basebuilder_pel7ppc64lebuilder0
4 years ago
18 changed files with 1045 additions and 539 deletions
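--- /dev/null
+++ b/PATCH_FILE_1_PATH_PLACEHOLDER
@@ -0,0 +1,227 @@
+ITS#7595 Add Elliptic Curve support for OpenSSL
+
+Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
+Author: Howard Chu <hyc@openldap.org>
+Date: Sat Sep 7 09:47:19 2013 -0700
+
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 9c72e8296..2311c3096 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -922,6 +922,13 @@ are not used.
+When using Mozilla NSS these parameters are always generated randomly
+so this directive is ignored.
+.TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+.B olcTLSProtocolMin: <major>[.<minor>]
+Specifies minimum SSL/TLS protocol version that will be negotiated.
+If the server doesn't support at least that version,
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index f504adcf9..ef03e0ad8 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1153,6 +1153,13 @@ are not used.
+When using Mozilla NSS these parameters are always generated randomly
+so this directive is ignored.
+.TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+.B TLSProtocolMin <major>[.<minor>]
+Specifies minimum SSL/TLS protocol version that will be negotiated.
+If the server doesn't support at least that version,
+diff --git a/include/ldap.h b/include/ldap.h
+index c245651c2..0964a193e 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
+#define LDAP_OPT_X_TLS_NEWCTX 0x600f
+#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
+#define LDAP_OPT_X_TLS_PACKAGE 0x6011
++#define LDAP_OPT_X_TLS_ECNAME 0x6012
+
+#define LDAP_OPT_X_TLS_NEVER 0
+#define LDAP_OPT_X_TLS_HARD 1
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 66e04ae80..db7193f4f 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -165,6 +165,7 @@ struct ldaptls {
+char *lt_ciphersuite;
+char *lt_crlfile;
+char *lt_randfile; /* OpenSSL only */
++ char *lt_ecname; /* OpenSSL only */
+int lt_protocol_min;
+};
+#endif
+@@ -250,6 +251,7 @@ struct ldapoptions {
+#define ldo_tls_certfile ldo_tls_info.lt_certfile
+#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
+#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname ldo_tls_info.lt_ecname
+#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
+#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
+#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index d25c190ea..0451b01af 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+LDAP_FREE( lo->ldo_tls_dhfile );
+lo->ldo_tls_dhfile = NULL;
+}
++ if ( lo->ldo_tls_ecname ) {
++ LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = NULL;
++ }
+if ( lo->ldo_tls_cacertfile ) {
+LDAP_FREE( lo->ldo_tls_cacertfile );
+lo->ldo_tls_cacertfile = NULL;
+@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
+lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+__atoe( lts.lt_dhfile );
+}
++ if ( lts.lt_ecname ) {
++ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++ __atoe( lts.lt_ecname );
++ }
+#endif
+lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+if ( lo->ldo_tls_ctx == NULL ) {
+@@ -257,6 +265,7 @@ error_exit:
+LDAP_FREE( lts.lt_crlfile );
+LDAP_FREE( lts.lt_cacertdir );
+LDAP_FREE( lts.lt_dhfile );
++ LDAP_FREE( lts.lt_ecname );
+#endif
+return rc;
+}
+@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+*(char **)arg = lo->ldo_tls_dhfile ?
+LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+break;
++ case LDAP_OPT_X_TLS_ECNAME:
++ *(char **)arg = lo->ldo_tls_ecname ?
++ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++ break;
+case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+*(char **)arg = lo->ldo_tls_crlfile ?
+LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+return 0;
++ case LDAP_OPT_X_TLS_ECNAME:
++ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ return 0;
+case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index f24060b7e..1370923af 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+return -1;
+}
+
+- if ( lo->ldo_tls_dhfile ) {
+- DH *dh = NULL;
++ if ( is_server && lo->ldo_tls_dhfile ) {
++ DH *dh;
+BIO *bio;
+- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+
+if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+Debug( LDAP_DEBUG_ANY,
+@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+}
+BIO_free( bio );
+SSL_CTX_set_tmp_dh( ctx, dh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++ DH_free( dh );
++ }
++
++#ifdef SSL_OP_SINGLE_ECDH_USE
++ if ( is_server && lo->ldo_tls_ecname ) {
++ EC_KEY *ecdh;
++
++ int nid = OBJ_sn2nid( lt->lt_ecname );
++ if ( nid == NID_undef ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ ecdh = EC_KEY_new_by_curve_name( nid );
++ if ( ecdh == NULL ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not generate key for EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++ EC_KEY_free( ecdh );
+}
++#endif
+
+if ( tlso_opt_trace ) {
+SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f14100..8b1e4e582 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -194,6 +194,7 @@ enum {
+CFG_ACL_ADD,
+CFG_SYNC_SUBENTRY,
+CFG_LTHREADS,
++ CFG_TLS_ECNAME,
+
+CFG_LAST
+};
+@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
+#endif
+"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++ { "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++ ARG_IGNORED, NULL,
++#endif
++ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+{ "TLSProtocolMin", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
+"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
+case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
+case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
+case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
++ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
+#ifdef HAVE_GNUTLS
+case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
+#endif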
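Review bot: Neither the tls_o.c hunk of this patch nor the new man-page paragraphs say that `TLSECName` must be an OpenSSL short name as understood by `OBJ_sn2nid` (for example `prime256v1`), and a name it does not recognise makes tlso_ctx_init fail with `return -1`, so a typo in that one directive disables server TLS rather than falling back to the DH-only configuration. A sentence in the `olcTLSECName`/`TLSECName` entries such as `The name must be an OpenSSL curve short name (see openssl ecparam -list_curves); an unrecognised name causes TLS initialization to fail.` would spare operators a startup surprise. Note also that `SSL_CTX_set_tmp_ecdh` pins the server to that single curve for every client; on OpenSSL 1.0.2 and later `SSL_CTX_set1_curves_list` accepts the same names and lets the handshake negotiate, which may be worth a follow-up once the packaged OpenSSL version is confirmed. tlso_ctx_init starts and ends outside the hunk.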
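--- /dev/null
+++ b/PATCH_FILE_2_PATH_PLACEHOLDER
@@ -0,0 +1,34 @@
+ITS#7595 don't try to use EC if OpenSSL lacks it
+
+Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
+Author: Howard Chu <hyc@openldap.org>
+Date: Sun Sep 8 06:32:23 2013 -0700
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 1a81bc625..71c2b055c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+DH_free( dh );
+}
+
+-#ifdef SSL_OP_SINGLE_ECDH_USE
+if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
++ return -1;
++#else
+EC_KEY *ecdh;
+
+int nid = OBJ_sn2nid( lt->lt_ecname );
+@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+EC_KEY_free( ecdh );
+- }
+#endif
++ }
+
+if ( tlso_opt_trace ) {
+SSL_CTX_set_info_callback( ctx, tlso_info_cb );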
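Review bot: The new `OPENSSL_NO_EC` branch refuses to build the context without telling the operator which directive caused the refusal; `lo->ldo_tls_ecname` is known to be non-NULL on that path, so the message could name it: `"TLS: Elliptic Curves not supported, cannot honour TLSECName `%s'.\n", lo->ldo_tls_ecname, 0, 0 );`. That `return -1`, like the two inside the `#else` branch, returns before any cleanup of `ctx`; whether the caller releases the context on a non-zero return is not visible in this hunk and is worth confirming. tlso_ctx_init begins and ends outside the hunk.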
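--- /dev/null
+++ b/PATCH_FILE_3_PATH_PLACEHOLDER
@@ -0,0 +1,48 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
+.B ldaps:// URI
+is selected (by default or otherwise) or when the application
+negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+.TP
+.B TLS_CACERT <filename>
+Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -801,6 +801,10 @@ If
+.B slapd
+is built with support for Transport Layer Security, there are more options
+you can specify.
++.LP
++When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+.TP
+.B olcTLSCipherSuite: <cipher-suite-spec>
+Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1032,6 +1032,10 @@ If
+.B slapd
+is built with support for Transport Layer Security, there are more options
+you can specify.
++.LP
++When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+.TP
+.B TLSCipherSuite <cipher-suite-spec>
+Permits configuring what ciphers will be accepted and the preference order.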
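--- /dev/null
+++ b/PATCH_FILE_4_PATH_PLACEHOLDER
@@ -0,0 +1,224 @@
+From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Fri, 10 Jan 2020 18:35:02 +0100
+Subject: [PATCH] Use OpenSSL API to verify host
+
+Replace custom hostname and IP address verification with OpenSSL 1.0.2
+APIs.
+---
+libraries/libldap/tls_o.c | 184 ++++++-------------------------------
+1 file changed, 28 insertions(+), 156 deletions(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index e52c5507c..5adf7b74f 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
+return 0;
+}
+
+-/* what kind of hostname were we given? */
+-#define IS_DNS 0
+-#define IS_IP4 1
+-#define IS_IP6 2
+-
+static int
+tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+{
+tlso_session *s = (tlso_session *)sess;
+- int i, ret = LDAP_LOCAL_ERROR;
++ int ret = LDAP_LOCAL_ERROR;
+X509 *x;
+const char *name;
+- char *ptr;
+- int ntype = IS_DNS, nlen;
+-#ifdef LDAP_PF_INET6
+- struct in6_addr addr;
+-#else
+- struct in_addr addr;
+-#endif
++ int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
++ ASN1_OCTET_STRING *ip;
+
+if( ldap_int_hostname &&
+( !name_in || !strcasecmp( name_in, "localhost" ) ) )
+@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+} else {
+name = name_in;
+}
+- nlen = strlen(name);
+
+x = tlso_get_cert(s);
+if (!x) {
+@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+return LDAP_SUCCESS;
+}
+
+-#ifdef LDAP_PF_INET6
+- if (inet_pton(AF_INET6, name, &addr)) {
+- ntype = IS_IP6;
+- } else
+-#endif
+- if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
+- if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
+- }
+-
+- i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+- if (i >= 0) {
+- X509_EXTENSION *ex;
+- STACK_OF(GENERAL_NAME) *alt;
+-
+- ex = X509_get_ext(x, i);
+- alt = X509V3_EXT_d2i(ex);
+- if (alt) {
+- int n, len2 = 0;
+- char *domain = NULL;
+- GENERAL_NAME *gn;
+-
+- if (ntype == IS_DNS) {
+- domain = strchr(name, '.');
+- if (domain) {
+- len2 = nlen - (domain-name);
+- }
+- }
+- n = sk_GENERAL_NAME_num(alt);
+- for (i=0; i<n; i++) {
+- char *sn;
+- int sl;
+- gn = sk_GENERAL_NAME_value(alt, i);
+- if (gn->type == GEN_DNS) {
+- if (ntype != IS_DNS) continue;
+-
+- sn = (char *) ASN1_STRING_data(gn->d.ia5);
+- sl = ASN1_STRING_length(gn->d.ia5);
+-
+- /* ignore empty */
+- if (sl == 0) continue;
+-
+- /* Is this an exact match? */
+- if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
+- break;
+- }
+-
+- /* Is this a wildcard match? */
+- if (domain && (sn[0] == '*') && (sn[1] == '.') &&
+- (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
+- {
+- break;
+- }
+-
+- } else if (gn->type == GEN_IPADD) {
+- if (ntype == IS_DNS) continue;
+-
+- sn = (char *) ASN1_STRING_data(gn->d.ia5);
+- sl = ASN1_STRING_length(gn->d.ia5);
+-
+-#ifdef LDAP_PF_INET6
+- if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
+- continue;
+- } else
+-#endif
+- if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
+- continue;
+- }
+- if (!memcmp(sn, &addr, sl)) {
+- break;
+- }
+- }
+- }
+-
+- GENERAL_NAMES_free(alt);
+- if (i < n) { /* Found a match */
+- ret = LDAP_SUCCESS;
+- }
+- }
+- }
+-
+- if (ret != LDAP_SUCCESS) {
+- X509_NAME *xn;
+- X509_NAME_ENTRY *ne;
+- ASN1_OBJECT *obj;
+- ASN1_STRING *cn = NULL;
+- int navas;
+-
+- /* find the last CN */
+- obj = OBJ_nid2obj( NID_commonName );
+- if ( !obj ) goto no_cn; /* should never happen */
+-
+- xn = X509_get_subject_name(x);
+- navas = X509_NAME_entry_count( xn );
+- for ( i=navas-1; i>=0; i-- ) {
+- ne = X509_NAME_get_entry( xn, i );
+- if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
+- cn = X509_NAME_ENTRY_get_data( ne );
+- break;
+- }
++ /* attempt to encode name as IP address */
++ ip = a2i_IPADDRESS(name);
++ if (ip == NULL) {
++ ERR_clear_error();
++ /* it's a hostname */
++ if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) {
++ ret = LDAP_SUCCESS;
+}
+-
+- if( !cn )
+- {
+-no_cn:
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: unable to get common name from peer certificate.\n",
+- 0, 0, 0 );
+- ret = LDAP_CONNECT_ERROR;
+- if ( ld->ld_error ) {
+- LDAP_FREE( ld->ld_error );
+- }
+- ld->ld_error = LDAP_STRDUP(
+- _("TLS: unable to get CN from peer certificate"));
+-
+- } else if ( cn->length == nlen &&
+- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
++ } else {
++ /* It's an IPv4 or IPv6 address */
++ if (X509_check_ip(x, ASN1_STRING_data(ip),
++ ASN1_STRING_length(ip), 0) == 1) {
+ret = LDAP_SUCCESS;
+-
+- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
+- char *domain = strchr(name, '.');
+- if( domain ) {
+- int dlen;
+-
+- dlen = nlen - (domain-name);
+-
+- /* Is this a wildcard match? */
+- if ((dlen == cn->length-1) &&
+- !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
+- ret = LDAP_SUCCESS;
+- }
+- }
+}
++ ASN1_OCTET_STRING_free(ip);
++ }
+
+- if( ret == LDAP_LOCAL_ERROR ) {
+- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+- "common name in certificate (%.*s).\n",
+- name, cn->length, cn->data );
+- ret = LDAP_CONNECT_ERROR;
+- if ( ld->ld_error ) {
+- LDAP_FREE( ld->ld_error );
+- }
+- ld->ld_error = LDAP_STRDUP(
+- _("TLS: hostname does not match CN in peer certificate"));
++ if( ret == LDAP_LOCAL_ERROR ) {
++ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
++ "peer certificate.\n", name, 0, 0);
++ ret = LDAP_CONNECT_ERROR;
++ if ( ld->ld_error ) {
++ LDAP_FREE( ld->ld_error );
+}
++ ld->ld_error = LDAP_STRDUP(
++ _("TLS: hostname does not match peer certificate"));
+}
+X509_free(x);
+return ret;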
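Review bot: The rewritten tlso_session_chkhost changes which peer certificates are accepted, and neither the new code nor the commit message says so: `X509_check_ip` matches iPAddress subjectAltName entries only, so a certificate that carries a literal IP solely in its subject CN (which the removed `strncasecmp( name, (char *) cn->data, nlen )` branch accepted) is now rejected, and `X509_check_host` consults the CN only when the certificate has no dNSName SAN, whereas the removed loop fell back to the CN whenever no SAN matched. Both are the RFC 6125 behaviour and close the SAN/CN confusion the old hand-rolled matcher allowed, but they deserve a comment above `ip = a2i_IPADDRESS(name);` such as `/* SAN-based matching per RFC 6125: the CN is consulted only for DNS names and only when no dNSName SAN exists */` and a line in the commit message, since the only user-visible symptom is the generic "does not match peer certificate" error. Those OpenSSL semantics come from the library's documentation rather than from this hunk and should be confirmed against the OpenSSL version being packaged. Separately, the third hunk header `@@ -619,150 +619,32 @@` sits below `@@ -687,7 +677,6 @@` with a lower old-file offset, which suggests the patch file was edited by hand; regenerating it with git format-patch would make it apply without fuzz.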