Blame SOURCES/openldap-add-TLS_REQSAN-option.patch

00db6a
From c8050d1e6eb0f4f3deb187224945ddcfc3baa4d6 Mon Sep 17 00:00:00 2001
00db6a
From: Howard Chu <hyc@openldap.org>
00db6a
Date: Fri, 21 Aug 2020 09:15:15 +0100
00db6a
Subject: [PATCH] ITS#9318 add TLS_REQSAN option
00db6a
00db6a
Add an option to specify how subjectAlternativeNames should be
00db6a
handled when validating the names in a server certificate.
00db6a
---
00db6a
 doc/man/man3/ldap_get_option.3 |  9 +++++++
00db6a
 doc/man/man5/ldap.conf.5       | 31 +++++++++++++++++++++++
00db6a
 include/ldap.h                 |  1 +
00db6a
 libraries/libldap/init.c       |  2 ++
00db6a
 libraries/libldap/ldap-int.h   |  1 +
00db6a
 libraries/libldap/tls2.c       | 16 ++++++++++++
00db6a
 libraries/libldap/tls_g.c      | 46 ++++++++++++++++++++++++++++++++--
00db6a
 libraries/libldap/tls_o.c      | 44 ++++++++++++++++++++++++++++++--
00db6a
 8 files changed, 146 insertions(+), 4 deletions(-)
00db6a
00db6a
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
00db6a
index d229ce6e3..7d760136f 100644
00db6a
--- a/doc/man/man3/ldap_get_option.3
00db6a
+++ b/doc/man/man3/ldap_get_option.3
00db6a
@@ -788,6 +788,15 @@ one of
00db6a
 .BR LDAP_OPT_X_TLS_ALLOW ,
00db6a
 .BR LDAP_OPT_X_TLS_TRY .
00db6a
 .TP
00db6a
+.B LDAP_OPT_X_TLS_REQUIRE_SAN
00db6a
+Sets/gets the peer certificate subjectAlternativeName checking strategy,
00db6a
+one of
00db6a
+.BR LDAP_OPT_X_TLS_NEVER ,
00db6a
+.BR LDAP_OPT_X_TLS_HARD ,
00db6a
+.BR LDAP_OPT_X_TLS_DEMAND ,
00db6a
+.BR LDAP_OPT_X_TLS_ALLOW ,
00db6a
+.BR LDAP_OPT_X_TLS_TRY .
00db6a
+.TP
00db6a
 .B LDAP_OPT_X_TLS_SSL_CTX
00db6a
 Gets the TLS session context associated with this handle.
00db6a
 .BR outvalue
00db6a
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
00db6a
index 2f1ee886d..cde2c875f 100644
00db6a
--- a/doc/man/man5/ldap.conf.5
00db6a
+++ b/doc/man/man5/ldap.conf.5
00db6a
@@ -464,6 +464,37 @@ certificate is provided, or a bad certificate is provided, the session
00db6a
 is immediately terminated. This is the default setting.
00db6a
 .RE
00db6a
 .TP
00db6a
+.B TLS_REQSAN <level>
00db6a
+Specifies what checks to perform on the subjectAlternativeName
00db6a
+(SAN) extensions in a server certificate when validating the certificate
00db6a
+name against the specified hostname of the server. The
00db6a
+.B <level>
00db6a
+can be specified as one of the following keywords:
00db6a
+.RS
00db6a
+.TP
00db6a
+.B never
00db6a
+The client will not check any SAN in the certificate.
00db6a
+.TP
00db6a
+.B allow
00db6a
+The SAN is checked against the specified hostname. If a SAN is
00db6a
+present but none match the specified hostname, the SANs are ignored
00db6a
+and the usual check against the certificate DN is used.
00db6a
+This is the default setting.
00db6a
+.TP
00db6a
+.B try
00db6a
+The SAN is checked against the specified hostname. If no SAN is present
00db6a
+in the server certificate, the usual check against the certificate DN
00db6a
+is used. If a SAN is present but doesn't match the specified hostname,
00db6a
+the session is immediately terminated. This setting may be preferred
00db6a
+when a mix of certs with and without SANs are in use.
00db6a
+.TP
00db6a
+.B demand | hard
00db6a
+These keywords are equivalent. The SAN is checked against the specified
00db6a
+hostname. If no SAN is present in the server certificate, or no SANs
00db6a
+match, the session is immediately terminated. This setting should be
00db6a
+used when only certificates with SANs are in use.
00db6a
+.RE
00db6a
+.TP
00db6a
 .B TLS_CRLCHECK <level>
00db6a
 Specifies if the Certificate Revocation List (CRL) of the CA should be 
00db6a
 used to verify if the server certificates have not been revoked. This
00db6a
diff --git a/include/ldap.h b/include/ldap.h
00db6a
index 4b81a6841..4877de24a 100644
00db6a
--- a/include/ldap.h
00db6a
+++ b/include/ldap.h
00db6a
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
00db6a
 #define LDAP_OPT_X_TLS_PACKAGE		0x6011
00db6a
 #define LDAP_OPT_X_TLS_ECNAME		0x6012
00db6a
 #define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */
00db6a
+#define LDAP_OPT_X_TLS_REQUIRE_SAN	0x601a
00db6a
 
00db6a
 #define LDAP_OPT_X_TLS_NEVER	0
00db6a
 #define LDAP_OPT_X_TLS_HARD		1
00db6a
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
00db6a
index d503019aa..0d91808ec 100644
00db6a
--- a/libraries/libldap/init.c
00db6a
+++ b/libraries/libldap/init.c
00db6a
@@ -128,6 +128,7 @@ static const struct ol_attribute {
00db6a
   	{0, ATTR_TLS,	"TLS_CACERT",		NULL,	LDAP_OPT_X_TLS_CACERTFILE},
00db6a
   	{0, ATTR_TLS,	"TLS_CACERTDIR",	NULL,	LDAP_OPT_X_TLS_CACERTDIR},
00db6a
   	{0, ATTR_TLS,	"TLS_REQCERT",		NULL,	LDAP_OPT_X_TLS_REQUIRE_CERT},
00db6a
+	{0, ATTR_TLS,	"TLS_REQSAN",		NULL,	LDAP_OPT_X_TLS_REQUIRE_SAN},
00db6a
 	{0, ATTR_TLS,	"TLS_RANDFILE",		NULL,	LDAP_OPT_X_TLS_RANDOM_FILE},
00db6a
 	{0, ATTR_TLS,	"TLS_CIPHER_SUITE",	NULL,	LDAP_OPT_X_TLS_CIPHER_SUITE},
00db6a
 	{0, ATTR_TLS,	"TLS_PROTOCOL_MIN",	NULL,	LDAP_OPT_X_TLS_PROTOCOL_MIN},
00db6a
@@ -624,6 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
00db6a
 	gopts->ldo_tls_connect_cb = NULL;
00db6a
 	gopts->ldo_tls_connect_arg = NULL;
00db6a
 	gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
00db6a
+	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
00db6a
 #endif
00db6a
 	gopts->ldo_keepalive_probes = 0;
00db6a
 	gopts->ldo_keepalive_interval = 0;
00db6a
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
00db6a
index 753014ad0..2bf5d4ff6 100644
00db6a
--- a/libraries/libldap/ldap-int.h
00db6a
+++ b/libraries/libldap/ldap-int.h
00db6a
@@ -262,6 +262,7 @@ struct ldapoptions {
00db6a
    	int			ldo_tls_require_cert;
00db6a
 	int			ldo_tls_impl;
00db6a
    	int			ldo_tls_crlcheck;
00db6a
+	int			ldo_tls_require_san;
00db6a
 #define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0
00db6a
 #else
00db6a
 #define LDAP_LDO_TLS_NULLARG
00db6a
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
00db6a
index 6a2113255..670292c22 100644
00db6a
--- a/libraries/libldap/tls2.c
00db6a
+++ b/libraries/libldap/tls2.c
00db6a
@@ -539,6 +539,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
00db6a
 		return ldap_pvt_tls_set_option( ld, option, (void *) arg );
00db6a
 
00db6a
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
00db6a
+	case LDAP_OPT_X_TLS_REQUIRE_SAN:
00db6a
 	case LDAP_OPT_X_TLS:
00db6a
 		i = -1;
00db6a
 		if ( strcasecmp( arg, "never" ) == 0 ) {
00db6a
@@ -669,6 +670,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
00db6a
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
00db6a
 		*(int *)arg = lo->ldo_tls_require_cert;
00db6a
 		break;
00db6a
+	case LDAP_OPT_X_TLS_REQUIRE_SAN:
00db6a
+		*(int *)arg = lo->ldo_tls_require_san;
00db6a
+		break;
00db6a
 #ifdef HAVE_OPENSSL_CRL
00db6a
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
00db6a
 		*(int *)arg = lo->ldo_tls_crlcheck;
00db6a
@@ -818,6 +822,18 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
00db6a
 			return 0;
00db6a
 		}
00db6a
 		return -1;
00db6a
+	case LDAP_OPT_X_TLS_REQUIRE_SAN:
00db6a
+		if ( !arg ) return -1;
00db6a
+		switch( *(int *) arg ) {
00db6a
+		case LDAP_OPT_X_TLS_NEVER:
00db6a
+		case LDAP_OPT_X_TLS_DEMAND:
00db6a
+		case LDAP_OPT_X_TLS_ALLOW:
00db6a
+		case LDAP_OPT_X_TLS_TRY:
00db6a
+		case LDAP_OPT_X_TLS_HARD:
00db6a
+			lo->ldo_tls_require_san = * (int *) arg;
00db6a
+			return 0;
00db6a
+		}
00db6a
+		return -1;
00db6a
 #ifdef HAVE_OPENSSL_CRL
00db6a
 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
00db6a
 		if ( !arg ) return -1;
00db6a
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
00db6a
index 15ce0bbb8..e3486c9b4 100644
00db6a
--- a/libraries/libldap/tls_g.c
00db6a
+++ b/libraries/libldap/tls_g.c
00db6a
@@ -496,6 +496,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
00db6a
 {
00db6a
 	tlsg_session *s = (tlsg_session *)session;
00db6a
 	int i, ret;
00db6a
+	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
00db6a
 	const gnutls_datum_t *peer_cert_list;
00db6a
 	unsigned int list_size;
00db6a
 	char altname[NI_MAXHOST];
00db6a
@@ -558,12 +559,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
00db6a
 		}
00db6a
 	}
00db6a
 
00db6a
+	if (chkSAN) {
00db6a
 	for ( i=0, ret=0; ret >= 0; i++ ) {
00db6a
 		altnamesize = sizeof(altname);
00db6a
 		ret = gnutls_x509_crt_get_subject_alt_name( cert, i, 
00db6a
 			altname, &altnamesize, NULL );
00db6a
 		if ( ret < 0 ) break;
00db6a
 
00db6a
+		gotSAN = 1;
00db6a
 		/* ignore empty */
00db6a
 		if ( altnamesize == 0 ) continue;
00db6a
 
00db6a
@@ -599,7 +602,45 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
00db6a
 	}
00db6a
 	if ( ret >= 0 ) {
00db6a
 		ret = LDAP_SUCCESS;
00db6a
-	} else {
00db6a
+	}
00db6a
+	}
00db6a
+	if (ret != LDAP_SUCCESS && chkSAN) {
00db6a
+		switch(chkSAN) {
00db6a
+		case LDAP_OPT_X_TLS_DEMAND:
00db6a
+		case LDAP_OPT_X_TLS_HARD:
00db6a
+			if (!gotSAN) {
00db6a
+				Debug( LDAP_DEBUG_ANY,
00db6a
+					"TLS: unable to get subjectAltName from peer certificate.\n",
00db6a
+					0, 0, 0 );
00db6a
+				ret = LDAP_CONNECT_ERROR;
00db6a
+				if ( ld->ld_error ) {
00db6a
+					LDAP_FREE( ld->ld_error );
00db6a
+				}
00db6a
+				ld->ld_error = LDAP_STRDUP(
00db6a
+					_("TLS: unable to get subjectAltName from peer certificate"));
00db6a
+				goto done;
00db6a
+			}
00db6a
+			/* FALLTHRU */
00db6a
+		case LDAP_OPT_X_TLS_TRY:
00db6a
+			if (gotSAN) {
00db6a
+				Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
00db6a
+					"subjectAltName in certificate.\n",
00db6a
+					name, 0, 0 );
00db6a
+				ret = LDAP_CONNECT_ERROR;
00db6a
+				if ( ld->ld_error ) {
00db6a
+					LDAP_FREE( ld->ld_error );
00db6a
+				}
00db6a
+				ld->ld_error = LDAP_STRDUP(
00db6a
+					_("TLS: hostname does not match subjectAltName in peer certificate"));
00db6a
+				goto done;
00db6a
+			}
00db6a
+			break;
00db6a
+		case LDAP_OPT_X_TLS_ALLOW:
00db6a
+			break;
00db6a
+		}
00db6a
+	}
00db6a
+
00db6a
+	if ( ret != LDAP_SUCCESS ){
00db6a
 		/* find the last CN */
00db6a
 		i=0;
00db6a
 		do {
00db6a
@@ -654,9 +695,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
00db6a
 				LDAP_FREE( ld->ld_error );
00db6a
 			}
00db6a
 			ld->ld_error = LDAP_STRDUP(
00db6a
-				_("TLS: hostname does not match CN in peer certificate"));
00db6a
+				_("TLS: hostname does not match name in peer certificate"));
00db6a
 		}
00db6a
 	}
00db6a
+done:
00db6a
 	gnutls_x509_crt_deinit( cert );
00db6a
 	return ret;
00db6a
 }
00db6a
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
00db6a
index 4006f7a4f..6f27168e9 100644
00db6a
--- a/libraries/libldap/tls_o.c
00db6a
+++ b/libraries/libldap/tls_o.c
00db6a
@@ -600,6 +600,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
00db6a
 {
00db6a
 	tlso_session *s = (tlso_session *)sess;
00db6a
 	int i, ret = LDAP_LOCAL_ERROR;
00db6a
+	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
00db6a
 	X509 *x;
00db6a
 	const char *name;
00db6a
 	char *ptr;
00db6a
@@ -638,7 +639,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
00db6a
 	if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
00db6a
 		if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
00db6a
 	}
00db6a
-	
00db6a
+
00db6a
+	if (chkSAN) {
00db6a
 	i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
00db6a
 	if (i >= 0) {
00db6a
 		X509_EXTENSION *ex;
00db6a
@@ -651,6 +653,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
00db6a
 			char *domain = NULL;
00db6a
 			GENERAL_NAME *gn;
00db6a
 
00db6a
+			gotSAN = 1;
00db6a
 			if (ntype == IS_DNS) {
00db6a
 				domain = strchr(name, '.');
00db6a
 				if (domain) {
00db6a
@@ -709,6 +712,42 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
00db6a
 			}
00db6a
 		}
00db6a
 	}
00db6a
+	}
00db6a
+	if (ret != LDAP_SUCCESS && chkSAN) {
00db6a
+		switch(chkSAN) {
00db6a
+		case LDAP_OPT_X_TLS_DEMAND:
00db6a
+		case LDAP_OPT_X_TLS_HARD:
00db6a
+			if (!gotSAN) {
00db6a
+				Debug( LDAP_DEBUG_ANY,
00db6a
+					"TLS: unable to get subjectAltName from peer certificate.\n",
00db6a
+					0, 0, 0 );
00db6a
+				ret = LDAP_CONNECT_ERROR;
00db6a
+				if ( ld->ld_error ) {
00db6a
+					LDAP_FREE( ld->ld_error );
00db6a
+				}
00db6a
+				ld->ld_error = LDAP_STRDUP(
00db6a
+					_("TLS: unable to get subjectAltName from peer certificate"));
00db6a
+				goto done;
00db6a
+			}
00db6a
+			/* FALLTHRU */
00db6a
+		case LDAP_OPT_X_TLS_TRY:
00db6a
+			if (gotSAN) {
00db6a
+				Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
00db6a
+					"subjectAltName in certificate.\n",
00db6a
+					name, 0, 0 );
00db6a
+				ret = LDAP_CONNECT_ERROR;
00db6a
+				if ( ld->ld_error ) {
00db6a
+					LDAP_FREE( ld->ld_error );
00db6a
+				}
00db6a
+				ld->ld_error = LDAP_STRDUP(
00db6a
+					_("TLS: hostname does not match subjectAltName in peer certificate"));
00db6a
+				goto done;
00db6a
+			}
00db6a
+			break;
00db6a
+		case LDAP_OPT_X_TLS_ALLOW:
00db6a
+			break;
00db6a
+		}
00db6a
+	}
00db6a
 
00db6a
 	if (ret != LDAP_SUCCESS) {
00db6a
 		X509_NAME *xn;
00db6a
@@ -772,9 +811,10 @@ no_cn:
00db6a
 				LDAP_FREE( ld->ld_error );
00db6a
 			}
00db6a
 			ld->ld_error = LDAP_STRDUP(
00db6a
-				_("TLS: hostname does not match CN in peer certificate"));
00db6a
+				_("TLS: hostname does not match name in peer certificate"));
00db6a
 		}
00db6a
 	}
00db6a
+done:
00db6a
 	X509_free(x);
00db6a
 	return ret;
00db6a
 }
00db6a
-- 
00db6a
2.31.1
00db6a