From c6d0edc3b71064a074fc84fe942bed5b1dbbc2ea Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Fri, 7 Apr 2006 02:57:39 +0000 Subject: [PATCH] Use TLS context stuff in syncrepl --- servers/slapd/config.c | 74 ++++++++++++++++++++++++++++++++++++++ servers/slapd/proto-slap.h | 2 ++ servers/slapd/slap.h | 1 + servers/slapd/syncrepl.c | 22 ++++++++++++ 4 files changed, 99 insertions(+) diff --git a/servers/slapd/config.c b/servers/slapd/config.c index de523df142..f12fd95cca 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -45,6 +45,10 @@ #include "lutil.h" #include "config.h" +#ifdef HAVE_TLS +#include +#endif + #define ARGS_STEP 512 /* @@ -1255,6 +1259,10 @@ void bindconf_free( slap_bindconf *bc ) { BER_BVZERO( &bc->sb_authzId ); } #ifdef HAVE_TLS + if ( bc->sb_tls_ctx ) { + SSL_CTX_free( bc->sb_tls_ctx ); + bc->sb_tls_ctx = NULL; + } if ( bc->sb_tls_cert ) { ch_free( bc->sb_tls_cert ); bc->sb_tls_cert = NULL; @@ -1288,6 +1296,72 @@ void bindconf_free( slap_bindconf *bc ) { #endif } +static struct { + const char *key; + size_t offset; + int opt; +} bindtlsopts[] = { + { "tls_cert", offsetof(slap_bindconf, sb_tls_cert), LDAP_OPT_X_TLS_CERTFILE }, + { "tls_key", offsetof(slap_bindconf, sb_tls_key), LDAP_OPT_X_TLS_KEYFILE }, + { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE }, + { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR }, + { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE }, + {0, 0} +}; + +int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) +{ + int i, rc, newctx = 0, res = 0; + char *ptr = (char *)bc, **word; + + for (i=0; bindtlsopts[i].opt; i++) { + word = (char **)(ptr + bindtlsopts[i].offset); + if ( *word ) { + rc = ldap_set_option( ld, bindtlsopts[i].opt, *word ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "bindconf_tls_set: failed to set %s to %s\n", + bindtlsopts[i].key, *word, 0 ); + res = -1; + } else + newctx = 1; + } + } + if ( bc->sb_tls_reqcert ) { + rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, + bc->sb_tls_reqcert ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "bindconf_tls_set: failed to set tls_reqcert to %s\n", + bc->sb_tls_reqcert, 0, 0 ); + res = -1; + } else + newctx = 1; + } +#ifdef HAVE_OPENSSL_CRL + if ( bc->sb_tls_crlcheck ) { + rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, + bc->sb_tls_crlcheck ); + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "bindconf_tls_set: failed to set tls_crlcheck to %s\n", + bc->sb_tls_crlcheck, 0, 0 ); + res = -1; + } else + newctx = 1; + } +#endif + if ( newctx ) { + int opt = 0; + rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt ); + if ( rc ) + res = rc; + else + ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx ); + } + + return res; +} /* -------------------------------------- */ diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 47969a1d44..2ce5974c9a 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -606,6 +606,8 @@ LDAP_SLAPD_F (int) bindconf_parse LDAP_P(( const char *word, slap_bindconf *bc )); LDAP_SLAPD_F (int) bindconf_unparse LDAP_P(( slap_bindconf *bc, struct berval *bv )); +LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P(( + slap_bindconf *bc, LDAP *ld )); LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc )); LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be, const char *fname, int lineno, int argc, char **argv )); diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h index cff8f0bfb4..fa76a6a304 100644 --- a/servers/slapd/slap.h +++ b/servers/slapd/slap.h @@ -1521,6 +1521,7 @@ typedef struct slap_bindconf { struct berval sb_authcId; struct berval sb_authzId; #ifdef HAVE_TLS + void *sb_tls_ctx; char *sb_tls_cert; char *sb_tls_key; char *sb_tls_cacert; diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c index 3cac0d0a96..b166e014ac 100644 --- a/servers/slapd/syncrepl.c +++ b/servers/slapd/syncrepl.c @@ -83,6 +83,9 @@ typedef struct syncinfo_s { int si_syncdata; int si_logstate; int si_conn_setup; +#ifdef HAVE_TLS + int si_check_tls; +#endif Avlnode *si_presentlist; LDAP *si_ld; LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist; @@ -435,6 +438,21 @@ do_syncrep1( op->o_protocol = LDAP_VERSION3; ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, &op->o_protocol ); +#ifdef HAVE_TLS + if ( si->si_check_tls ) { + si->si_check_tls = 0; + rc = bindconf_tls_set( &si->si_bindconf, si->si_ld ); + } else if ( si->si_bindconf.sb_tls_ctx ) { + rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX, + si->si_bindconf.sb_tls_ctx ); + } + if ( rc ) { + Debug( LDAP_DEBUG_ANY, + "do_syncrep1: TLS context initialization failed\n", 0, 0, 0 ); + return rc; + } +#endif + /* Bind to master */ if ( si->si_bindconf.sb_tls ) { @@ -3202,6 +3220,10 @@ add_syncrepl( si->si_slimit = 0; si->si_conn_setup = 0; +#ifdef HAVE_TLS + si->si_check_tls = 1; +#endif + si->si_presentlist = NULL; LDAP_LIST_INIT( &si->si_nonpresentlist ); ldap_pvt_thread_mutex_init( &si->si_mutex );