From 1cc1f9b18a04dbd2a5860d350ea1083a7628f526 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Mon, 8 Jan 2007 20:16:45 +0000 Subject: [PATCH] Make syncrepl inherit default TLS settings from main slapd config (except for reqcert, default demand) --- servers/slapd/bconfig.c | 26 ++------------ servers/slapd/config.c | 73 ++++++++++++++++++++++++++++++++++++++ servers/slapd/proto-slap.h | 3 ++ servers/slapd/syncrepl.c | 5 +++ 4 files changed, 84 insertions(+), 23 deletions(-) diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 07e3de2bd4..4899bc3dfe 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -3094,22 +3094,9 @@ config_tls_option(ConfigArgs *c) { static int config_tls_config(ConfigArgs *c) { int i, flag; - slap_verbmasks crlkeys[] = { - { BER_BVC("none"), LDAP_OPT_X_TLS_CRL_NONE }, - { BER_BVC("peer"), LDAP_OPT_X_TLS_CRL_PEER }, - { BER_BVC("all"), LDAP_OPT_X_TLS_CRL_ALL }, - { BER_BVNULL, 0 } - }; - slap_verbmasks vfykeys[] = { - { BER_BVC("never"), LDAP_OPT_X_TLS_NEVER }, - { BER_BVC("demand"), LDAP_OPT_X_TLS_DEMAND }, - { BER_BVC("try"), LDAP_OPT_X_TLS_TRY }, - { BER_BVC("hard"), LDAP_OPT_X_TLS_HARD }, - { BER_BVNULL, 0 } - }, *keys; switch(c->type) { - case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; keys = crlkeys; break; - case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; keys = vfykeys; break; + case CFG_TLS_CRLCHECK: flag = LDAP_OPT_X_TLS_CRLCHECK; break; + case CFG_TLS_VERIFY: flag = LDAP_OPT_X_TLS_REQUIRE_CERT; break; default: Debug(LDAP_DEBUG_ANY, "%s: " "unknown tls_option <0x%x>\n", @@ -3117,14 +3104,7 @@ config_tls_config(ConfigArgs *c) { return 1; } if (c->op == SLAP_CONFIG_EMIT) { - ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int ); - for (i=0; !BER_BVISNULL(&keys[i].word); i++) { - if (keys[i].mask == c->value_int) { - c->value_string = ch_strdup( keys[i].word.bv_val ); - return 0; - } - } - return 1; + return slap_tls_get_config( slap_tls_ld, flag, &c->value_string ); } else if ( c->op == LDAP_MOD_DELETE ) { int i = 0; return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i ); diff --git a/servers/slapd/config.c b/servers/slapd/config.c index ca80cf65e1..f4fb95618c 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -998,6 +998,21 @@ static slap_verbmasks tlskey[] = { { BER_BVC("critical"), SB_TLS_CRITICAL }, { BER_BVNULL, 0 } }; + +static slap_verbmasks crlkeys[] = { + { BER_BVC("none"), LDAP_OPT_X_TLS_CRL_NONE }, + { BER_BVC("peer"), LDAP_OPT_X_TLS_CRL_PEER }, + { BER_BVC("all"), LDAP_OPT_X_TLS_CRL_ALL }, + { BER_BVNULL, 0 } + }; + +static slap_verbmasks vfykeys[] = { + { BER_BVC("never"), LDAP_OPT_X_TLS_NEVER }, + { BER_BVC("demand"), LDAP_OPT_X_TLS_DEMAND }, + { BER_BVC("try"), LDAP_OPT_X_TLS_TRY }, + { BER_BVC("hard"), LDAP_OPT_X_TLS_HARD }, + { BER_BVNULL, 0 } + }; #endif static slap_verbmasks methkey[] = { @@ -1232,6 +1247,33 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0 return 0; } +int +slap_tls_get_config( LDAP *ld, int opt, char **val ) +{ + slap_verbmasks *keys; + int i, ival; + + *val = NULL; + switch( opt ) { + case LDAP_OPT_X_TLS_CRLCHECK: + keys = crlkeys; + break; + case LDAP_OPT_X_TLS_REQUIRE_CERT: + keys = vfykeys; + break; + default: + return -1; + } + ldap_pvt_tls_get_option( ld, opt, &ival ); + for (i=0; !BER_BVISNULL(&keys[i].word); i++) { + if (keys[i].mask == ival) { + *val = ch_strdup( keys[i].word.bv_val ); + return 0; + } + } + return -1; +} + int bindconf_parse( const char *word, slap_bindconf *bc ) { @@ -1324,6 +1366,37 @@ void bindconf_free( slap_bindconf *bc ) { #endif } +void +bindconf_tls_defaults( slap_bindconf *bc ) +{ +#ifdef HAVE_TLS + if ( bc->sb_tls_do_init ) { + if ( !bc->sb_tls_cacert ) + ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTFILE, + &bc->sb_tls_cacert ); + if ( !bc->sb_tls_cacertdir ) + ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CACERTDIR, + &bc->sb_tls_cacertdir ); + if ( !bc->sb_tls_cert ) + ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CERTFILE, + &bc->sb_tls_cert ); + if ( !bc->sb_tls_key ) + ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_KEYFILE, + &bc->sb_tls_key ); + if ( !bc->sb_tls_cipher_suite ) + ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CIPHER_SUITE, + &bc->sb_tls_cipher_suite ); + if ( !bc->sb_tls_reqcert ) + bc->sb_tls_reqcert = ch_strdup("demand"); +#ifdef HAVE_OPENSSL_CRL + if ( !bc->sb_tls_crlcheck ) + slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK, + &bc->sb_tls_crlcheck ); +#endif + } +#endif +} + #ifdef HAVE_TLS static struct { const char *key; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 63a3009cfb..ea4cab8dfb 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -632,6 +632,9 @@ LDAP_SLAPD_F (int) slap_verbmasks_init LDAP_P(( slap_verbmasks **vp, slap_verbma LDAP_SLAPD_F (int) slap_verbmasks_destroy LDAP_P(( slap_verbmasks *v )); LDAP_SLAPD_F (int) slap_verbmasks_append LDAP_P(( slap_verbmasks **vp, slap_mask_t m, struct berval *v, slap_mask_t *ignore )); +LDAP_SLAPD_F (int) slap_tls_get_config LDAP_P(( + LDAP *ld, int opt, char **val )); +LDAP_SLAPD_F (void) bindconf_tls_defaults LDAP_P(( slap_bindconf *bc )); LDAP_SLAPD_F (int) bindconf_parse LDAP_P(( const char *word, slap_bindconf *bc )); LDAP_SLAPD_F (int) bindconf_unparse LDAP_P(( diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c index 5a5bd80cc6..67c0f8cd46 100644 --- a/servers/slapd/syncrepl.c +++ b/servers/slapd/syncrepl.c @@ -3248,6 +3248,11 @@ add_syncrepl( if ( !si->si_re ) rc = -1; } + +#ifdef HAVE_TLS + /* Use main slapd defaults */ + bindconf_tls_defaults( &si->si_bindconf ); +#endif if ( rc < 0 ) { Debug( LDAP_DEBUG_ANY, "failed to add syncinfo\n", 0, 0, 0 ); syncinfo_free( si ); -- 2.39.5