From: Howard Chu <hyc@openldap.org>
Date: Mon, 8 Jan 2007 23:36:24 +0000 (+0000)
Subject: Add TLS context configuration
X-Git-Tag: OPENLDAP_REL_ENG_2_4_4ALPHA~8^2~237
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=a6a8fb514b85c59b75028e3839cb06a2468c5901;p=openldap

Add TLS context configuration
---

diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index 263ca069d9..ab673b0041 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -247,6 +247,9 @@ typedef struct ldapinfo_t {
 	LDAP_URLLIST_PROC	*li_urllist_f;
 	void			*li_urllist_p;
 
+	/* we only care about the TLS options here */
+	slap_bindconf		li_tls;
+
 	slap_bindconf		li_acl;
 #define	li_acl_authcID		li_acl.sb_authcId
 #define	li_acl_authcDN		li_acl.sb_binddn
@@ -276,27 +279,29 @@ typedef struct ldapinfo_t {
 #define LDAP_BACK_F_USE_TLS		(0x00000002U)
 #define LDAP_BACK_F_PROPAGATE_TLS	(0x00000004U)
 #define LDAP_BACK_F_TLS_CRITICAL	(0x00000008U)
+#define LDAP_BACK_F_TLS_LDAPS	(0x00000010U)
+
 #define LDAP_BACK_F_TLS_USE_MASK	(LDAP_BACK_F_USE_TLS|LDAP_BACK_F_TLS_CRITICAL)
 #define LDAP_BACK_F_TLS_PROPAGATE_MASK	(LDAP_BACK_F_PROPAGATE_TLS|LDAP_BACK_F_TLS_CRITICAL)
-#define LDAP_BACK_F_TLS_MASK		(LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK)
-#define LDAP_BACK_F_CHASE_REFERRALS	(0x00000010U)
-#define LDAP_BACK_F_PROXY_WHOAMI	(0x00000020U)
+#define LDAP_BACK_F_TLS_MASK		(LDAP_BACK_F_TLS_USE_MASK|LDAP_BACK_F_TLS_PROPAGATE_MASK|LDAP_BACK_F_TLS_LDAPS)
+#define LDAP_BACK_F_CHASE_REFERRALS	(0x00000020U)
+#define LDAP_BACK_F_PROXY_WHOAMI	(0x00000040U)
 
-#define	LDAP_BACK_F_T_F			(0x00000040U)
-#define	LDAP_BACK_F_T_F_DISCOVER	(0x00000080U)
+#define	LDAP_BACK_F_T_F			(0x00000080U)
+#define	LDAP_BACK_F_T_F_DISCOVER	(0x00000100U)
 #define	LDAP_BACK_F_T_F_MASK		(LDAP_BACK_F_T_F)
 #define	LDAP_BACK_F_T_F_MASK2		(LDAP_BACK_F_T_F_MASK|LDAP_BACK_F_T_F_DISCOVER)
 
-#define LDAP_BACK_F_MONITOR		(0x00000100U)
-#define	LDAP_BACK_F_SINGLECONN		(0x00000200U)
-#define LDAP_BACK_F_USE_TEMPORARIES	(0x00000400U)
+#define LDAP_BACK_F_MONITOR		(0x00000200U)
+#define	LDAP_BACK_F_SINGLECONN		(0x00000400U)
+#define LDAP_BACK_F_USE_TEMPORARIES	(0x00000800U)
 
-#define	LDAP_BACK_F_ISOPEN		(0x00000800U)
+#define	LDAP_BACK_F_ISOPEN		(0x00001000U)
 
 #define	LDAP_BACK_F_CANCEL_ABANDON	(0x00000000U)
-#define	LDAP_BACK_F_CANCEL_IGNORE	(0x00001000U)
-#define	LDAP_BACK_F_CANCEL_EXOP		(0x00002000U)
-#define	LDAP_BACK_F_CANCEL_EXOP_DISCOVER	(0x00004000U)
+#define	LDAP_BACK_F_CANCEL_IGNORE	(0x00002000U)
+#define	LDAP_BACK_F_CANCEL_EXOP		(0x00004000U)
+#define	LDAP_BACK_F_CANCEL_EXOP_DISCOVER	(0x00008000U)
 #define	LDAP_BACK_F_CANCEL_MASK		(LDAP_BACK_F_CANCEL_IGNORE|LDAP_BACK_F_CANCEL_EXOP)
 #define	LDAP_BACK_F_CANCEL_MASK2	(LDAP_BACK_F_CANCEL_MASK|LDAP_BACK_F_CANCEL_EXOP_DISCOVER)
 
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 89724c4e23..26bdcb67f6 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -127,7 +127,7 @@ ldap_back_proxy_authz_bind( ldapconn_t *lc, Operation *op, SlapReply *rs,
 	ldap_back_send_t sendok, struct berval *binddn, struct berval *bindcred );
 
 static int
-ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs,
+ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs,
 	ldap_back_send_t sendok );
 
 static int
@@ -610,7 +610,7 @@ retry:;
 #endif /* HAVE_TLS */
 
 static int
-ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
+ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 {
 	ldapinfo_t	*li = (ldapinfo_t *)op->o_bd->be_private;
 	int		version;
@@ -618,10 +618,9 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
 #ifdef HAVE_TLS
 	int		is_tls = op->o_conn->c_is_tls;
 	time_t		lc_time = (time_t)(-1);
+	slap_bindconf *sb;
 #endif /* HAVE_TLS */
 
-	assert( lcp != NULL );
-
 	ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
 	rs->sr_err = ldap_initialize( &ld, li->li_uri );
 	ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
@@ -661,6 +660,19 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
 	}
 
 #ifdef HAVE_TLS
+	if ( LDAP_BACK_CONN_ISPRIV( lc ))
+		sb = &li->li_acl;
+	else if ( LDAP_BACK_CONN_ISIDASSERT( lc ))
+		sb = &li->li_idassert.si_bc;
+	else
+		sb = &li->li_tls;
+
+	if ( sb->sb_tls_do_init ) {
+		bindconf_tls_set( sb, ld );
+	} else if ( sb->sb_tls_ctx ) {
+		ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+	}
+
 	ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
 	rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
 			li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
@@ -675,21 +687,17 @@ ldap_back_prepare_conn( ldapconn_t **lcp, Operation *op, SlapReply *rs, ldap_bac
 	}
 #endif /* HAVE_TLS */
 
-	if ( *lcp == NULL ) {
-		*lcp = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) );
-		(*lcp)->lc_flags = li->li_flags;
-	}
-	(*lcp)->lc_ld = ld;
-	(*lcp)->lc_refcnt = 1;
-	(*lcp)->lc_binding = 1;
+	lc->lc_ld = ld;
+	lc->lc_refcnt = 1;
+	lc->lc_binding = 1;
 #ifdef HAVE_TLS
 	if ( is_tls ) {
-		LDAP_BACK_CONN_ISTLS_SET( *lcp );
+		LDAP_BACK_CONN_ISTLS_SET( lc );
 	} else {
-		LDAP_BACK_CONN_ISTLS_CLEAR( *lcp );
+		LDAP_BACK_CONN_ISTLS_CLEAR( lc );
 	}
 	if ( lc_time != (time_t)(-1) ) {
-		(*lcp)->lc_time = lc_time;
+		lc->lc_time = lc_time;
 	}
 #endif /* HAVE_TLS */
 
@@ -706,7 +714,7 @@ error_return:;
 
 	} else {
 		if ( li->li_conn_ttl > 0 ) {
-			(*lcp)->lc_create_time = op->o_time;
+			lc->lc_create_time = op->o_time;
 		}
 	}
 
@@ -892,7 +900,11 @@ retry_lock:
 
 	/* Looks like we didn't get a bind. Open a new session... */
 	if ( lc == NULL ) {
-		if ( ldap_back_prepare_conn( &lc, op, rs, sendok ) != LDAP_SUCCESS ) {
+		lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) );
+		lc->lc_flags = li->li_flags;
+		lc->lc_lcflags = lc_curr.lc_lcflags;
+		if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) {
+			ch_free( lc );
 			return NULL;
 		}
 
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index a67464fbc3..41ec3b6940 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -83,7 +83,7 @@ static ConfigTable ldapcfg[] = {
 			"SYNTAX OMsDirectoryString "
 			"SINGLE-VALUE )",
 		NULL, NULL },
-	{ "tls", "what", 2, 2, 0,
+	{ "tls", "what", 2, 0, 0,
 		ARG_MAGIC|LDAP_BACK_CFG_TLS,
 		ldap_back_cf_gen, "( OLcfgDbAt:3.1 "
 			"NAME 'olcDbStartTLS' "
@@ -352,6 +352,7 @@ static slap_verbmasks tls_mode[] = {
 	{ BER_BVC( "try-propagate" ),	LDAP_BACK_F_PROPAGATE_TLS },
 	{ BER_BVC( "start" ),		LDAP_BACK_F_TLS_USE_MASK },
 	{ BER_BVC( "try-start" ),	LDAP_BACK_F_USE_TLS },
+	{ BER_BVC( "ldaps" ),		LDAP_BACK_F_TLS_LDAPS },
 	{ BER_BVC( "none" ),		LDAP_BACK_F_NONE },
 	{ BER_BVNULL,			0 }
 };
@@ -712,6 +713,7 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 			return 1;
 		}
 	}
+	bindconf_tls_defaults( &si->si_bc );
 
 	return 0;
 }
@@ -776,10 +778,23 @@ ldap_back_cf_gen( ConfigArgs *c )
 			}
 			break;
 
-		case LDAP_BACK_CFG_TLS:
+		case LDAP_BACK_CFG_TLS: {
+			struct berval bc = BER_BVNULL, bv2;
 			enum_to_verb( tls_mode, ( li->li_flags & LDAP_BACK_F_TLS_MASK ), &bv );
 			assert( !BER_BVISNULL( &bv ) );
-			value_add_one( &c->rvalue_vals, &bv );
+			bindconf_tls_unparse( &li->li_tls, &bc );
+
+			if ( !BER_BVISEMPTY( &bc )) {
+				bv2.bv_len = bv.bv_len + bc.bv_len + 1;
+				bv2.bv_val = ch_malloc(bv2.bv_len + 1 );
+				strcpy( bv2.bv_val, bv.bv_val );
+				bv2.bv_val[bv.bv_len] = ' ';
+				strcpy( bv2.bv_val+bv.bv_len+1, bc.bv_val );
+				ber_bvarray_add( &c->rvalue_vals, &bv2 );
+			} else {
+				value_add_one( &c->rvalue_vals, &bv );
+			}
+			}
 			break;
 
 		case LDAP_BACK_CFG_ACL_AUTHCDN:
@@ -1379,6 +1394,13 @@ done_url:;
 		}
 		li->li_flags &= ~LDAP_BACK_F_TLS_MASK;
 		li->li_flags |= tls_mode[i].mask;
+		if ( c->argc > 2 ) {
+			for ( i=0; i<c->argc; i++ ) {
+				if ( bindconf_tls_parse( c->argv[i], &li->li_tls ))
+					return 1;
+			}
+			bindconf_tls_defaults( &li->li_tls );
+		}
 		break;
 
 	case LDAP_BACK_CFG_ACL_AUTHCDN:
@@ -1437,6 +1459,7 @@ done_url:;
 				return 1;
 			}
 		}
+		bindconf_tls_defaults( &li->li_acl );
 		break;
 
 	case LDAP_BACK_CFG_IDASSERT_MODE:
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index f4fb95618c..165077d7d0 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1275,14 +1275,31 @@ slap_tls_get_config( LDAP *ld, int opt, char **val )
 }
 
 int
-bindconf_parse( const char *word, slap_bindconf *bc )
+bindconf_tls_parse( const char *word, slap_bindconf *bc )
 {
 #ifdef HAVE_TLS
-	/* Detect TLS config changes explicitly */
 	if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) {
 		bc->sb_tls_do_init = 1;
 		return 0;
 	}
+#endif
+	return -1;
+}
+
+int
+bindconf_tls_unparse( slap_bindconf *bc, struct berval *bv )
+{
+	return slap_cf_aux_table_unparse( bc, bv, aux_TLS );
+}
+
+int
+bindconf_parse( const char *word, slap_bindconf *bc )
+{
+#ifdef HAVE_TLS
+	/* Detect TLS config changes explicitly */
+	if ( bindconf_tls_parse( word, bc ) == 0 ) {
+		return 0;
+	}
 #endif
 	return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" );
 }
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index ea4cab8dfb..1017c8cf46 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -635,6 +635,10 @@ LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp,
 LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P((
 	LDAP *ld, int opt, char **val ));
 LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc ));
+LDAP_SLAPD_F (int) bindconf_tls_parse LDAP_P((
+	const char *word,  slap_bindconf *bc ));
+LDAP_SLAPD_F (int) bindconf_tls_unparse LDAP_P((
+	slap_bindconf *bc, struct berval *bv ));
 LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
 	const char *word,  slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((