ITS#8427 don't set tls_ctx if TLS wasn't requested

Also, set any remaining TLS options that weren't carried along in the TLS ctx.
2024-12-21 03:10:25 +08:00 · 2020-08-28 18:43:54 +01:00 · 2020-08-28 18:43:54 +01:00 · f883a57593
commit f883a57593
parent d5ed7c5027
2 changed files with 79 additions and 54 deletions
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -1939,76 +1939,99 @@ static struct {

 int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 {
-	int i, rc, res = 0;
+	int i, rc, newctx = 0, res = 0;
 	char *ptr = (char *)bc, **word;

-	bc->sb_tls_do_init = 0;
-
-	for (i=0; bindtlsopts[i].opt; i++) {
-		word = (char **)(ptr + bindtlsopts[i].offset);
-		if ( *word ) {
-			rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
-			if ( rc ) {
-				Debug( LDAP_DEBUG_ANY,
-					"bindconf_tls_set: failed to set %s to %s\n",
-						bindtlsopts[i].key, *word );
-				res = -1;
+	if ( bc->sb_tls_do_init ) {
+		for (i=0; bindtlsopts[i].opt; i++) {
+			word = (char **)(ptr + bindtlsopts[i].offset);
+			if ( *word ) {
+				rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
+				if ( rc ) {
+					Debug( LDAP_DEBUG_ANY,
+						"bindconf_tls_set: failed to set %s to %s\n",
+							bindtlsopts[i].key, *word );
+					res = -1;
+				} else
+					newctx = 1;
 			}
 		}
-	}
-	if ( bc->sb_tls_reqcert ) {
-		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
-			bc->sb_tls_reqcert );
-		if ( rc ) {
-			Debug( LDAP_DEBUG_ANY,
-				"bindconf_tls_set: failed to set tls_reqcert to %s\n",
-					bc->sb_tls_reqcert );
-			res = -1;
+		if ( bc->sb_tls_reqcert ) {
+			rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
+				bc->sb_tls_reqcert );
+			if ( rc ) {
+				Debug( LDAP_DEBUG_ANY,
+					"bindconf_tls_set: failed to set tls_reqcert to %s\n",
+						bc->sb_tls_reqcert );
+				res = -1;
+			} else {
+				newctx = 1;
+				/* retrieve the parsed setting for later use */
+				ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
+			}
 		}
-	}
-	if ( bc->sb_tls_reqsan ) {
-		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
-			bc->sb_tls_reqsan );
-		if ( rc ) {
-			Debug( LDAP_DEBUG_ANY,
-				"bindconf_tls_set: failed to set tls_reqsan to %s\n",
-					bc->sb_tls_reqsan );
-			res = -1;
+		if ( bc->sb_tls_reqsan ) {
+			rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
+				bc->sb_tls_reqsan );
+			if ( rc ) {
+				Debug( LDAP_DEBUG_ANY,
+					"bindconf_tls_set: failed to set tls_reqsan to %s\n",
+						bc->sb_tls_reqsan );
+				res = -1;
+			} else {
+				newctx = 1;
+				/* retrieve the parsed setting for later use */
+				ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
+			}
 		}
-	}
-	if ( bc->sb_tls_protocol_min ) {
-		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
-			bc->sb_tls_protocol_min );
-		if ( rc ) {
-			Debug( LDAP_DEBUG_ANY,
-				"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
-					bc->sb_tls_protocol_min );
-			res = -1;
+		if ( bc->sb_tls_protocol_min ) {
+			rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
+				bc->sb_tls_protocol_min );
+			if ( rc ) {
+				Debug( LDAP_DEBUG_ANY,
+					"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
+						bc->sb_tls_protocol_min );
+				res = -1;
+			} else
+				newctx = 1;
 		}
-	}
 #ifdef HAVE_OPENSSL
-	if ( bc->sb_tls_crlcheck ) {
-		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
-			bc->sb_tls_crlcheck );
-		if ( rc ) {
-			Debug( LDAP_DEBUG_ANY,
-				"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
-					bc->sb_tls_crlcheck );
-			res = -1;
+		if ( bc->sb_tls_crlcheck ) {
+			rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
+				bc->sb_tls_crlcheck );
+			if ( rc ) {
+				Debug( LDAP_DEBUG_ANY,
+					"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
+						bc->sb_tls_crlcheck );
+				res = -1;
+			} else
+				newctx = 1;
 		}
-	}
 #endif
-	if ( bc->sb_tls_ctx ) {
-		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
-		if ( rc )
-			res = rc;
-	} else {
+		if ( !res )
+			bc->sb_tls_do_init = 0;
+	}
+
+	if ( newctx ) {
 		int opt = 0;
+
+		if ( bc->sb_tls_ctx ) {
+			ldap_pvt_tls_ctx_free( bc->sb_tls_ctx );
+			bc->sb_tls_ctx = NULL;
+		}
 		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
 		if ( rc )
 			res = rc;
 		else
 			ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
+	} else if ( bc->sb_tls_ctx ) {
+		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
+		if ( rc == LDAP_SUCCESS ) {
+			/* these options aren't actually inside the ctx, so have to be set again */
+			ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
+			ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
+		} else
+			res = rc;
 	}
 	
 	return res;
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -1658,6 +1658,8 @@ typedef struct slap_bindconf {
 #ifdef HAVE_OPENSSL
 	char *sb_tls_crlcheck;
 #endif
+	int sb_tls_int_reqcert;
+	int sb_tls_int_reqsan;
 	int sb_tls_do_init;
 #endif
 } slap_bindconf;