Backport TLS SNI feature from OpenLDAP 2.5

Resolves: #2009534
2021-09-13 10:26:25 -07:00 · 2021-09-13 10:26:25 -07:00 · 005aba9f80
commit 005aba9f80
parent 4ac8ebe5cf
2 changed files with 203 additions and 1 deletions
--- a/openldap-add-tls-sni-support-to-libldap.patch
+++ b/openldap-add-tls-sni-support-to-libldap.patch
@ -0,0 +1,197 @@
 From 19e631e977c4f57905b2380cf79ccaf8e6d99e9d Mon Sep 17 00:00:00 2001
 From: Howard Chu <hyc@openldap.org>
 Date: Mon, 27 Apr 2020 03:41:12 +0100
 Subject: [PATCH 1/4] ITS#9176 Add TLS SNI support to libldap
 Implemented for OpenSSL, GnuTLS just stubbed
 ---
 libraries/libldap/ldap-tls.h | 2 +-
 libraries/libldap/tls2.c     | 2 +-
 libraries/libldap/tls_g.c    | 2 +-
 libraries/libldap/tls_o.c    | 8 ++++++--
 4 files changed, 9 insertions(+), 5 deletions(-)
 diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
 index c8a27112f1..c149b1867c 100644
 --- a/libraries/libldap/ldap-tls.h
 +++ b/libraries/libldap/ldap-tls.h
@@ -34,7 +34,7 @@ typedef void (TI_ctx_free)(tls_ctx *ctx);
 typedef int (TI_ctx_init)(struct ldapoptions *lo, struct ldaptls *lt, int is_server);
 typedef tls_session *(TI_session_new)(tls_ctx *ctx, int is_server);
 -typedef int (TI_session_connect)(LDAP *ld, tls_session *s);
 +typedef int (TI_session_connect)(LDAP *ld, tls_session *s, const char *name_in);
 typedef int (TI_session_accept)(tls_session *s);
 typedef int (TI_session_upflags)(Sockbuf *sb, tls_session *s, int rc);
 typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len );
 diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 index 82ca5272cc..cbeea8c6c4 100644
 --- a/libraries/libldap/tls2.c
 +++ b/libraries/libldap/tls2.c
@@ -368,7 +368,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
 	}
 -	err = tls_imp->ti_session_connect( ld, ssl );
 +	err = tls_imp->ti_session_connect( ld, ssl, host );
 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
 diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
 index 3b72cd2a1f..5468ed3f05 100644
 --- a/libraries/libldap/tls_g.c
 +++ b/libraries/libldap/tls_g.c
@@ -336,7 +336,7 @@ tlsg_session_accept( tls_session *session )
 }
 static int
 -tlsg_session_connect( LDAP *ld, tls_session *session )
 +tlsg_session_connect( LDAP *ld, tls_session *session, const char *name_in )
 {
 	return tlsg_session_accept( session);
 }
 diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 index 498f805fa1..455b23c0e9 100644
 --- a/libraries/libldap/tls_o.c
 +++ b/libraries/libldap/tls_o.c
@@ -548,12 +548,16 @@ tlso_session_new( tls_ctx *ctx, int is_server )
 }
 static int
 -tlso_session_connect( LDAP *ld, tls_session *sess )
 +tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
 {
 	tlso_session *s = (tlso_session *)sess;
 +	int rc;
 +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 +	SSL_set_tlsext_host_name( s, name_in );
 +#endif
 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
 -	int rc = SSL_connect( s ) - 1;
 +	rc = SSL_connect( s ) - 1;
 #ifdef LDAP_USE_NON_BLOCKING_TLS
 	if ( rc < 0 ) {
 		int sockerr = sock_errno();
 From 421c2021c7209bd7cd947ccb8b989bddab7b63cb Mon Sep 17 00:00:00 2001
 From: Howard Chu <hyc@openldap.org>
 Date: Mon, 27 Apr 2020 18:25:10 +0100
 Subject: [PATCH 2/4] ITS#9176 check for numeric addrs before passing SNI
 ---
 libraries/libldap/tls2.c  | 22 +++++++++++++++++++++-
 libraries/libldap/tls_o.c |  4 +++-
 2 files changed, 24 insertions(+), 2 deletions(-)
 diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 index cbeea8c6c4..85628bc3b3 100644
 --- a/libraries/libldap/tls2.c
 +++ b/libraries/libldap/tls2.c
@@ -334,6 +334,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 	Sockbuf *sb = conn->lconn_sb;
 	int	err;
 	tls_session	*ssl = NULL;
 +	char *sni = host;
 	if ( HAS_TLS( sb )) {
 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
@@ -368,7 +369,26 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
 	}
 -	err = tls_imp->ti_session_connect( ld, ssl, host );
 +	/* pass hostname for SNI, but only if it's an actual name
 +	 * and not a numeric address
 +	 */
 +	{
 +		int numeric = 1;
 +		char *c;
 +		for ( c = sni; *c; c++ ) {
 +			if ( *c == ':' )	/* IPv6 address */
 +				break;
 +			if ( *c == '.' )
 +				continue;
 +			if ( !isdigit( *c )) {
 +				numeric = 0;
 +				break;
 +			}
 +		}
 +		if ( numeric )
 +			sni = NULL;
 +	}
 +	err = tls_imp->ti_session_connect( ld, ssl, sni );
 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
 diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 index 455b23c0e9..45948dbc64 100644
 --- a/libraries/libldap/tls_o.c
 +++ b/libraries/libldap/tls_o.c
@@ -554,7 +554,9 @@ tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
 	int rc;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 -	SSL_set_tlsext_host_name( s, name_in );
 +	if ( name_in ) {
 +		SSL_set_tlsext_host_name( s, name_in );
 +	}
 #endif
 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
 	rc = SSL_connect( s ) - 1;
 From 05a65a46c684031a841bcc39cf01a82e8cc713a0 Mon Sep 17 00:00:00 2001
 From: Howard Chu <hyc@openldap.org>
 Date: Mon, 27 Apr 2020 18:54:02 +0100
 Subject: [PATCH 3/4] ITS#9176 check for failure setting SNI
 ---
 libraries/libldap/tls_o.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
 index 45948dbc64..86e86db3b6 100644
 --- a/libraries/libldap/tls_o.c
 +++ b/libraries/libldap/tls_o.c
@@ -555,7 +555,9 @@ tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 	if ( name_in ) {
 -		SSL_set_tlsext_host_name( s, name_in );
 +		rc = SSL_set_tlsext_host_name( s, name_in );
 +		if ( !rc )		/* can fail to strdup the name */
 +			return -1;
 	}
 #endif
 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
 From d059488fa86b58744ad70819516d3bf4a37dbb8e Mon Sep 17 00:00:00 2001
 From: Ryan Tandy <ryan@nardis.ca>
 Date: Mon, 27 Apr 2020 11:01:01 -0700
 Subject: [PATCH 4/4] ITS#9176 Implement SNI for GnuTLS
 ---
 libraries/libldap/tls_g.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
 diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
 index 5468ed3f05..5fceb3e935 100644
 --- a/libraries/libldap/tls_g.c
 +++ b/libraries/libldap/tls_g.c
@@ -338,6 +338,16 @@ tlsg_session_accept( tls_session *session )
 static int
 tlsg_session_connect( LDAP *ld, tls_session *session, const char *name_in )
 {
 +	tlsg_session *s = (tlsg_session *)session;
 +	int rc;
 +
 +	if ( name_in ) {
 +		rc = gnutls_server_name_set( s->session, GNUTLS_NAME_DNS, name_in, strlen(name_in) );
 +		if ( rc != GNUTLS_E_SUCCESS ) {
 +			return rc;
 +		}
 +	}
 +
 	return tlsg_session_accept( session);
 }
--- a/openldap.spec
+++ b/openldap.spec
@ -7,7 +7,7 @@
 Name: openldap
 Version: 2.4.59
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
@ -54,6 +54,7 @@ Patch60: openldap-cbinding-Fix-slaptest-in-test077.patch
 Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
 Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
 Patch63: openldap-cbinding-ITS-9215-fix-for-glibc-again.patch
 Patch64: openldap-add-tls-sni-support-to-libldap.patch
 # check-password module specific patches
 Patch90: check-password-makefile.patch
@ -159,6 +160,7 @@ pushd openldap-%{version}
 %patch61 -p1
 %patch62 -p1
 %patch63 -p1
 %patch64 -p1
 # The change is needed for autoconf-2.71
 sed 's@^AM_INIT_AUTOMAKE.*@AC_PROG_MAKE_SET@' -i configure.in
@ -556,6 +558,9 @@ exit 0
 %{_libdir}/libldap-2.4*.so.*
 %changelog
 * Thu Sep 30 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.59-4
 - Backport TLS SNI feature from OpenLDAP 2.5 (#2009534)
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.4.59-3
 - Rebuilt with OpenSSL 3.0.0