From c6d0edc3b71064a074fc84fe942bed5b1dbbc2ea Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 7 Apr 2006 02:57:39 +0000
Subject: [PATCH] Use TLS context stuff in syncrepl

---
 servers/slapd/config.c     | 74 ++++++++++++++++++++++++++++++++++++++
 servers/slapd/proto-slap.h |  2 ++
 servers/slapd/slap.h       |  1 +
 servers/slapd/syncrepl.c   | 22 ++++++++++++
 4 files changed, 99 insertions(+)

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index de523df142..f12fd95cca 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -45,6 +45,10 @@
 #include "lutil.h"
 #include "config.h"
 
+#ifdef HAVE_TLS
+#include <openssl/ssl.h>
+#endif
+
 #define ARGS_STEP	512
 
 /*
@@ -1255,6 +1259,10 @@ void bindconf_free( slap_bindconf *bc ) {
 		BER_BVZERO( &bc->sb_authzId );
 	}
 #ifdef HAVE_TLS
+	if ( bc->sb_tls_ctx ) {
+		SSL_CTX_free( bc->sb_tls_ctx );
+		bc->sb_tls_ctx = NULL;
+	}
 	if ( bc->sb_tls_cert ) {
 		ch_free( bc->sb_tls_cert );
 		bc->sb_tls_cert = NULL;
@@ -1288,6 +1296,72 @@ void bindconf_free( slap_bindconf *bc ) {
 #endif
 }
 
+static struct {
+	const char *key;
+	size_t offset;
+	int opt;
+} bindtlsopts[] = {
+	{ "tls_cert", offsetof(slap_bindconf, sb_tls_cert), LDAP_OPT_X_TLS_CERTFILE },
+	{ "tls_key", offsetof(slap_bindconf, sb_tls_key), LDAP_OPT_X_TLS_KEYFILE },
+	{ "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
+	{ "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
+	{ "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
+	{0, 0}
+};
+
+int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
+{
+	int i, rc, newctx = 0, res = 0;
+	char *ptr = (char *)bc, **word;
+
+	for (i=0; bindtlsopts[i].opt; i++) {
+		word = (char **)(ptr + bindtlsopts[i].offset);
+		if ( *word ) {
+			rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
+			if ( rc ) {
+				Debug( LDAP_DEBUG_ANY,
+					"bindconf_tls_set: failed to set %s to %s\n",
+						bindtlsopts[i].key, *word, 0 );
+				res = -1;
+			} else
+				newctx = 1;
+		}
+	}
+	if ( bc->sb_tls_reqcert ) {
+		rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
+			bc->sb_tls_reqcert );
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				"bindconf_tls_set: failed to set tls_reqcert to %s\n",
+					bc->sb_tls_reqcert, 0, 0 );
+			res = -1;
+		} else
+			newctx = 1;
+	}
+#ifdef HAVE_OPENSSL_CRL
+	if ( bc->sb_tls_crlcheck ) {
+		rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
+			bc->sb_tls_crlcheck );
+		if ( rc ) {
+			Debug( LDAP_DEBUG_ANY,
+				"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
+					bc->sb_tls_crlcheck, 0, 0 );
+			res = -1;
+		} else
+			newctx = 1;
+	}
+#endif
+	if ( newctx ) {
+		int opt = 0;
+		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
+		if ( rc )
+			res = rc;
+		else
+			ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
+	}
+	
+	return res;
+}
 
 /* -------------------------------------- */
 
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 47969a1d44..2ce5974c9a 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -606,6 +606,8 @@ LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
 	const char *word,  slap_bindconf *bc ));
 LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
 	slap_bindconf *bc, struct berval *bv ));
+LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
+	slap_bindconf *bc, LDAP *ld ));
 LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
 LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
 	const char *fname, int lineno, int argc, char **argv ));
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index cff8f0bfb4..fa76a6a304 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1521,6 +1521,7 @@ typedef struct slap_bindconf {
 	struct berval sb_authcId;
 	struct berval sb_authzId;
 #ifdef HAVE_TLS
+	void *sb_tls_ctx;
 	char *sb_tls_cert;
 	char *sb_tls_key;
 	char *sb_tls_cacert;
diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index 3cac0d0a96..b166e014ac 100644
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@@ -83,6 +83,9 @@ typedef struct syncinfo_s {
 	int					si_syncdata;
 	int					si_logstate;
 	int					si_conn_setup;
+#ifdef HAVE_TLS
+	int					si_check_tls;
+#endif
 	Avlnode				*si_presentlist;
 	LDAP				*si_ld;
 	LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
@@ -435,6 +438,21 @@ do_syncrep1(
 	op->o_protocol = LDAP_VERSION3;
 	ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, &op->o_protocol );
 
+#ifdef HAVE_TLS
+	if ( si->si_check_tls ) {
+		si->si_check_tls = 0;
+		rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
+	} else if ( si->si_bindconf.sb_tls_ctx ) {
+		rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
+			si->si_bindconf.sb_tls_ctx );
+	}
+	if ( rc ) {
+		Debug( LDAP_DEBUG_ANY,
+			"do_syncrep1: TLS context initialization failed\n", 0, 0, 0 );
+		return rc;
+	}
+#endif
+
 	/* Bind to master */
 
 	if ( si->si_bindconf.sb_tls ) {
@@ -3202,6 +3220,10 @@ add_syncrepl(
 	si->si_slimit = 0;
 	si->si_conn_setup = 0;
 
+#ifdef HAVE_TLS
+	si->si_check_tls = 1;
+#endif
+
 	si->si_presentlist = NULL;
 	LDAP_LIST_INIT( &si->si_nonpresentlist );
 	ldap_pvt_thread_mutex_init( &si->si_mutex );
-- 
2.39.5