Commit 20736efd authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount
Browse files

ITS#5981

parent 783ea588
OpenLDAP 2.4 Change Log
OpenLDAP 2.4.16 Engineering
Fixed libldap GnuTLS TLSVerifyCilent try (ITS#5981)
Fixed libldap segfault in checking cert/DN (ITS#5976)
Fixed slapd-ldap/meta with broken AD results (ITS#5977)
Fixed slapd-ldap/meta with invalid attrs again (ITS#5959)
......
......@@ -402,9 +402,18 @@ tlsg_session_accept( tls_session *session )
rc = gnutls_handshake( s->session );
if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
rc = tlsg_cert_verify( s );
if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
peer_cert_list = gnutls_certificate_get_peers( s->session,
&list_size );
if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
rc = 0;
else {
rc = tlsg_cert_verify( s );
if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
rc = 0;
}
}
return rc;
}
......@@ -483,7 +492,7 @@ tlsg_session_my_dn( tls_session *session, struct berval *der_dn )
if (!x) return LDAP_INVALID_CREDENTIALS;
bv.bv_val = x->data;
bv.bv_val = (char *) x->data;
bv.bv_len = x->size;
tlsg_x509_cert_dn( &bv, der_dn, 1 );
......@@ -496,7 +505,7 @@ tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
tlsg_session *s = (tlsg_session *)session;
if ( !s->peer_der_dn.bv_val ) {
const gnutls_datum_t *peer_cert_list;
int list_size;
unsigned int list_size;
struct berval bv;
peer_cert_list = gnutls_certificate_get_peers( s->session,
......@@ -504,7 +513,7 @@ tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
bv.bv_len = peer_cert_list->size;
bv.bv_val = peer_cert_list->data;
bv.bv_val = (char *) peer_cert_list->data;
tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
}
......@@ -525,13 +534,11 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
tlsg_session *s = (tlsg_session *)session;
int i, ret;
const gnutls_datum_t *peer_cert_list;
int list_size;
struct berval bv;
unsigned int list_size;
char altname[NI_MAXHOST];
size_t altnamesize;
gnutls_x509_crt_t cert;
gnutls_datum_t *x;
const char *name;
char *ptr;
char *domain = NULL;
......@@ -540,9 +547,8 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
#else
struct in_addr addr;
#endif
int n, len1 = 0, len2 = 0;
int len1 = 0, len2 = 0;
int ntype = IS_DNS;
time_t now = time(0);
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
......@@ -896,7 +902,6 @@ tlsg_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
{
struct tls_data *p;
ber_slen_t ret;
int err;
assert( sbiod != NULL );
assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
......@@ -929,7 +934,6 @@ tlsg_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
{
struct tls_data *p;
ber_slen_t ret;
int err;
assert( sbiod != NULL );
assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
......@@ -965,6 +969,7 @@ tlsg_cert_verify( tlsg_session *ssl )
unsigned int status = 0;
int err;
time_t now = time(0);
time_t peertime;
err = gnutls_certificate_verify_peers2( ssl->session, &status );
if ( err < 0 ) {
......@@ -977,12 +982,24 @@ tlsg_cert_verify( tlsg_session *ssl )
status, 0,0 );
return -1;
}
if ( gnutls_certificate_expiration_time_peers( ssl->session ) < now ) {
peertime = gnutls_certificate_expiration_time_peers( ssl->session );
if ( peertime == (time_t) -1 ) {
Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_expiration_time_peers failed\n",
0, 0, 0 );
return -1;
}
if ( peertime < now ) {
Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
0, 0, 0 );
return -1;
}
if ( gnutls_certificate_activation_time_peers( ssl->session ) > now ) {
peertime = gnutls_certificate_activation_time_peers( ssl->session );
if ( peertime == (time_t) -1 ) {
Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_activation_time_peers failed\n",
0, 0, 0 );
return -1;
}
if ( peertime > now ) {
Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
0, 0, 0 );
return -1;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment