|
|
ad145f |
NOTE: The patch has been adjusted to match the base code before backporting.
|
|
|
ad145f |
|
|
|
ad145f |
From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001
|
|
|
ad145f |
From: Howard Chu <hyc@openldap.org>
|
|
|
ad145f |
Date: Tue, 10 Sep 2013 04:26:51 -0700
|
|
|
ad145f |
Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT
|
|
|
ad145f |
|
|
|
ad145f |
retrieve peer cert for an active TLS session
|
|
|
ad145f |
---
|
|
|
ad145f |
doc/man/man3/ldap_get_option.3 | 8 ++++++++
|
|
|
ad145f |
include/ldap.h | 1 +
|
|
|
ad145f |
libraries/libldap/ldap-tls.h | 2 ++
|
|
|
ad145f |
libraries/libldap/tls2.c | 23 +++++++++++++++++++++++
|
|
|
ad145f |
libraries/libldap/tls_g.c | 19 +++++++++++++++++++
|
|
|
ad145f |
libraries/libldap/tls_m.c | 17 +++++++++++++++++
|
|
|
ad145f |
libraries/libldap/tls_o.c | 16 ++++++++++++++++
|
|
|
ad145f |
7 files changed, 86 insertions(+)
|
|
|
ad145f |
|
|
|
ad145f |
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
|
|
|
ad145f |
index e67de75e9..1bb55d357 100644
|
|
|
ad145f |
--- a/doc/man/man3/ldap_get_option.3
|
|
|
ad145f |
+++ b/doc/man/man3/ldap_get_option.3
|
|
|
ad145f |
@@ -732,6 +732,14 @@ A non-zero value pointed to by
|
|
|
ad145f |
.BR invalue
|
|
|
ad145f |
tells the library to create a context for a server.
|
|
|
ad145f |
.TP
|
|
|
ad145f |
+.B LDAP_OPT_X_TLS_PEERCERT
|
|
|
ad145f |
+Gets the peer's certificate in DER format from an established TLS session.
|
|
|
ad145f |
+.BR outvalue
|
|
|
ad145f |
+must be
|
|
|
ad145f |
+.BR "struct berval *" ,
|
|
|
ad145f |
+and the data it returns needs to be freed by the caller using
|
|
|
ad145f |
+.BR ldap_memfree (3).
|
|
|
ad145f |
+.TP
|
|
|
ad145f |
.B LDAP_OPT_X_TLS_PROTOCOL_MIN
|
|
|
ad145f |
Sets/gets the minimum protocol version.
|
|
|
ad145f |
.BR invalue
|
|
|
ad145f |
diff --git a/include/ldap.h b/include/ldap.h
|
|
|
ad145f |
index 4de3f7f32..97ca524d7 100644
|
|
|
ad145f |
--- a/include/ldap.h
|
|
|
ad145f |
+++ b/include/ldap.h
|
|
|
ad145f |
@@ -161,6 +161,7 @@ LDAP_BEGIN_DECL
|
|
|
ad145f |
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
|
|
|
ad145f |
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
|
|
|
ad145f |
#define LDAP_OPT_X_TLS_ECNAME 0x6012
|
|
|
ad145f |
+#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
|
|
|
ad145f |
|
|
|
ad145f |
#define LDAP_OPT_X_TLS_NEVER 0
|
|
|
ad145f |
#define LDAP_OPT_X_TLS_HARD 1
|
|
|
ad145f |
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
|
|
|
ad145f |
index 548814d7f..890d20dc7 100644
|
|
|
ad145f |
--- a/libraries/libldap/ldap-tls.h
|
|
|
ad145f |
+++ b/libraries/libldap/ldap-tls.h
|
|
|
ad145f |
@@ -43,6 +43,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
|
|
|
ad145f |
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
|
|
|
ad145f |
typedef int (TI_session_strength)(tls_session *sess);
|
|
|
ad145f |
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
|
|
|
ad145f |
+typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
|
|
|
ad145f |
|
|
|
ad145f |
typedef void (TI_thr_init)(void);
|
|
|
ad145f |
|
|
|
ad145f |
@@ -69,6 +70,7 @@ typedef struct tls_impl {
|
|
|
ad145f |
TI_session_chkhost *ti_session_chkhost;
|
|
|
ad145f |
TI_session_strength *ti_session_strength;
|
|
|
ad145f |
TI_session_unique *ti_session_unique;
|
|
|
ad145f |
+ TI_session_peercert *ti_session_peercert;
|
|
|
ad145f |
|
|
|
ad145f |
Sockbuf_IO *ti_sbio;
|
|
|
ad145f |
|
|
|
ad145f |
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
|
|
ad145f |
index 05fce3218..cbf73bdd5 100644
|
|
|
ad145f |
--- a/libraries/libldap/tls2.c
|
|
|
ad145f |
+++ b/libraries/libldap/tls2.c
|
|
|
ad145f |
@@ -718,6 +718,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
|
|
|
ad145f |
case LDAP_OPT_X_TLS_CONNECT_ARG:
|
|
|
ad145f |
*(void **)arg = lo->ldo_tls_connect_arg;
|
|
|
ad145f |
break;
|
|
|
ad145f |
+ case LDAP_OPT_X_TLS_PEERCERT: {
|
|
|
ad145f |
+ void *sess = NULL;
|
|
|
ad145f |
+ struct berval *bv = arg;
|
|
|
ad145f |
+ bv->bv_len = 0;
|
|
|
ad145f |
+ bv->bv_val = NULL;
|
|
|
ad145f |
+ if ( ld != NULL ) {
|
|
|
ad145f |
+ LDAPConn *conn = ld->ld_defconn;
|
|
|
ad145f |
+ if ( conn != NULL ) {
|
|
|
ad145f |
+ Sockbuf *sb = conn->lconn_sb;
|
|
|
ad145f |
+ sess = ldap_pvt_tls_sb_ctx( sb );
|
|
|
ad145f |
+ if ( sess != NULL )
|
|
|
ad145f |
+ return ldap_pvt_tls_get_peercert( sess, bv );
|
|
|
ad145f |
+ }
|
|
|
ad145f |
+ }
|
|
|
ad145f |
+ break;
|
|
|
ad145f |
+ }
|
|
|
ad145f |
+
|
|
|
ad145f |
default:
|
|
|
ad145f |
return -1;
|
|
|
ad145f |
}
|
|
|
ad145f |
@@ -1050,6 +1066,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
|
|
|
ad145f |
tls_session *session = s;
|
|
|
ad145f |
return tls_imp->ti_session_unique( session, buf, is_server );
|
|
|
ad145f |
}
|
|
|
ad145f |
+
|
|
|
ad145f |
+int
|
|
|
ad145f |
+ldap_pvt_tls_get_peercert( void *s, struct berval *der )
|
|
|
ad145f |
+{
|
|
|
ad145f |
+ tls_session *session = s;
|
|
|
ad145f |
+ return tls_imp->ti_session_peercert( session, der );
|
|
|
ad145f |
+}
|
|
|
ad145f |
#endif /* HAVE_TLS */
|
|
|
ad145f |
|
|
|
ad145f |
int
|
|
|
ad145f |
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
|
|
|
ad145f |
index ce422387c..739680439 100644
|
|
|
ad145f |
--- a/libraries/libldap/tls_g.c
|
|
|
ad145f |
+++ b/libraries/libldap/tls_g.c
|
|
|
ad145f |
@@ -830,6 +830,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
|
|
ad145f |
return 0;
|
|
|
ad145f |
}
|
|
|
ad145f |
|
|
|
ad145f |
+static int
|
|
|
ad145f |
+tlsg_session_peercert( tls_session *sess, struct berval *der )
|
|
|
ad145f |
+{
|
|
|
ad145f |
+ tlsg_session *s = (tlsg_session *)sess;
|
|
|
ad145f |
+ const gnutls_datum_t *peer_cert_list;
|
|
|
ad145f |
+ unsigned int list_size;
|
|
|
ad145f |
+
|
|
|
ad145f |
+ peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
|
|
|
ad145f |
+ if (!peer_cert_list)
|
|
|
ad145f |
+ return -1;
|
|
|
ad145f |
+ der->bv_len = peer_cert_list[0].size;
|
|
|
ad145f |
+ der->bv_val = LDAP_MALLOC( der->bv_len );
|
|
|
ad145f |
+ if (!der->bv_val)
|
|
|
ad145f |
+ return -1;
|
|
|
ad145f |
+ memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
|
|
|
ad145f |
+ return 0;
|
|
|
ad145f |
+}
|
|
|
ad145f |
+
|
|
|
ad145f |
/* suites is a string of colon-separated cipher suite names. */
|
|
|
ad145f |
static int
|
|
|
ad145f |
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
|
|
|
ad145f |
@@ -1166,6 +1184,7 @@ tls_impl ldap_int_tls_impl = {
|
|
|
ad145f |
tlsg_session_chkhost,
|
|
|
ad145f |
tlsg_session_strength,
|
|
|
ad145f |
tlsg_session_unique,
|
|
|
ad145f |
+ tlsg_session_peercert,
|
|
|
ad145f |
|
|
|
ad145f |
&tlsg_sbio,
|
|
|
ad145f |
|
|
|
ad145f |
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
|
|
ad145f |
index 4bd9e63cb..36dc989ef 100644
|
|
|
ad145f |
--- a/libraries/libldap/tls_m.c
|
|
|
ad145f |
+++ b/libraries/libldap/tls_m.c
|
|
|
ad145f |
@@ -2891,6 +2891,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
|
|
ad145f |
return 0;
|
|
|
ad145f |
}
|
|
|
ad145f |
|
|
|
ad145f |
+static int
|
|
|
ad145f |
+tlsm_session_peercert( tls_session *sess, struct berval *der )
|
|
|
ad145f |
+{
|
|
|
ad145f |
+ tlsm_session *s = (tlsm_session *)sess;
|
|
|
ad145f |
+ CERTCertificate *cert;
|
|
|
ad145f |
+ cert = SSL_PeerCertificate( s );
|
|
|
ad145f |
+ if (!cert)
|
|
|
ad145f |
+ return -1;
|
|
|
ad145f |
+ der->bv_len = cert->derCert.len;
|
|
|
ad145f |
+ der->bv_val = LDAP_MALLOC( der->bv_len );
|
|
|
ad145f |
+ if (!der->bv_val)
|
|
|
ad145f |
+ return -1;
|
|
|
ad145f |
+ memcpy( der->bv_val, cert->derCert.data, der->bv_len );
|
|
|
ad145f |
+ return 0;
|
|
|
ad145f |
+}
|
|
|
ad145f |
+
|
|
|
ad145f |
/*
|
|
|
ad145f |
* TLS support for LBER Sockbufs
|
|
|
ad145f |
*/
|
|
|
ad145f |
@@ -3322,6 +3338,7 @@ tls_impl ldap_int_tls_impl = {
|
|
|
ad145f |
tlsm_session_chkhost,
|
|
|
ad145f |
tlsm_session_strength,
|
|
|
ad145f |
tlsm_session_unique,
|
|
|
ad145f |
+ tlsm_session_peercert,
|
|
|
ad145f |
|
|
|
ad145f |
&tlsm_sbio,
|
|
|
ad145f |
|
|
|
ad145f |
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
|
|
ad145f |
index 6288456d3..1fa50392f 100644
|
|
|
ad145f |
--- a/libraries/libldap/tls_o.c
|
|
|
ad145f |
+++ b/libraries/libldap/tls_o.c
|
|
|
ad145f |
@@ -721,6 +721,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
|
|
ad145f |
return buf->bv_len;
|
|
|
ad145f |
}
|
|
|
ad145f |
|
|
|
ad145f |
+static int
|
|
|
ad145f |
+tlso_session_peercert( tls_session *sess, struct berval *der )
|
|
|
ad145f |
+{
|
|
|
ad145f |
+ tlso_session *s = (tlso_session *)sess;
|
|
|
ad145f |
+ unsigned char *ptr;
|
|
|
ad145f |
+ X509 *x = SSL_get_peer_certificate(s);
|
|
|
ad145f |
+ der->bv_len = i2d_X509(x, NULL);
|
|
|
ad145f |
+ der->bv_val = LDAP_MALLOC(der->bv_len);
|
|
|
ad145f |
+ if ( !der->bv_val )
|
|
|
ad145f |
+ return -1;
|
|
|
ad145f |
+ ptr = der->bv_val;
|
|
|
ad145f |
+ i2d_X509(x, &ptr);
|
|
|
ad145f |
+ return 0;
|
|
|
ad145f |
+}
|
|
|
ad145f |
+
|
|
|
ad145f |
/*
|
|
|
ad145f |
* TLS support for LBER Sockbufs
|
|
|
ad145f |
*/
|
|
|
ad145f |
@@ -1229,6 +1244,7 @@ tls_impl ldap_int_tls_impl = {
|
|
|
ad145f |
tlso_session_chkhost,
|
|
|
ad145f |
tlso_session_strength,
|
|
|
ad145f |
tlso_session_unique,
|
|
|
ad145f |
+ tlso_session_peercert,
|
|
|
ad145f |
|
|
|
ad145f |
&tlso_sbio,
|
|
|
ad145f |
|
|
|
ad145f |
--
|
|
|
ad145f |
2.26.2
|
|
|
ad145f |
|