ITS#10014: Add TLS handle using MbedTLS

2026-02-14 08:13:10 -05:00 · 2023-03-02 10:51:19 +01:00 · 2023-03-02 10:51:19 +01:00 · f7e6c71e13
commit f7e6c71e13
parent 6c2164970a
11 changed files with 1123 additions and 6 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -73,3 +73,29 @@ build-gnutls-mit-standalone-lloadd:
      - obj/tests/testrun/
      - obj/servers/
      - obj/libraries/
+
+build-mbedtls-mit-standalone-lloadd:
+  image: "debian:testing"
+  stage: build
+  script:
+    - export STARTTIME=$(date +%s)
+    - apt update
+    - DEBIAN_FRONTEND=noninteractive apt install -y build-essential python3 gdb procps pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libmbedtls-dev libevent-dev libargon2-dev libsystemd-dev
+    - autoreconf
+    - mkdir obj
+    - cd obj
+    - echo "$(date -u -d "now - $STARTTIME sec" +%T) Configuring"
+    - ../configure --with-tls=mbedtls --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --enable-balancer=mod --enable-argon2 --with-systemd
+    - make depend
+    - echo "$(date -u -d "now - $STARTTIME sec" +%T) Building"
+    - make
+    - ulimit -n 4096 # back-monitor takes a while scanning a long connections array
+    - SLAPD_COMMON_WRAPPER=gdb make test
+  artifacts:
+    name: testdir
+    when: on_failure
+    expire_in: '1 week'
+    paths:
+      - obj/tests/testrun/
+      - obj/servers/
+      - obj/libraries/
--- a/configure.ac
+++ b/configure.ac
@ -247,8 +247,8 @@ OL_ARG_WITH(threads,
 	[AS_HELP_STRING([--with-threads], [with threads library auto|nt|posix|pth|lwp|manual])],
 	auto, [auto nt posix pth lwp yes no manual] )
 OL_ARG_WITH(tls,
-	[AS_HELP_STRING([--with-tls], [with TLS/SSL support auto|openssl|gnutls])],
-	auto, [auto openssl gnutls yes no] )
+	[AS_HELP_STRING([--with-tls], [with TLS/SSL support auto|openssl|gnutls|mbedtls])],
+	auto, [auto openssl gnutls mbedtls yes no] )
 OL_ARG_WITH(yielding_select,
 	[AS_HELP_STRING([--with-yielding-select], [with implicitly yielding select])],
 	auto, [auto yes no manual] )
@ -1290,6 +1290,35 @@ if test $ol_link_tls = no ; then
 	fi
 fi

+if test $ol_link_tls = no ; then
+	if test $ol_with_tls = mbedtls || test $ol_with_tls = auto ; then
+		AC_CHECK_HEADERS(mbedtls/ssl.h)
+
+		if test $ac_cv_header_mbedtls_ssl_h = yes ; then
+			AC_PREPROC_IFELSE([AC_LANG_SOURCE(
+				[[#include <mbedtls/version.h>]
+[#if MBEDTLS_VERSION_NUMBER < 0x02120000]
+[#error "mbedtls is too old"]
+[#endif]])],
+					, [AC_MSG_FAILURE([mbedtls 2.18.0 or newer required])])
+
+			AC_CHECK_LIB(mbedtls, mbedtls_ssl_init,
+				[have_mbedtls=yes], [have_mbedtls=no], -lmbedx509 -lmbedcrypto)
+
+			if test $have_mbedtls = yes ; then
+				ol_with_tls=mbedtls
+				ol_link_tls=yes
+				WITH_TLS_TYPE=mbedtls
+
+				TLS_LIBS="-lmbedtls -lmbedx509 -lmbedcrypto"
+
+				AC_DEFINE(HAVE_MBEDTLS, 1,
+					[define if you have mbedtls])
+			fi
+		fi
+	fi
+fi
+
 WITH_TLS=no
 if test $ol_link_tls = yes ; then
 	AC_DEFINE(HAVE_TLS, 1, [define if you have TLS])
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@ -692,6 +692,7 @@ and its contents need to be freed by the caller using
 .TP
 .B LDAP_OPT_X_TLS_CIPHER_SUITE
 Sets/gets the allowed cipher suite.
+This directive is not supported when using MbedTLS.
 .BR invalue
 must be
 .BR "const char *" ;
@ -762,6 +763,7 @@ manipulate this structure.
 .B LDAP_OPT_X_TLS_DHFILE
 Gets/sets the full-path of the file containing the parameters
 for Diffie-Hellman ephemeral key exchange.
+This directive is not supported when using MbedTLS.
 .BR invalue
 must be
 .BR "const char *" ;
--- a/doc/man/man5/lloadd.conf.5
+++ b/doc/man/man5/lloadd.conf.5
@ -462,6 +462,7 @@ option.
 Permits configuring what ciphers will be accepted and the preference order.
 <cipher-suite-spec> should be a cipher specification for the TLS library
 in use (OpenSSL, GnuTLS, or Mozilla NSS).
+This directive is not supported when using MbedTLS.
 Example:
 .RS
 .RS
@ -577,6 +578,7 @@ You should append "!ADH" to your cipher suites to ensure that these suites
 are not used.
 When using Mozilla NSS these parameters are always generated randomly
 so this directive is ignored.
+This directive is not supported when using MbedTLS.
 .TP
 .B TLSECName <name>
 Specify the name of a curve to use for Elliptic curve Diffie-Hellman
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@ -903,6 +903,7 @@ you can specify.
 Permits configuring what ciphers will be accepted and the preference order.
 <cipher-suite-spec> should be a cipher specification for the TLS library
 in use (OpenSSL or GnuTLS).
+This directive is not supported when using MbedTLS.
 Example:
 .RS
 .RS
@ -982,6 +983,7 @@ actual client or server authentication and provide no protection against
 man-in-the-middle attacks.
 You should append "!ADH" to your cipher suites to ensure that these suites
 are not used.
+This directive is not supported when using MbedTLS.
 .TP
 .B olcTLSECName: <name>
 Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@ -1133,6 +1133,7 @@ you can specify.
 Permits configuring what ciphers will be accepted and the preference order.
 <cipher-suite-spec> should be a cipher specification for the TLS library
 in use (OpenSSL or GnuTLS).
+This directive is not supported when using MbedTLS.
 Example:
 .RS
 .RS
@ -1209,6 +1210,7 @@ actual client or server authentication and provide no protection against
 man-in-the-middle attacks.
 You should append "!ADH" to your cipher suites to ensure that these suites
 are not used.
+This directive is not supported when using MbedTLS.
 .TP
 .B TLSECName <name>
 Specify the name of the curve(s) to use for Elliptic curve Diffie-Hellman
--- a/libraries/libldap/Makefile.in
+++ b/libraries/libldap/Makefile.in
@ -26,7 +26,7 @@ SRCS	= bind.c open.c result.c error.c compare.c search.c \
 	request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
 	init.c options.c print.c string.c util-int.c schema.c \
 	charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
-	tls2.c tls_o.c tls_g.c \
+	tls2.c tls_o.c tls_g.c tls_mt.c\
 	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
 	assertion.c deref.c ldifutil.c ldif.c fetch.c lbase64.c \
 	msctrl.c psearchctrl.c threads.c rdwr.c tpool.c rq.c \
@ -42,7 +42,7 @@ OBJS	= bind.lo open.lo result.lo error.lo compare.lo search.lo \
 	request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \
 	charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
-	tls2.lo tls_o.lo tls_g.lo \
+	tls2.lo tls_o.lo tls_g.lo tls_mt.lo\
 	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
 	assertion.lo deref.lo ldifutil.lo ldif.lo fetch.lo lbase64.lo \
 	msctrl.lo psearchctrl.lo threads.lo rdwr.lo tpool.lo rq.lo \
--- a/libraries/libldap/tls_mt.c
+++ b/libraries/libldap/tls_mt.c
--- a/servers/slapd/overlays/otp.c
+++ b/servers/slapd/overlays/otp.c
@ -37,6 +37,7 @@
 /* include socket.h to get sys/types.h and/or winsock2.h */
 #include <ac/socket.h>

+#include "slap.h"
 #if HAVE_OPENSSL
 #include <openssl/sha.h>
 #include <openssl/hmac.h>
@ -124,11 +125,45 @@ static EVP_MAC *evp_mac;
 	hmac_digest( &ctx.outer, &ctx.inner, &ctx.state, h, h->digest_size, dig ); \
 	dlen = h->digest_size

+#elif HAVE_MBEDTLS
+
+#include "mbedtls/md.h"
+
+#define TOTP_SHA512_DIGEST_LENGTH MBEDTLS_MD_MAX_SIZE
+#define TOTP_SHA1 mbedtls_md_info_from_type(MBEDTLS_MD_SHA1)
+#define TOTP_SHA224 mbedtls_md_info_from_type(MBEDTLS_MD_SHA224)
+#define TOTP_SHA256 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)
+#define TOTP_SHA384 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384)
+#define TOTP_SHA512 mbedtls_md_info_from_type(MBEDTLS_MD_SHA512)
+
+static mbedtls_md_context_t *
+HMAC_CTX_new( void )
+{
+	mbedtls_md_context_t *ctx = ch_malloc( sizeof(mbedtls_md_context_t) );
+	if ( ctx != NULL ) {
+		mbedtls_md_init( ctx );
+	}
+	return ctx;
+}
+
+#define TOTP_HMAC_CTX mbedtls_md_context_t*
+#define HMAC_setup( ctx, key, len, hash ) \
+	ctx = HMAC_CTX_new(); \
+	mbedtls_md_setup(ctx, (const mbedtls_md_info_t *)hash, 1); \
+	mbedtls_md_hmac_starts(ctx, key, len)
+
+#define HMAC_crunch( ctx, buf, len ) mbedtls_md_hmac_update( ctx, buf, len )
+
+#define HMAC_finish( ctx, dig, dlen ) \
+	mbedtls_md_hmac_finish(ctx, dig); \
+	dlen = mbedtls_md_get_size((const mbedtls_md_info_t *)hash); \
+	mbedtls_md_free(ctx); \
+	ch_free(ctx)
+
 #else
 #error Unsupported crypto backend.
 #endif

-#include "slap.h"
 #include "slap-config.h"

 /* Schema from OATH-LDAP project by Michael Ströder */
--- a/tests/scripts/test067-tls
+++ b/tests/scripts/test067-tls
@ -110,7 +110,7 @@ else
 	echo "success"
 fi

-if test $WITH_TLS_TYPE = openssl ; then
+if [ $WITH_TLS_TYPE = openssl ] || [ $WITH_TLS_TYPE = mbedtls ]; then
 	echo -n "Using ldapsearch with startTLS and specific protocol version...."
 	$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -o tls_protocol_min=3.3 -ZZ -b "" -s base -H $URIP1 \
 		'@extensibleObject' > $SEARCHOUT 2>&1
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@ -194,10 +194,15 @@ EOF
 		for icb in "none" "tls-unique" "tls-endpoint" ; do

 			# The gnutls implementation of "tls-unique" seems broken
+			# mbedtls does not support "tls-unique"
 			if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
 				if test $WITH_TLS_TYPE = gnutls ; then
 					continue
 				fi
+				if test $WITH_TLS_TYPE = mbedtls ; then
+					echo "mbedtls backend does not support TLS-unique binding, skip"
+					continue
+				fi
 			fi

 			fail="no"