Re: Idea for security module: Using dnX509peerNormalize() to validate client certificates

Fri, 04 Aug 2023 00:33:04 -0700

I was thinking more about what would be required to provide the necessary hook in the main code. Here is a sketch of following the idea through.
I have maintained all the existing entry points and their current semantics in case any modules out there call them. I would be the first to admit this looks ugly. It also occurred to me that it doesn't make much sense. If it were possible to add a hook to the core slapd code, it would be simpler to just add another callback to validate the client cert. 


But yeah, allowing modules to call back into the core without the 
discipline of a formal API _really_ ossifies the core quickly!


  Sean.

|==========================================================================================||
||--- proto-slap.h.orig||
||+++ proto-slap.h||
||@@ -994,6 +994,7 @@||

|| LDAP_SLAPD_F (int) dnX509normalize LDAP_P(( void *x509_name, struct 
berval *out ));||

||||

|| LDAP_SLAPD_F (int) dnX509peerNormalize LDAP_P(( void *ssl, struct 
berval *dn ));||
||+LDAP_SLAPD_F (int) dnX509peerNormalize3 LDAP_P(( void *ssl, struct 
berval *dn, int *aliencert ));||

||||

|| LDAP_SLAPD_F (int) dnPrettyNormalDN LDAP_P(( Syntax *syntax, struct 
berval *val, LDAPDN *dn, int flags, void *ctx ));||

|| #define dnPrettyDN(syntax, val, dn, ctx) \||
||@@ -1003,6 +1004,9 @@||
||||

|| typedef int (SLAP_CERT_MAP_FN) LDAP_P(( void *ssl, struct berval *dn 
));||
|| LDAP_SLAPD_F (int) register_certificate_map_function LDAP_P(( 
SLAP_CERT_MAP_FN *fn ));||

||+||

||+typedef int (SLAP_CERT_MAP_FN3) LDAP_P(( void *ssl, struct berval 
*dn, int *alientcert ));||
||+LDAP_SLAPD_F (int) register_certificate_map_function3 LDAP_P(( 
SLAP_CERT_MAP_FN3 *fn ));||

||||
|| /*||
||  * entry.c||
||==========================================================================================||
||--- connection.c.orig||
||+++ connection.c||
||@@ -1369,7 +1369,17 @@||
||                                c->c_ssf = c->c_tls_ssf;||
||                        }||
||||
||-                       rc = dnX509peerNormalize( ssl, &authid );||
||+                       int aliencert = 0;||

||+                       rc = dnX509peerNormalize3( ssl, &authid, 
&aliencert );||

||+                       if ( alientcert ) {||

||+                                Debug( LDAP_DEBUG_TRACE, 
"connection_read(%d): " ||
||+                                        "TLS client certificate looks 
alien, error=%d id=%lu\n",||

||+                                        s, rc, c->c_connid );||

||+                               connection_closing( c, "TLS alien 
client certificate rejected" ); ||

||+                               connection_close( c ); ||
||+                               connection_return( c );||
||+                               return 0; ||
||+ } ||
||                        if ( rc != LDAP_SUCCESS ) {||

||                                Debug( LDAP_DEBUG_TRACE, 
"connection_read(%d): "||
||                                        "unable to get TLS client DN, 
error=%d id=%lu\n",||

||
||==========================================================================================||
||--- dn.c.orig||
||+++ dn.c||
||@@ -1295,6 +1295,11 @@||
||        return -1;||
|| }||
||||
||+int register_certificate_map_function3(SLAP_CERT_MAP_FN3 *fn)||
||+{||

||+       return register_certificate_map_function((SLAP_CERT_MAP_FN 
*)fn);||

||+}||
||+||
|| /*||
||  * Convert an X.509 DN into a normalized LDAP DN||
||  */||
||@@ -1318,16 +1323,32 @@||
|| int||
|| dnX509peerNormalize( void *ssl, struct berval *dn )||
|| {||
||-       int rc = LDAP_INVALID_CREDENTIALS;||
||+       int alientcert = 0;||
||||
||-       if ( DNX509PeerNormalizeCertMap != NULL )||
||-               rc = (*DNX509PeerNormalizeCertMap)( ssl, dn );||
||+       int rc = dnX509peerNormalize3( ssl, dn, &alientcert )||
||||
||-       if ( rc != LDAP_SUCCESS ) {||
||-               rc = ldap_pvt_tls_get_peer_dn( ssl, dn,||
||-                       (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );||
||-       }||
||+       /* mimic behaviour of original 2-parameter fn */||
||+       if ( aliencert && rc != LDAP_SUCCESS ) {||
||+                rc = ldap_pvt_tls_get_peer_dn( ssl, dn,||
||+                        (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );||
||+        }||
||||
||-       return rc;||
||+        return rc;||
||+}||
||+||
||+int||
||+dnX509peerNormalize3( void *ssl, struct berval *dn, int *alientcert )||
||+{||
||+        int rc = LDAP_INVALID_CREDENTIALS;||
||+||
||+        if ( DNX509PeerNormalizeCertMap != NULL )||

||+                rc = (*DNX509PeerNormalizeCertMap)( ssl, dn, 
alientcert );||

||+||
||+        if ( !alientcert && rc != LDAP_SUCCESS ) {||
||+                rc = ldap_pvt_tls_get_peer_dn( ssl, dn,||
||+                        (LDAPDN_rewrite_dummy *)LDAPDN_rewrite, 0 );||
||+        }||
||+||
||+        return rc;||
|| }||
|| #endif||
||==========================================================================================||
|



--
This email has been checked for viruses by AVG antivirus software.
www.avg.com





















					Reply via email to