|
|
e4ff3b |
From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001
|
|
|
e4ff3b |
From: Howard Chu <hyc@openldap.org>
|
|
|
e4ff3b |
Date: Mon, 26 Aug 2013 23:31:48 -0700
|
|
|
e4ff3b |
Subject: [PATCH] Add channel binding support
|
|
|
e4ff3b |
|
|
|
e4ff3b |
Currently only implemented for OpenSSL.
|
|
|
e4ff3b |
Needs an option to set the criticality flag.
|
|
|
e4ff3b |
---
|
|
|
e4ff3b |
include/ldap_pvt.h | 1 +
|
|
|
e4ff3b |
libraries/libldap/cyrus.c | 22 ++++++++++++++++++++++
|
|
|
e4ff3b |
libraries/libldap/ldap-int.h | 1 +
|
|
|
e4ff3b |
libraries/libldap/ldap-tls.h | 2 ++
|
|
|
e4ff3b |
libraries/libldap/tls2.c | 7 +++++++
|
|
|
e4ff3b |
libraries/libldap/tls_g.c | 7 +++++++
|
|
|
e4ff3b |
libraries/libldap/tls_m.c | 7 +++++++
|
|
|
e4ff3b |
libraries/libldap/tls_o.c | 16 ++++++++++++++++
|
|
|
e4ff3b |
servers/slapd/connection.c | 8 ++++++++
|
|
|
e4ff3b |
servers/slapd/sasl.c | 18 ++++++++++++++++++
|
|
|
e4ff3b |
servers/slapd/slap.h | 1 +
|
|
|
e4ff3b |
11 files changed, 90 insertions(+)
|
|
|
e4ff3b |
|
|
|
e4ff3b |
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
|
|
|
e4ff3b |
index 716c1a90f..61c620785 100644
|
|
|
e4ff3b |
--- a/include/ldap_pvt.h
|
|
|
e4ff3b |
+++ b/include/ldap_pvt.h
|
|
|
e4ff3b |
@@ -420,6 +420,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
|
|
|
e4ff3b |
LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
|
|
|
e4ff3b |
LDAPDN_rewrite_dummy *func, unsigned flags ));
|
|
|
e4ff3b |
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
|
|
|
e4ff3b |
+LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
|
|
|
e4ff3b |
|
|
|
e4ff3b |
LDAP_END_DECL
|
|
|
e4ff3b |
|
|
|
e4ff3b |
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
|
|
|
e4ff3b |
index 4c0089d5d..3171d56a3 100644
|
|
|
e4ff3b |
--- a/libraries/libldap/cyrus.c
|
|
|
e4ff3b |
+++ b/libraries/libldap/cyrus.c
|
|
|
e4ff3b |
@@ -360,6 +360,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
|
|
|
e4ff3b |
lc->lconn_sasl_sockctx = NULL;
|
|
|
e4ff3b |
lc->lconn_sasl_authctx = NULL;
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
+ if( lc->lconn_sasl_cbind ) {
|
|
|
e4ff3b |
+ ldap_memfree( lc->lconn_sasl_cbind );
|
|
|
e4ff3b |
+ lc->lconn_sasl_cbind = NULL;
|
|
|
e4ff3b |
+ }
|
|
|
e4ff3b |
|
|
|
e4ff3b |
return LDAP_SUCCESS;
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
@@ -492,6 +496,24 @@ ldap_int_sasl_bind(
|
|
|
e4ff3b |
|
|
|
e4ff3b |
(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
|
|
|
e4ff3b |
LDAP_FREE( authid.bv_val );
|
|
|
e4ff3b |
+#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
|
|
|
e4ff3b |
+ {
|
|
|
e4ff3b |
+ char cbinding[64];
|
|
|
e4ff3b |
+ struct berval cbv = { sizeof(cbinding), cbinding };
|
|
|
e4ff3b |
+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
|
|
|
e4ff3b |
+ sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
|
|
|
e4ff3b |
+ cbv.bv_len);
|
|
|
e4ff3b |
+ cb->name = "ldap";
|
|
|
e4ff3b |
+ cb->critical = 0;
|
|
|
e4ff3b |
+ cb->data = (char *)(cb+1);
|
|
|
e4ff3b |
+ cb->len = cbv.bv_len;
|
|
|
e4ff3b |
+ memcpy( cb->data, cbv.bv_val, cbv.bv_len );
|
|
|
e4ff3b |
+ sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
|
|
|
e4ff3b |
+ SASL_CHANNEL_BINDING, cb );
|
|
|
e4ff3b |
+ ld->ld_defconn->lconn_sasl_cbind = cb;
|
|
|
e4ff3b |
+ }
|
|
|
e4ff3b |
+ }
|
|
|
e4ff3b |
+#endif
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
#endif
|
|
|
e4ff3b |
|
|
|
e4ff3b |
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
|
|
|
e4ff3b |
index 98ad4dc05..397894271 100644
|
|
|
e4ff3b |
--- a/libraries/libldap/ldap-int.h
|
|
|
e4ff3b |
+++ b/libraries/libldap/ldap-int.h
|
|
|
e4ff3b |
@@ -308,6 +308,7 @@ typedef struct ldap_conn {
|
|
|
e4ff3b |
#ifdef HAVE_CYRUS_SASL
|
|
|
e4ff3b |
void *lconn_sasl_authctx; /* context for bind */
|
|
|
e4ff3b |
void *lconn_sasl_sockctx; /* for security layer */
|
|
|
e4ff3b |
+ void *lconn_sasl_cbind; /* for channel binding */
|
|
|
e4ff3b |
#endif
|
|
|
e4ff3b |
#ifdef HAVE_GSSAPI
|
|
|
e4ff3b |
void *lconn_gss_ctx; /* gss_ctx_id_t */
|
|
|
e4ff3b |
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
|
|
|
e4ff3b |
index c8a27112f..0ecf81ab9 100644
|
|
|
e4ff3b |
--- a/libraries/libldap/ldap-tls.h
|
|
|
e4ff3b |
+++ b/libraries/libldap/ldap-tls.h
|
|
|
e4ff3b |
@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
|
|
|
e4ff3b |
typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
|
|
|
e4ff3b |
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
|
|
|
e4ff3b |
typedef int (TI_session_strength)(tls_session *sess);
|
|
|
e4ff3b |
+typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
|
|
|
e4ff3b |
|
|
|
e4ff3b |
typedef void (TI_thr_init)(void);
|
|
|
e4ff3b |
|
|
|
e4ff3b |
@@ -64,6 +65,7 @@ typedef struct tls_impl {
|
|
|
e4ff3b |
TI_session_dn *ti_session_peer_dn;
|
|
|
e4ff3b |
TI_session_chkhost *ti_session_chkhost;
|
|
|
e4ff3b |
TI_session_strength *ti_session_strength;
|
|
|
e4ff3b |
+ TI_session_unique *ti_session_unique;
|
|
|
e4ff3b |
|
|
|
e4ff3b |
Sockbuf_IO *ti_sbio;
|
|
|
e4ff3b |
|
|
|
e4ff3b |
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
|
|
e4ff3b |
index 82ca5272c..13d734362 100644
|
|
|
e4ff3b |
--- a/libraries/libldap/tls2.c
|
|
|
e4ff3b |
+++ b/libraries/libldap/tls2.c
|
|
|
e4ff3b |
@@ -1013,6 +1013,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
|
|
|
e4ff3b |
rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
|
|
|
e4ff3b |
return rc;
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
+
|
|
|
e4ff3b |
+int
|
|
|
e4ff3b |
+ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
|
|
|
e4ff3b |
+{
|
|
|
e4ff3b |
+ tls_session *session = s;
|
|
|
e4ff3b |
+ return tls_imp->ti_session_unique( session, buf, is_server );
|
|
|
e4ff3b |
+}
|
|
|
e4ff3b |
#endif /* HAVE_TLS */
|
|
|
e4ff3b |
|
|
|
e4ff3b |
int
|
|
|
e4ff3b |
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
|
|
|
e4ff3b |
index 3b72cd2a1..b78c12086 100644
|
|
|
e4ff3b |
--- a/libraries/libldap/tls_g.c
|
|
|
e4ff3b |
+++ b/libraries/libldap/tls_g.c
|
|
|
e4ff3b |
@@ -669,6 +669,12 @@ tlsg_session_strength( tls_session *session )
|
|
|
e4ff3b |
return gnutls_cipher_get_key_size( c ) * 8;
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
|
|
|
e4ff3b |
+static int
|
|
|
e4ff3b |
+tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
|
|
e4ff3b |
+{
|
|
|
e4ff3b |
+ return 0;
|
|
|
e4ff3b |
+}
|
|
|
e4ff3b |
+
|
|
|
e4ff3b |
/* suites is a string of colon-separated cipher suite names. */
|
|
|
e4ff3b |
static int
|
|
|
e4ff3b |
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
|
|
|
e4ff3b |
@@ -925,6 +931,7 @@ tls_impl ldap_int_tls_impl = {
|
|
|
e4ff3b |
tlsg_session_peer_dn,
|
|
|
e4ff3b |
tlsg_session_chkhost,
|
|
|
e4ff3b |
tlsg_session_strength,
|
|
|
e4ff3b |
+ tlsg_session_unique,
|
|
|
e4ff3b |
|
|
|
e4ff3b |
&tlsg_sbio,
|
|
|
e4ff3b |
|
|
|
e4ff3b |
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
|
e4ff3b |
index 43fbae4bc..c64f4c176 100644
|
|
|
e4ff3b |
--- a/libraries/libldap/tls_m.c
|
|
|
e4ff3b |
+++ b/libraries/libldap/tls_m.c
|
|
|
e4ff3b |
@@ -2874,6 +2874,12 @@ tlsm_session_strength( tls_session *session )
|
|
|
e4ff3b |
return rc ? 0 : keySize;
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
|
|
|
e4ff3b |
+static int
|
|
|
e4ff3b |
+tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
|
|
e4ff3b |
+{
|
|
|
e4ff3b |
+ return 0;
|
|
|
e4ff3b |
+}
|
|
|
e4ff3b |
+
|
|
|
e4ff3b |
/*
|
|
|
e4ff3b |
* TLS support for LBER Sockbufs
|
|
|
e4ff3b |
*/
|
|
|
e4ff3b |
@@ -3302,6 +3308,7 @@ tls_impl ldap_int_tls_impl = {
|
|
|
e4ff3b |
tlsm_session_peer_dn,
|
|
|
e4ff3b |
tlsm_session_chkhost,
|
|
|
e4ff3b |
tlsm_session_strength,
|
|
|
e4ff3b |
+ tlsm_session_unique,
|
|
|
e4ff3b |
|
|
|
e4ff3b |
&tlsm_sbio,
|
|
|
e4ff3b |
|
|
|
e4ff3b |
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
|
|
e4ff3b |
index a13f11fb5..f741a461f 100644
|
|
|
e4ff3b |
--- a/libraries/libldap/tls_o.c
|
|
|
e4ff3b |
+++ b/libraries/libldap/tls_o.c
|
|
|
e4ff3b |
@@ -846,6 +846,21 @@ tlso_session_strength( tls_session *sess )
|
|
|
e4ff3b |
return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
|
|
|
e4ff3b |
+static int
|
|
|
e4ff3b |
+tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
|
|
e4ff3b |
+{
|
|
|
e4ff3b |
+ tlso_session *s = (tlso_session *)sess;
|
|
|
e4ff3b |
+
|
|
|
e4ff3b |
+ /* Usually the client sends the finished msg. But if the
|
|
|
e4ff3b |
+ * session was resumed, the server sent the msg.
|
|
|
e4ff3b |
+ */
|
|
|
e4ff3b |
+ if (SSL_session_reused(s) ^ !is_server)
|
|
|
e4ff3b |
+ buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);
|
|
|
e4ff3b |
+ else
|
|
|
e4ff3b |
+ buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);
|
|
|
e4ff3b |
+ return buf->bv_len;
|
|
|
e4ff3b |
+}
|
|
|
e4ff3b |
+
|
|
|
e4ff3b |
/*
|
|
|
e4ff3b |
* TLS support for LBER Sockbufs
|
|
|
e4ff3b |
*/
|
|
|
e4ff3b |
@@ -1363,6 +1378,7 @@ tls_impl ldap_int_tls_impl = {
|
|
|
e4ff3b |
tlso_session_peer_dn,
|
|
|
e4ff3b |
tlso_session_chkhost,
|
|
|
e4ff3b |
tlso_session_strength,
|
|
|
e4ff3b |
+ tlso_session_unique,
|
|
|
e4ff3b |
|
|
|
e4ff3b |
&tlso_sbio,
|
|
|
e4ff3b |
|
|
|
e4ff3b |
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
|
|
|
e4ff3b |
index 44c3fc63d..0602fdceb 100644
|
|
|
e4ff3b |
--- a/servers/slapd/connection.c
|
|
|
e4ff3b |
+++ b/servers/slapd/connection.c
|
|
|
e4ff3b |
@@ -406,6 +406,7 @@ Connection * connection_init(
|
|
|
e4ff3b |
c->c_sasl_sockctx = NULL;
|
|
|
e4ff3b |
c->c_sasl_extra = NULL;
|
|
|
e4ff3b |
c->c_sasl_bindop = NULL;
|
|
|
e4ff3b |
+ c->c_sasl_cbind = NULL;
|
|
|
e4ff3b |
|
|
|
e4ff3b |
c->c_sb = ber_sockbuf_alloc( );
|
|
|
e4ff3b |
|
|
|
e4ff3b |
@@ -451,6 +452,7 @@ Connection * connection_init(
|
|
|
e4ff3b |
assert( c->c_sasl_sockctx == NULL );
|
|
|
e4ff3b |
assert( c->c_sasl_extra == NULL );
|
|
|
e4ff3b |
assert( c->c_sasl_bindop == NULL );
|
|
|
e4ff3b |
+ assert( c->c_sasl_cbind == NULL );
|
|
|
e4ff3b |
assert( c->c_currentber == NULL );
|
|
|
e4ff3b |
assert( c->c_writewaiter == 0);
|
|
|
e4ff3b |
assert( c->c_writers == 0);
|
|
|
e4ff3b |
@@ -1428,6 +1430,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
|
|
|
e4ff3b |
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
|
|
|
e4ff3b |
slap_sasl_external( c, c->c_tls_ssf, &authid );
|
|
|
e4ff3b |
if ( authid.bv_val ) free( authid.bv_val );
|
|
|
e4ff3b |
+ {
|
|
|
e4ff3b |
+ char cbinding[64];
|
|
|
e4ff3b |
+ struct berval cbv = { sizeof(cbinding), cbinding };
|
|
|
e4ff3b |
+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
|
|
|
e4ff3b |
+ slap_sasl_cbinding( c, &cbv );
|
|
|
e4ff3b |
+ }
|
|
|
e4ff3b |
} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
|
|
|
e4ff3b |
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
|
|
|
e4ff3b |
slapd_set_write( s, 1 );
|
|
|
e4ff3b |
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
|
|
|
e4ff3b |
index 5144170d1..258cd5407 100644
|
|
|
e4ff3b |
--- a/servers/slapd/sasl.c
|
|
|
e4ff3b |
+++ b/servers/slapd/sasl.c
|
|
|
e4ff3b |
@@ -1389,6 +1389,21 @@ int slap_sasl_external(
|
|
|
e4ff3b |
return LDAP_SUCCESS;
|
|
|
e4ff3b |
}
|
|
|
e4ff3b |
|
|
|
e4ff3b |
+int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
|
|
|
e4ff3b |
+{
|
|
|
e4ff3b |
+#ifdef SASL_CHANNEL_BINDING
|
|
|
e4ff3b |
+ sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
|
|
|
e4ff3b |
+ cb->name = "ldap";
|
|
|
e4ff3b |
+ cb->critical = 0;
|
|
|
e4ff3b |
+ cb->data = (char *)(cb+1);
|
|
|
e4ff3b |
+ cb->len = cbv->bv_len;
|
|
|
e4ff3b |
+ memcpy( cb->data, cbv->bv_val, cbv->bv_len );
|
|
|
e4ff3b |
+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
|
|
|
e4ff3b |
+ conn->c_sasl_cbind = cb;
|
|
|
e4ff3b |
+#endif
|
|
|
e4ff3b |
+ return LDAP_SUCCESS;
|
|
|
e4ff3b |
+}
|
|
|
e4ff3b |
+
|
|
|
e4ff3b |
int slap_sasl_reset( Connection *conn )
|
|
|
e4ff3b |
{
|
|
|
e4ff3b |
return LDAP_SUCCESS;
|
|
|
e4ff3b |
@@ -1454,6 +1469,9 @@ int slap_sasl_close( Connection *conn )
|
|
|
e4ff3b |
free( conn->c_sasl_extra );
|
|
|
e4ff3b |
conn->c_sasl_extra = NULL;
|
|
|
e4ff3b |
|
|
|
e4ff3b |
+ free( conn->c_sasl_cbind );
|
|
|
e4ff3b |
+ conn->c_sasl_cbind = NULL;
|
|
|
e4ff3b |
+
|
|
|
e4ff3b |
#elif defined(SLAP_BUILTIN_SASL)
|
|
|
e4ff3b |
SASL_CTX *ctx = conn->c_sasl_authctx;
|
|
|
e4ff3b |
if( ctx ) {
|
|
|
e4ff3b |
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
|
|
|
e4ff3b |
index 7581967be..ad797d752 100644
|
|
|
e4ff3b |
--- a/servers/slapd/slap.h
|
|
|
e4ff3b |
+++ b/servers/slapd/slap.h
|
|
|
e4ff3b |
@@ -2910,6 +2910,7 @@ struct Connection {
|
|
|
e4ff3b |
void *c_sasl_authctx; /* SASL authentication context */
|
|
|
e4ff3b |
void *c_sasl_sockctx; /* SASL security layer context */
|
|
|
e4ff3b |
void *c_sasl_extra; /* SASL session extra stuff */
|
|
|
e4ff3b |
+ void *c_sasl_cbind; /* SASL channel binding */
|
|
|
e4ff3b |
Operation *c_sasl_bindop; /* set to current op if it's a bind */
|
|
|
e4ff3b |
|
|
|
e4ff3b |
#ifdef LDAP_X_TXN
|
|
|
e4ff3b |
--
|
|
|
e4ff3b |
2.29.2
|
|
|
e4ff3b |
|