From: Howard Chu
Date: Mon, 8 Jan 2007 23:36:24 +0000 (+0000)
Subject: Add TLS context configuration
X-Git-Tag: OPENLDAP_REL_ENG_2_4_4ALPHA~8^2~237
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=a6a8fb514b85c59b75028e3839cb06a2468c5901;p=openldap
Add TLS context configuration
---
diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index 263ca069d9..ab673b0041 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -247,6 +247,9 @@ typedef struct ldapinfo_t { LDAP_URLLIST_PROC *li_urllist_f; void *li_urllist_p; + /* we only care about the TLS options here */ + slap_bindconf li_tls; + slap_bindconf li_acl; #define li_acl_authcID li_acl.sb_authcId #define li_acl_authcDN li_acl.sb_binddn
@@ -276,27 +279,29 @@ typedef struct ldapinfo_t { #define LDAP_BACK_F_USE_TLS (0x00000002U) #define LDAP_BACK_F_PROPAGATE_TLS (0x00000004U) #define LDAP_BACK_F_TLS_CRITICAL (0x00000008U) +#define LDAP_BACK_F_TLS_LDAPS (0x00000010U) + #define LDAP_BACK_F_TLS_USE_MASK (LDAP_BACK_F_USE_TLS|LDAP_BACK_F_TLS_CRITICAL) #define LDAP_BACK_F_TLS_PROPAGATE_MASK (LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL) -#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK) -#define LDAP_BACK_F_CHASE_REFERRALS (0x00000010U) -#define LDAP_BACK_F_PROXY_WHOAMI (0x00000020U) +#define LDAP_BACK_F_TLS_MASK (LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK|LDAP_BACK_F_TLS_LDAPS) +#define LDAP_BACK_F_CHASE_REFERRALS (0x00000020U) +#define LDAP_BACK_F_PROXY_WHOAMI (0x00000040U) -#define LDAP_BACK_F_T_F (0x00000040U) -#define LDAP_BACK_F_T_F_DISCOVER (0x00000080U) +#define LDAP_BACK_F_T_F (0x00000080U) +#define LDAP_BACK_F_T_F_DISCOVER (0x00000100U) #define LDAP_BACK_F_T_F_MASK (LDAP_BACK_F_T_F) #define LDAP_BACK_F_T_F_MASK2 (LDAP_BACK_F_T_F_MASK|LDAP_BACK_F_T_F_DISCOVER) -#define LDAP_BACK_F_MONITOR (0x00000100U) -#define LDAP_BACK_F_SINGLECONN (0x00000200U) -#define LDAP_BACK_F_USE_TEMPORARIES (0x00000400U) +#define LDAP_BACK_F_MONITOR (0x00000200U) +#define LDAP_BACK_F_SINGLECONN (0x00000400U) +#define LDAP_BACK_F_USE_TEMPORARIES (0x00000800U) -#define LDAP_BACK_F_ISOPEN (0x00000800U) +#define LDAP_BACK_F_ISOPEN (0x00001000U) #define LDAP_BACK_F_CANCEL_ABANDON (0x00000000U) -#define LDAP_BACK_F_CANCEL_IGNORE (0x00001000U) -#define LDAP_BACK_F_CANCEL_EXOP (0x00002000U) -#define LDAP_BACK_F_CANCEL_EXOP_DISCOVER (0x00004000U) +#define LDAP_BACK_F_CANCEL_IGNORE (0x00002000U) +#define LDAP_BACK_F_CANCEL_EXOP (0x00004000U) +#define LDAP_BACK_F_CANCEL_EXOP_DISCOVER (0x00008000U) #define LDAP_BACK_F_CANCEL_MASK (LDAP_BACK_F_CANCEL_IGNORE|LDAP_BACK_F_CANCEL_EXOP) #define LDAP_BACK_F_CANCEL_MASK2 (LDAP_BACK_F_CANCEL_MASK|LDAP_BACK_F_CANCEL_EXOP_DISCOVER) 
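Review bot: LDAP_BACK_F_TLS_LDAPS is defined here, folded into LDAP_BACK_F_TLS_MASK and made selectable as the `ldaps` verb in back-ldap/config.c, but no hunk in this commit tests the bit, so as far as the diff shows `tls ldaps` is parsed and unparsed without changing what ldap_back_start_tls does with li_flags. If the consumer lives outside the diff, a comment on the define should name it; otherwise mark it `/* LDAP_BACK_F_TLS_LDAPS: selected by "tls ldaps"; not yet honoured by ldap_back_start_tls */` so the gap stays visible. Every flag after it is also renumbered; the new values are copied into lc->lc_flags in bind.c, which is fine for in-memory state, but if any of them is logged or compared against stored data elsewhere that code now disagrees with these defines.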
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 89724c4e23..26bdcb67f6 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -127,7 +127,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok, struct berval *binddn, struct berval *bindcred ); static int -ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, +ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ); static int
@@ -610,7 +610,7 @@ retry:; #endif /* HAVE_TLS */ static int -ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) +ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok ) { ldapinfo_t *li = (ldapinfo_t *)op->o_bd->be_private; int version;
@@ -618,10 +618,9 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac #ifdef HAVE_TLS int is_tls = op->o_conn->c_is_tls; time_t lc_time = (time_t)(-1); + slap_bindconf *sb; #endif /* HAVE_TLS */ - assert( lcp != NULL ); - ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); rs->sr_err = ldap_initialize( &ld, li->li_uri ); ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
@@ -661,6 +660,19 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac } #ifdef HAVE_TLS + if ( LDAP_BACK_CONN_ISPRIV( lc )) + sb = &li->li_acl; + else if ( LDAP_BACK_CONN_ISIDASSERT( lc )) + sb = &li->li_idassert.si_bc; + else + sb = &li->li_tls; + + if ( sb->sb_tls_do_init ) { + bindconf_tls_set( sb, ld ); + } else if ( sb->sb_tls_ctx ) { + ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx ); + } + ldap_pvt_thread_mutex_lock( &li->li_uri_mutex ); rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls, li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
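Review bot: In the @@ -661 hunk the results of `bindconf_tls_set( sb, ld )` and `ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx )` are discarded, so if the per-backend TLS context cannot be applied (unreadable CA file, context creation failure) ldap_back_start_tls still runs on the next lines and the session is negotiated with whatever the library falls back to rather than the administrator's verification settings; that is a silent downgrade of the configured trust policy, and it should instead fail the connection through the existing error_return path (its body is outside the hunk, so confirm it unbinds ld), assuming bindconf_tls_set reports failure with a non-zero return like the ldap_set_option calls it wraps. The code also relies on bindconf_tls_set storing the context in sb_tls_ctx and clearing sb_tls_do_init, otherwise every new connection rebuilds a context; if that is the contract, say so with `/* bindconf_tls_set() builds sb_tls_ctx once; later connections reuse it via LDAP_OPT_X_TLS_CTX */`. The @@ -618 hunk drops `assert( lcp != NULL )` without a replacement; `assert( lc != NULL );` keeps the same guard, since LDAP_BACK_CONN_ISPRIV( lc ) dereferences it a few lines later. ldap_back_prepare_conn continues outside these hunks.
```c
	if ( sb->sb_tls_do_init ) {
		/* build the context from the tls_* keys parsed into sb */
		if ( bindconf_tls_set( sb, ld ) != 0 ) {
			rs->sr_err = LDAP_OTHER;
			goto error_return;
		}
	} else if ( sb->sb_tls_ctx ) {
		if ( ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx ) != LDAP_OPT_SUCCESS ) {
			rs->sr_err = LDAP_OTHER;
			goto error_return;
		}
	}
	/* … unchanged: ldap_back_start_tls call under li_uri_mutex … */
```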
@@ -675,21 +687,17 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac } #endif /* HAVE_TLS */ - if ( *lcp == NULL ) { - *lcp = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); - (*lcp)->lc_flags = li->li_flags; - } - (*lcp)->lc_ld = ld; - (*lcp)->lc_refcnt = 1; - (*lcp)->lc_binding = 1; + lc->lc_ld = ld; + lc->lc_refcnt = 1; + lc->lc_binding = 1; #ifdef HAVE_TLS if ( is_tls ) { - LDAP_BACK_CONN_ISTLS_SET( *lcp ); + LDAP_BACK_CONN_ISTLS_SET( lc ); } else { - LDAP_BACK_CONN_ISTLS_CLEAR( *lcp ); + LDAP_BACK_CONN_ISTLS_CLEAR( lc ); } if ( lc_time != (time_t)(-1) ) { - (*lcp)->lc_time = lc_time; + lc->lc_time = lc_time; } #endif /* HAVE_TLS */
@@ -706,7 +714,7 @@ error_return:; } else { if ( li->li_conn_ttl > 0 ) { - (*lcp)->lc_create_time = op->o_time; + lc->lc_create_time = op->o_time; } }
@@ -892,7 +900,11 @@ retry_lock: /* Looks like we didn't get a bind. Open a new session... */ if ( lc == NULL ) { - if ( ldap_back_prepare_conn( &lc, op, rs, sendok ) != LDAP_SUCCESS ) { + lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); + lc->lc_flags = li->li_flags; + lc->lc_lcflags = lc_curr.lc_lcflags; + if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) { + ch_free( lc ); return NULL; }
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index a67464fbc3..41ec3b6940 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -83,7 +83,7 @@ static ConfigTable ldapcfg[] = { "SYNTAX OMsDirectoryString " "SINGLE-VALUE )", NULL, NULL }, - { "tls", "what", 2, 2, 0, + { "tls", "what", 2, 0, 0, ARG_MAGIC|LDAP_BACK_CFG_TLS, ldap_back_cf_gen, "( OLcfgDbAt:3.1 " "NAME 'olcDbStartTLS' "
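Review bot: Moving the allocation of lc into the caller in the @@ -892 hunk leaves ldap_back_prepare_conn with an undocumented precondition: the @@ -661 hunk consults LDAP_BACK_CONN_ISPRIV( lc ) and LDAP_BACK_CONN_ISIDASSERT( lc ) before the function sets any field itself, so the struct must already carry lc_flags and lc_lcflags (presumably what those macros read), which is exactly what the three new lines before the call provide. A comment on the function, e.g. `/* lc: caller-allocated and zeroed, lc_flags/lc_lcflags already set; on failure the caller owns and frees it */`, pins that contract for any other caller that has to be converted to the new signature. On the failure branch `ch_free( lc )` releases the struct, but lc->lc_ld is only assigned on the success path of prepare_conn, so whether the handle from ldap_initialize is unbound before error_return returns cannot be seen from these hunks; confirm it, otherwise each failed TLS setup leaks an LDAP handle. The enclosing function (the retry_lock: label) starts before the hunk.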
@@ -352,6 +352,7 @@ static slap_verbmasks tls_mode[] = { { BER_BVC( "try-propagate" ), LDAP_BACK_F_PROPAGATE_TLS }, { BER_BVC( "start" ), LDAP_BACK_F_TLS_USE_MASK }, { BER_BVC( "try-start" ), LDAP_BACK_F_USE_TLS }, + { BER_BVC( "ldaps" ), LDAP_BACK_F_TLS_LDAPS }, { BER_BVC( "none" ), LDAP_BACK_F_NONE }, { BER_BVNULL, 0 } };
@@ -712,6 +713,7 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si ) return 1; } } + bindconf_tls_defaults( &si->si_bc ); return 0; }
@@ -776,10 +778,23 @@ ldap_back_cf_gen( ConfigArgs *c ) } break; - case LDAP_BACK_CFG_TLS: + case LDAP_BACK_CFG_TLS: { + struct berval bc = BER_BVNULL, bv2; enum_to_verb( tls_mode, ( li->li_flags & LDAP_BACK_F_TLS_MASK ), &bv ); assert( !BER_BVISNULL( &bv ) ); - value_add_one( &c->rvalue_vals, &bv ); + bindconf_tls_unparse( &li->li_tls, &bc ); + + if ( !BER_BVISEMPTY( &bc )) { + bv2.bv_len = bv.bv_len + bc.bv_len + 1; + bv2.bv_val = ch_malloc(bv2.bv_len + 1 ); + strcpy( bv2.bv_val, bv.bv_val ); + bv2.bv_val[bv.bv_len] = ' '; + strcpy( bv2.bv_val+bv.bv_len+1, bc.bv_val ); + ber_bvarray_add( &c->rvalue_vals, &bv2 ); + } else { + value_add_one( &c->rvalue_vals, &bv ); + } + } break; case LDAP_BACK_CFG_ACL_AUTHCDN:
@@ -1379,6 +1394,13 @@ done_url:; } li->li_flags &= ~LDAP_BACK_F_TLS_MASK; li->li_flags |= tls_mode[i].mask; + if ( c->argc > 2 ) { + for ( i=0; iargc; i++ ) { + if ( bindconf_tls_parse( c->argv[i], &li->li_tls )) + return 1; + } + bindconf_tls_defaults( &li->li_tls ); + } break; case LDAP_BACK_CFG_ACL_AUTHCDN:
@@ -1437,6 +1459,7 @@ done_url:; return 1; } } + bindconf_tls_defaults( &li->li_acl ); break; case LDAP_BACK_CFG_IDASSERT_MODE:
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index f4fb95618c..165077d7d0 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
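Review bot: In the LDAP_BACK_CFG_TLS unparse branch of the @@ -776 hunk, `bc` is filled by bindconf_tls_unparse and its bytes are copied into the freshly allocated bv2, but bc.bv_val is never released afterwards; if bindconf_tls_unparse hands back heap memory (the BER_BVISEMPTY test suggests it allocates on demand), every read of olcDbStartTLS leaks it, so add `ch_free( bc.bv_val );` right after the second strcpy. The two strcpy calls plus the hand-placed separator are also easier to audit as one bounded write that shares the length computation: `bv2.bv_val = ch_malloc( bv2.bv_len + 1 ); snprintf( bv2.bv_val, bv2.bv_len + 1, "%s %s", bv.bv_val, bc.bv_val );`. ber_bvarray_add takes ownership of bv2 without copying, which is why bv2 must stay heap-allocated; a one-line comment saying so would stop a later reader from "fixing" it with a stack buffer.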
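Review bot: The new loop in the LDAP_BACK_CFG_TLS parse case (@@ -1379 hunk) starts at `i=0`, so it hands argv[0] (the `tls` directive name) and argv[1] (the mode verb that `tls_mode[i].mask` has just consumed) to bindconf_tls_parse; unless that parser silently ignores words that are not a tls key, the first `tls start tls_cacert=...` line is rejected with `return 1`, and the loop should begin at the first extra word: `for ( i=2; i<c->argc; i++ ) {`. On this page the bound reads `iargc`, apparently `i<c->argc` eaten by markup, so check the committed text as well. `i` is also reused from the verb lookup above, which is harmless only because the mask is applied before the loop clobbers it; a separate index would make that obvious. The @@ -712 and @@ -1437 hunks apply bindconf_tls_defaults unconditionally to si_bc and li_acl, whereas here it runs only when argc > 2; if that asymmetry is intended, a short comment on this branch saying that a bare `tls <mode>` leaves li_tls untouched would document it.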
@@ -1275,14 +1275,31 @@ slap_tls_get_config( LDAP *ld, int opt, char **val ) } int -bindconf_parse( const char *word, slap_bindconf *bc ) +bindconf_tls_parse( const char *word, slap_bindconf *bc ) { #ifdef HAVE_TLS - /* Detect TLS config changes explicitly */ if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) { bc->sb_tls_do_init = 1; return 0; } +#endif + return -1; +} + +int +bindconf_tls_unparse( slap_bindconf *bc, struct berval *bv ) +{ + return slap_cf_aux_table_unparse( bc, bv, aux_TLS ); +} + +int +bindconf_parse( const char *word, slap_bindconf *bc ) +{ +#ifdef HAVE_TLS + /* Detect TLS config changes explicitly */ + if ( bindconf_tls_parse( word, bc ) == 0 ) { + return 0; + } #endif return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" ); }
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index ea4cab8dfb..1017c8cf46 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -635,6 +635,10 @@ LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp, LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P(( LDAP *ld, int opt, char **val )); LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc )); +LDAP_SLAPD_F (int) bindconf_tls_parse LDAP_P(( + const char *word, slap_bindconf *bc )); +LDAP_SLAPD_F (int) bindconf_tls_unparse LDAP_P(( + slap_bindconf *bc, struct berval *bv )); LDAP_SLAPD_F (int) bindconf_parse LDAP_P(( const char *word, slap_bindconf *bc )); LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
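Review bot: bindconf_tls_unparse references aux_TLS unconditionally, while the sibling bindconf_tls_parse only touches aux_TLS under `#ifdef HAVE_TLS`; if the table is declared inside the same guard (which the parse side suggests, though its declaration is outside the hunk), a build without TLS fails to compile at this line, so the unparse body should carry the same guard and return -1 with bv left untouched, which keeps back-ldap's BER_BVISEMPTY check on a BER_BVNULL-initialised result working. The `#ifdef HAVE_TLS` retained around the bindconf_tls_parse call in bindconf_parse is now redundant, since that function already returns -1 in a non-TLS build; dropping it leaves one guard fewer to keep in sync. A one-line comment on bindconf_tls_parse, `/* 0: word was a tls_* key and sb_tls_do_init is now set; -1: not a TLS key */`, would make explicit the contract the new callers in back-ldap rely on.
```c
int
bindconf_tls_unparse( slap_bindconf *bc, struct berval *bv )
{
#ifdef HAVE_TLS
	return slap_cf_aux_table_unparse( bc, bv, aux_TLS );
#else
	/* no TLS key table in this build; bv is left as the caller set it */
	return -1;
#endif
}
```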