *s = (tlsm_session *)session;
CERTCertificate *cert;
cert = SSL_LocalCertificate( s->ts_session );
if (!cert) return LDAP_INVALID_CREDENTIALS;
der_dn->bv_val = cert->derSubject.data;
der_dn->bv_len = cert->derSubject.len;
CERT_DestroyCertificate( cert );
return 0;
}
static int
tlsm_session_peer_dn( tls_session *session, struct berval *der_dn )
{
tlsm_session *s = (tlsm_session *)session;
CERTCertificate *cert;
cert = SSL_PeerCertificate( s->ts_session );
if (!cert) return LDAP_INVALID_CREDENTIALS;
der_dn->bv_val = cert->derSubject.data;
der_dn->bv_len = cert->derSubject.len;
CERT_DestroyCertificate( cert );
return 0;
}
/* what kind of hostname were we given? */
#define IS_DNS 0
#define IS_IP4 1
#define IS_IP6 2
static int
tlsm_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{
/* NSS already does a hostname check */
#if 0
int i, ret;
const gnutls_datum_t *peer_cert_list;
int list_size;
struct berval bv;
char altname[NI_MAXHOST];
size_t altnamesize;
gnutls_x509_crt_t cert;
gnutls_datum_t *x;
const char *name;
char *ptr;
char *domain = NULL;
#ifdef LDAP_PF_INET6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
int n, len1 = 0, len2 = 0;
int ntype = IS_DNS;
time_t now = time(0);
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
{
name = ldap_int_hostname;
} else {
name = name_in;
}
peer_cert_list = gnutls_certificate_get_peers( session->session,
&list_size );
if ( !peer_cert_list ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get peer certificate.\n",
0, 0, 0 );
/* If this was a fatal condition, things would have
* aborted long before now.
*/
return LDAP_SUCCESS;
}
ret = gnutls_x509_crt_init( &cert );
if ( ret < 0 )
return LDAP_LOCAL_ERROR;
ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
if ( ret ) {
gnutls_x509_crt_deinit( cert );
return LDAP_LOCAL_ERROR;
}
#ifdef LDAP_PF_INET6
if (name[0] == '[' && strchr(name, ']')) {
char *n2 = ldap_strdup(name+1);
*strchr(n2, ']') = 2;
if (inet_pton(AF_INET6, n2, &addr))
ntype = IS_IP6;
LDAP_FREE(n2);
} else
#endif
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
if (ntype == IS_DNS) {
len1 = strlen(name);
domain = strchr(name, '.');
if (domain) {
len2 = len1 - (domain-name);
}
}
for ( i=0, ret=0; ret >= 0; i++ ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
altname, &altnamesize, NULL );
if ( ret < 0 ) break;
/* ignore empty */
if ( altnamesize == 0 ) continue;
if ( ret == GNUTLS_SAN_DNSNAME ) {
if (ntype != IS_DNS) continue;
/* Is this an exact match? */
if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
break;
}
/* Is this a wildcard match? */
if (domain && (altname[0] == '*') && (altname[1] == '.') &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
{
break;
}
} else if ( ret == GNUTLS_SAN_IPADDRESS ) {
if (ntype == IS_DNS) continue;
#ifdef LDAP_PF_INET6
if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
continue;
} else
#endif
if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
continue;
}
if (!memcmp(altname, &addr, altnamesize)) {
break;
}
}
}
if ( ret >= 0 ) {
ret = LDAP_SUCCESS;
} else {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
0, 0, altname, &altnamesize );
if ( ret < 0 ) {
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
} else {
ret = LDAP_LOCAL_ERROR;
if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
ret = LDAP_SUCCESS;
} else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
/* Is this a wildcard match? */
if( domain &&
(len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
ret = LDAP_SUCCESS;
}
}
}
if( ret == LDAP_LOCAL_ERROR ) {
altname[altnamesize] = '\0';
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
"common name in certificate (%s).\n",
name, altname, 0 );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
_("TLS: hostname does not match CN in peer certificate"));
}
}
gnutls_x509_crt_deinit( cert );
return ret;
#endif
}
static int
tlsm_session_strength( tls_session *session )
{
tlsm_session *s = (tlsm_session *)session;
int rc, keySize;
rc = SSL_SecurityStatus( s->ts_session, NULL, NULL, NULL, &keySize,
NULL, NULL );
return rc ? 0 : keySize;
}
/*
* TLS support for LBER Sockbufs
*/
struct tls_data {
tlsm_session *session;
Sockbuf_IO_Desc *sbiod;
};
static PRStatus PR_CALLBACK
tlsm_PR_Close(PRFileDesc *fd)
{
return PR_SUCCESS;
}
static int PR_CALLBACK
tlsm_PR_Recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags,
PRIntervalTime timeout)
{
struct tls_data *p;
if ( buf == NULL || len <= 0 ) return 0;
p = (struct tls_data *)fd->secret;
if ( p == NULL || p->sbiod == NULL ) {
return 0;
}
return LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
}
static int PR_CALLBACK
tlsm_PR_Send(PRFileDesc *fd, const void *buf, PRInt32 len, PRIntn flags,
PRIntervalTime timeout)
{
struct tls_data *p;
if ( buf == NULL || len <= 0 ) return 0;
p = (struct tls_data *)fd->secret;
if ( p == NULL || p->sbiod == NULL ) {
return 0;
}
return LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
}
static int PR_CALLBACK
tlsm_PR_Read(PRFileDesc *fd, void *buf, PRInt32 len)
{
return tlsm_PR_Recv( fd, buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
}
static int PR_CALLBACK
tlsm_PR_Write(PRFileDesc *fd, const void *buf, PRInt32 len)
{
return tlsm_PR_Send( fd, buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
}
static PRStatus PR_CALLBACK
tlsm_PR_GetPeerName(PRFileDesc *fd, PRNetAddr *addr)
{
struct tls_data *p;
int rc;
ber_socklen_t len;
p = (struct tls_data *)fd->secret;
if ( p == NULL || p->sbiod == NULL ) {
return PR_FAILURE;
}
len = sizeof(PRNetAddr);
return getpeername( p->sbiod->sbiod_sb->sb_fd, (struct sockaddr *)addr, &len );
}
static PRStatus PR_CALLBACK
tlsm_PR_prs_unimp()
{
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
return PR_FAILURE;
}
static PRFileDesc * PR_CALLBACK
tlsm_PR_pfd_unimp()
{
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
return NULL;
}
static PRInt16 PR_CALLBACK
tlsm_PR_i16_unimp()
{
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
return SECFailure;
}
static PRInt32 PR_CALLBACK
tlsm_PR_i32_unimp()
{
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
return SECFailure;
}
static PRInt64 PR_CALLBACK
tlsm_PR_i64_unimp()
{
PRInt64 res;
PR_SetError(PR_NOT_IMPLEMENTED_ERROR, 0);
LL_I2L(res, -1L);
return res;
}
static const PRIOMethods tlsm_PR_methods = {
PR_DESC_LAYERED,
tlsm_PR_Close, /* close */
tlsm_PR_Read, /* read */
tlsm_PR_Write, /* write */
tlsm_PR_i32_unimp, /* available */
tlsm_PR_i64_unimp, /* available64 */
tlsm_PR_prs_unimp, /* fsync */
tlsm_PR_i32_unimp, /* seek */
tlsm_PR_i64_unimp, /* seek64 */
tlsm_PR_prs_unimp, /* fileInfo */
tlsm_PR_prs_unimp, /* fileInfo64 */
tlsm_PR_i32_unimp, /* writev */
tlsm_PR_prs_unimp, /* connect */
tlsm_PR_pfd_unimp, /* accept */
tlsm_PR_prs_unimp, /* bind */
tlsm_PR_prs_unimp, /* listen */
(PRShutdownFN)tlsm_PR_Close, /* shutdown */
tlsm_PR_Recv, /* recv */
tlsm_PR_Send, /* send */
tlsm_PR_i32_unimp, /* recvfrom */
tlsm_PR_i32_unimp, /* sendto */
(PRPollFN)tlsm_PR_i16_unimp, /* poll */
tlsm_PR_i32_unimp, /* acceptread */
tlsm_PR_i32_unimp, /* transmitfile */
tlsm_PR_prs_unimp, /* getsockname */
tlsm_PR_GetPeerName, /* getpeername */
tlsm_PR_i32_unimp, /* getsockopt OBSOLETE */
tlsm_PR_i32_unimp, /* setsockopt OBSOLETE */
tlsm_PR_i32_unimp, /* getsocketoption */
tlsm_PR_i32_unimp, /* setsocketoption */
tlsm_PR_i32_unimp, /* Send a (partial) file with header/trailer*/
(PRConnectcontinueFN)tlsm_PR_prs_unimp, /* connectcontinue */
tlsm_PR_i32_unimp, /* reserved for future use */
tlsm_PR_i32_unimp, /* reserved for future use */
tlsm_PR_i32_unimp, /* reserved for future use */
tlsm_PR_i32_unimp /* reserved for future use */
};
static int
tlsm_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
{
struct tls_data *p;
tlsm_session *session = arg;
PRFileDesc *fd;
assert( sbiod != NULL );
p = LBER_MALLOC( sizeof( *p ) );
if ( p == NULL ) {
return -1;
}
fd = PR_GetIdentitiesLayer( session->ts_session, tlsm_layer_id );
if ( !fd ) {
LBER_FREE( p );
return -1;
}
fd->secret = (PRFilePrivate *)p;
p->session = session;
p->sbiod = sbiod;
sbiod->sbiod_pvt = p;
return 0;
}
static int
tlsm_sb_remove( Sockbuf_IO_Desc *sbiod )
{
struct tls_data *p;
assert( sbiod != NULL );
assert( sbiod->sbiod_pvt != NULL );
p = (struct tls_data *)sbiod->sbiod_pvt;
PR_Close( p->session->ts_session );
LBER_FREE( p->session );
LBER_FREE( sbiod->sbiod_pvt );
sbiod->sbiod_pvt = NULL;
return 0;
}
static int
tlsm_sb_close( Sockbuf_IO_Desc *sbiod )
{
struct tls_data *p;
assert( sbiod != NULL );
assert( sbiod->sbiod_pvt != NULL );
p = (struct tls_data *)sbiod->sbiod_pvt;
PR_Shutdown( p->session->ts_session, PR_SHUTDOWN_BOTH );
return 0;
}
static int
tlsm_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
{
struct tls_data *p;
assert( sbiod != NULL );
assert( sbiod->sbiod_pvt != NULL );
p = (struct tls_data *)sbiod->sbiod_pvt;
if ( opt == LBER_SB_OPT_GET_SSL ) {
*((tlsm_session **)arg) = p->session;
return 1;
} else if ( opt == LBER_SB_OPT_DATA_READY ) {
PRPollDesc pd = { p->session->ts_session, PR_POLL_READ, 0 };
if( PR_Poll( &pd, 1, 1 ) > 0 ) {
return 1;
}
}
return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
}
static ber_slen_t
tlsm_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
{
struct tls_data *p;
ber_slen_t ret;
int err;
assert( sbiod != NULL );
assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
p = (struct tls_data *)sbiod->sbiod_pvt;
ret = PR_Recv( p->session->ts_session, buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
if ( ret < 0 ) {
err = PR_GetError();
if ( err == PR_PENDING_INTERRUPT_ERROR || err == PR_WOULD_BLOCK_ERROR ) {
sbiod->sbiod_sb->sb_trans_needs_read = 1;
sock_errset(EWOULDBLOCK);
}
} else {
sbiod->sbiod_sb->sb_trans_needs_read = 0;
}
return ret;
}
static ber_slen_t
tlsm_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
{
struct tls_data *p;
ber_slen_t ret;
int err;
assert( sbiod != NULL );
assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
p = (struct tls_data *)sbiod->sbiod_pvt;
ret = PR_Send( p->session->ts_session, (char *)buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
if ( ret < 0 ) {
err = PR_GetError();
if ( err == PR_PENDING_INTERRUPT_ERROR || err == PR_WOULD_BLOCK_ERROR ) {
sbiod->sbiod_sb->sb_trans_needs_write = 1;
sock_errset(EWOULDBLOCK);
ret = 0;
}
} else {
sbiod->sbiod_sb->sb_trans_needs_write = 0;
}
return ret;
}
static Sockbuf_IO tlsm_sbio =
{
tlsm_sb_setup, /* sbi_setup */
tlsm_sb_remove, /* sbi_remove */
tlsm_sb_ctrl, /* sbi_ctrl */
tlsm_sb_read, /* sbi_read */
tlsm_sb_write, /* sbi_write */
tlsm_sb_close /* sbi_close */
};
tls_impl ldap_int_moznss_impl = {
"MozNSS",
tlsm_init,
tlsm_destroy,
tlsm_ctx_new,
tlsm_ctx_ref,
tlsm_ctx_free,
tlsm_ctx_init,
tlsm_session_new,
tlsm_session_connect,
tlsm_session_accept,
tlsm_session_upflags,
tlsm_session_errmsg,
tlsm_session_my_dn,
tlsm_session_peer_dn,
tlsm_session_chkhost,
tlsm_session_strength,
&tlsm_sbio,
#ifdef LDAP_R_COMPILE
tlsm_thr_init,
#else
NULL,
#endif
0
};
#endif /* HAVE_MOZNSS */

1286
libraries/libldap/tls_o.c Normal file
View file

File diff suppressed because it is too large Load diff