From 7b41feed83b572567ed0f51b6f122207998267ec Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Sun, 9 Apr 2017 14:51:25 +0100 Subject: [PATCH] Support setting cacert/cert/key directly in cn=config entry --- servers/slapd/bconfig.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index d9229864c1..ea22c41391 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -200,6 +200,9 @@ enum { CFG_DISABLED, CFG_THREADQS, CFG_TLS_ECNAME, + CFG_TLS_CACERT, + CFG_TLS_CERT, + CFG_TLS_KEY, CFG_LAST }; @@ -696,6 +699,15 @@ static ConfigTable config_back_cf_table[] = { { "timelimit", "limit", 2, 0, 0, ARG_MAY_DB|ARG_MAGIC, &config_timelimit, "( OLcfgGlAt:67 NAME 'olcTimeLimit' " "SYNTAX OMsDirectoryString )", NULL, NULL }, + { "TLSCACertificate", NULL, 2, 2, 0, +#ifdef HAVE_TLS + CFG_TLS_CACERT|ARG_BINARY|ARG_MAGIC, &config_tls_option, +#else + ARG_IGNORED, NULL, +#endif + "( OLcfgGlAt:97 NAME 'olcTLSCACertificate' " + "DESC 'X.509 certificate, must use ;binary' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 SINGLE-VALUE )", NULL, NULL }, { "TLSCACertificateFile", NULL, 2, 2, 0, #ifdef HAVE_TLS CFG_TLS_CA_FILE|ARG_STRING|ARG_MAGIC, &config_tls_option, @@ -712,6 +724,15 @@ static ConfigTable config_back_cf_table[] = { #endif "( OLcfgGlAt:69 NAME 'olcTLSCACertificatePath' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "TLSCertificate", NULL, 2, 2, 0, +#ifdef HAVE_TLS + CFG_TLS_CERT|ARG_BINARY|ARG_MAGIC, &config_tls_option, +#else + ARG_IGNORED, NULL, +#endif + "( OLcfgGlAt:98 NAME 'olcTLSCertificate' " + "DESC 'X.509 certificate, must use ;binary' " + "SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 SINGLE-VALUE )", NULL, NULL }, { "TLSCertificateFile", NULL, 2, 2, 0, #ifdef HAVE_TLS CFG_TLS_CERT_FILE|ARG_STRING|ARG_MAGIC, &config_tls_option, @@ -720,6 +741,15 @@ static ConfigTable config_back_cf_table[] = { #endif "( OLcfgGlAt:70 NAME 'olcTLSCertificateFile' " "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "TLSCertificateKey", NULL, 2, 2, 0, +#ifdef HAVE_TLS + CFG_TLS_KEY|ARG_BINARY|ARG_MAGIC, &config_tls_option, +#else + ARG_IGNORED, NULL, +#endif + "( OLcfgGlAt:99 NAME 'olcTLSCertificateKey' " + "DESC 'X.509 privateKey, must use ;binary' " + "SYNTAX 1.3.6.1.4.1.4203.666.2.13 SINGLE-VALUE )", NULL, NULL }, { "TLSCertificateKeyFile", NULL, 2, 2, 0, #ifdef HAVE_TLS CFG_TLS_CERT_KEY|ARG_STRING|ARG_MAGIC, &config_tls_option, @@ -868,6 +898,7 @@ static ConfigOCs cf_ocs[] = { "olcTimeLimit $ olcTLSCACertificateFile $ " "olcTLSCACertificatePath $ olcTLSCertificateFile $ " "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ " + "olcTLSCACertificate $ olcTLSCertificate $ olcTLSCertificateKey $ " "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ " "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ " "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ " @@ -4061,6 +4092,7 @@ config_tls_cleanup(ConfigArgs *c) { static int config_tls_option(ConfigArgs *c) { int flag; + int berval = 0; LDAP *ld = slap_tls_ld; switch(c->type) { case CFG_TLS_RAND: flag = LDAP_OPT_X_TLS_RANDOM_FILE; ld = NULL; break; @@ -4074,20 +4106,23 @@ config_tls_option(ConfigArgs *c) { #ifdef HAVE_GNUTLS case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break; #endif + case CFG_TLS_CACERT: flag = LDAP_OPT_X_TLS_CACERT; berval = 1; break; + case CFG_TLS_CERT: flag = LDAP_OPT_X_TLS_CERT; berval = 1; break; + case CFG_TLS_KEY: flag = LDAP_OPT_X_TLS_KEY; berval = 1; break; default: Debug(LDAP_DEBUG_ANY, "%s: " "unknown tls_option <0x%x>\n", c->log, c->type, 0); return 1; } if (c->op == SLAP_CONFIG_EMIT) { - return ldap_pvt_tls_get_option( ld, flag, &c->value_string ); + return ldap_pvt_tls_get_option( ld, flag, berval ? &c->value_bv : &c->value_string ); } else if ( c->op == LDAP_MOD_DELETE ) { c->cleanup = config_tls_cleanup; return ldap_pvt_tls_set_option( ld, flag, NULL ); } ch_free(c->value_string); c->cleanup = config_tls_cleanup; - return(ldap_pvt_tls_set_option(ld, flag, c->argv[1])); + return(ldap_pvt_tls_set_option(ld, flag, berval ? &c->value_bv : c->argv[1])); } /* FIXME: this ought to be provided by libldap */ -- 2.39.5