Blame SOURCES/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch

e4ff3b
NOTE: The patch has been adjusted to match the base code before backporting.
e4ff3b
e4ff3b
From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001
e4ff3b
From: Howard Chu <hyc@openldap.org>
e4ff3b
Date: Tue, 10 Sep 2013 04:26:51 -0700
e4ff3b
Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT
e4ff3b
e4ff3b
retrieve peer cert for an active TLS session
e4ff3b
---
e4ff3b
 doc/man/man3/ldap_get_option.3 |  8 ++++++++
e4ff3b
 include/ldap.h                 |  1 +
e4ff3b
 libraries/libldap/ldap-tls.h   |  2 ++
e4ff3b
 libraries/libldap/tls2.c       | 24 ++++++++++++++++++++++++
e4ff3b
 libraries/libldap/tls_g.c      | 19 +++++++++++++++++++
e4ff3b
 libraries/libldap/tls_m.c      | 17 +++++++++++++++++
e4ff3b
 libraries/libldap/tls_o.c      | 16 ++++++++++++++++
e4ff3b
 7 files changed, 87 insertions(+)
e4ff3b
e4ff3b
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
e4ff3b
index eb3f25b33..7546875f5 100644
e4ff3b
--- a/doc/man/man3/ldap_get_option.3
e4ff3b
+++ b/doc/man/man3/ldap_get_option.3
e4ff3b
@@ -744,6 +744,14 @@ A non-zero value pointed to by
e4ff3b
 .BR invalue
e4ff3b
 tells the library to create a context for a server.
e4ff3b
 .TP
e4ff3b
+.B LDAP_OPT_X_TLS_PEERCERT
e4ff3b
+Gets the peer's certificate in DER format from an established TLS session.
e4ff3b
+.BR outvalue
e4ff3b
+must be
e4ff3b
+.BR "struct berval *" ,
e4ff3b
+and the data it returns needs to be freed by the caller using
e4ff3b
+.BR ldap_memfree (3).
e4ff3b
+.TP
e4ff3b
 .B LDAP_OPT_X_TLS_PROTOCOL_MIN
e4ff3b
 Sets/gets the minimum protocol version.
e4ff3b
 .BR invalue
e4ff3b
diff --git a/include/ldap.h b/include/ldap.h
e4ff3b
index 389441031..88bfcabf8 100644
e4ff3b
--- a/include/ldap.h
e4ff3b
+++ b/include/ldap.h
e4ff3b
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
e4ff3b
 #define LDAP_OPT_X_TLS_PACKAGE		0x6011
e4ff3b
 #define LDAP_OPT_X_TLS_ECNAME		0x6012
e4ff3b
 #define LDAP_OPT_X_TLS_REQUIRE_SAN	0x601a
e4ff3b
+#define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */
e4ff3b
 
e4ff3b
 #define LDAP_OPT_X_TLS_NEVER	0
e4ff3b
 #define LDAP_OPT_X_TLS_HARD		1
e4ff3b
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
e4ff3b
index 0ecf81ab9..103004fa7 100644
e4ff3b
--- a/libraries/libldap/ldap-tls.h
e4ff3b
+++ b/libraries/libldap/ldap-tls.h
e4ff3b
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
e4ff3b
 typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
e4ff3b
 typedef int (TI_session_strength)(tls_session *sess);
e4ff3b
 typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
e4ff3b
+typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
e4ff3b
 
e4ff3b
 typedef void (TI_thr_init)(void);
e4ff3b
 
e4ff3b
@@ -66,6 +67,7 @@ typedef struct tls_impl {
e4ff3b
 	TI_session_chkhost *ti_session_chkhost;
e4ff3b
 	TI_session_strength *ti_session_strength;
e4ff3b
 	TI_session_unique *ti_session_unique;
e4ff3b
+	TI_session_peercert *ti_session_peercert;
e4ff3b
 
e4ff3b
 	Sockbuf_IO *ti_sbio;
e4ff3b
 
e4ff3b
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
e4ff3b
index 13d734362..ad09ba39b 100644
e4ff3b
--- a/libraries/libldap/tls2.c
e4ff3b
+++ b/libraries/libldap/tls2.c
e4ff3b
@@ -705,6 +705,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
e4ff3b
 	case LDAP_OPT_X_TLS_CONNECT_ARG:
e4ff3b
 		*(void **)arg = lo->ldo_tls_connect_arg;
e4ff3b
 		break;
e4ff3b
+	case LDAP_OPT_X_TLS_PEERCERT: {
e4ff3b
+		void *sess = NULL;
e4ff3b
+		struct berval *bv = arg;
e4ff3b
+		bv->bv_len = 0;
e4ff3b
+		bv->bv_val = NULL;
e4ff3b
+		if ( ld != NULL ) {
e4ff3b
+			LDAPConn *conn = ld->ld_defconn;
e4ff3b
+			if ( conn != NULL ) {
e4ff3b
+				Sockbuf *sb = conn->lconn_sb;
e4ff3b
+				sess = ldap_pvt_tls_sb_ctx( sb );
e4ff3b
+				if ( sess != NULL )
e4ff3b
+					return ldap_pvt_tls_get_peercert( sess, bv );
e4ff3b
+			}
e4ff3b
+		}
e4ff3b
+		break;
e4ff3b
+	}
e4ff3b
+
e4ff3b
 	default:
e4ff3b
 		return -1;
e4ff3b
 	}
e4ff3b
@@ -1020,6 +1037,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
e4ff3b
 	tls_session *session = s;
e4ff3b
 	return tls_imp->ti_session_unique( session, buf, is_server );
e4ff3b
 }
e4ff3b
+
e4ff3b
+int
e4ff3b
+ldap_pvt_tls_get_peercert( void *s, struct berval *der )
e4ff3b
+{
e4ff3b
+	tls_session *session = s;
e4ff3b
+	return tls_imp->ti_session_peercert( session, der );
e4ff3b
+}
e4ff3b
 #endif /* HAVE_TLS */
e4ff3b
 
e4ff3b
 int
e4ff3b
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
e4ff3b
index b78c12086..26d9f99ce 100644
e4ff3b
--- a/libraries/libldap/tls_g.c
e4ff3b
+++ b/libraries/libldap/tls_g.c
e4ff3b
@@ -675,6 +675,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
e4ff3b
 	return 0;
e4ff3b
 }
e4ff3b
 
e4ff3b
+static int
e4ff3b
+tlsg_session_peercert( tls_session *sess, struct berval *der )
e4ff3b
+{
e4ff3b
+	tlsg_session *s = (tlsg_session *)sess;
e4ff3b
+	const gnutls_datum_t *peer_cert_list;
e4ff3b
+	unsigned int list_size;
e4ff3b
+
e4ff3b
+	peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
e4ff3b
+	if (!peer_cert_list)
e4ff3b
+		return -1;
e4ff3b
+	der->bv_len = peer_cert_list[0].size;
e4ff3b
+	der->bv_val = LDAP_MALLOC( der->bv_len );
e4ff3b
+	if (!der->bv_val)
e4ff3b
+		return -1;
e4ff3b
+	memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
e4ff3b
+	return 0;
e4ff3b
+}
e4ff3b
+
e4ff3b
 /* suites is a string of colon-separated cipher suite names. */
e4ff3b
 static int
e4ff3b
 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
e4ff3b
@@ -932,6 +950,7 @@ tls_impl ldap_int_tls_impl = {
e4ff3b
 	tlsg_session_chkhost,
e4ff3b
 	tlsg_session_strength,
e4ff3b
 	tlsg_session_unique,
e4ff3b
+	tlsg_session_peercert,
e4ff3b
 
e4ff3b
 	&tlsg_sbio,
e4ff3b
 
e4ff3b
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
e4ff3b
index c64f4c176..d35a803de 100644
e4ff3b
--- a/libraries/libldap/tls_m.c
e4ff3b
+++ b/libraries/libldap/tls_m.c
e4ff3b
@@ -2880,6 +2880,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
e4ff3b
 	return 0;
e4ff3b
 }
e4ff3b
 
e4ff3b
+static int
e4ff3b
+tlsm_session_peercert( tls_session *sess, struct berval *der )
e4ff3b
+{
e4ff3b
+	tlsm_session *s = (tlsm_session *)sess;
e4ff3b
+	CERTCertificate *cert;
e4ff3b
+	cert = SSL_PeerCertificate( s );
e4ff3b
+	if (!cert)
e4ff3b
+		return -1;
e4ff3b
+	der->bv_len = cert->derCert.len;
e4ff3b
+	der->bv_val = LDAP_MALLOC( der->bv_len );
e4ff3b
+	if (!der->bv_val)
e4ff3b
+		return -1;
e4ff3b
+	memcpy( der->bv_val, cert->derCert.data, der->bv_len );
e4ff3b
+	return 0;
e4ff3b
+}
e4ff3b
+
e4ff3b
 /*
e4ff3b
  * TLS support for LBER Sockbufs
e4ff3b
  */
e4ff3b
@@ -3309,6 +3325,7 @@ tls_impl ldap_int_tls_impl = {
e4ff3b
 	tlsm_session_chkhost,
e4ff3b
 	tlsm_session_strength,
e4ff3b
 	tlsm_session_unique,
e4ff3b
+	tlsm_session_peercert,
e4ff3b
 
e4ff3b
 	&tlsm_sbio,
e4ff3b
 
e4ff3b
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
e4ff3b
index f741a461f..157923289 100644
e4ff3b
--- a/libraries/libldap/tls_o.c
e4ff3b
+++ b/libraries/libldap/tls_o.c
e4ff3b
@@ -861,6 +861,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
e4ff3b
 	return buf->bv_len;
e4ff3b
 }
e4ff3b
 
e4ff3b
+static int
e4ff3b
+tlso_session_peercert( tls_session *sess, struct berval *der )
e4ff3b
+{
e4ff3b
+	tlso_session *s = (tlso_session *)sess;
e4ff3b
+	unsigned char *ptr;
e4ff3b
+	X509 *x = SSL_get_peer_certificate(s);
e4ff3b
+	der->bv_len = i2d_X509(x, NULL);
e4ff3b
+	der->bv_val = LDAP_MALLOC(der->bv_len);
e4ff3b
+	if ( !der->bv_val )
e4ff3b
+		return -1;
e4ff3b
+	ptr = der->bv_val;
e4ff3b
+	i2d_X509(x, &ptr);
e4ff3b
+	return 0;
e4ff3b
+}
e4ff3b
+
e4ff3b
 /*
e4ff3b
  * TLS support for LBER Sockbufs
e4ff3b
  */
e4ff3b
@@ -1379,6 +1394,7 @@ tls_impl ldap_int_tls_impl = {
e4ff3b
 	tlso_session_chkhost,
e4ff3b
 	tlso_session_strength,
e4ff3b
 	tlso_session_unique,
e4ff3b
+	tlso_session_peercert,
e4ff3b
 
e4ff3b
 	&tlso_sbio,
e4ff3b
 
e4ff3b
-- 
e4ff3b
2.29.2
e4ff3b