ITS#8427 don't set tls_ctx if TLS wasn't requested
Also, set any remaining TLS options that weren't carried along in the TLS ctx.
This commit is contained in:
parent
d5ed7c5027
commit
f883a57593
@ -1939,76 +1939,99 @@ static struct {
|
|||||||
|
|
||||||
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
|
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
|
||||||
{
|
{
|
||||||
int i, rc, res = 0;
|
int i, rc, newctx = 0, res = 0;
|
||||||
char *ptr = (char *)bc, **word;
|
char *ptr = (char *)bc, **word;
|
||||||
|
|
||||||
bc->sb_tls_do_init = 0;
|
if ( bc->sb_tls_do_init ) {
|
||||||
|
for (i=0; bindtlsopts[i].opt; i++) {
|
||||||
for (i=0; bindtlsopts[i].opt; i++) {
|
word = (char **)(ptr + bindtlsopts[i].offset);
|
||||||
word = (char **)(ptr + bindtlsopts[i].offset);
|
if ( *word ) {
|
||||||
if ( *word ) {
|
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
|
||||||
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
|
if ( rc ) {
|
||||||
if ( rc ) {
|
Debug( LDAP_DEBUG_ANY,
|
||||||
Debug( LDAP_DEBUG_ANY,
|
"bindconf_tls_set: failed to set %s to %s\n",
|
||||||
"bindconf_tls_set: failed to set %s to %s\n",
|
bindtlsopts[i].key, *word );
|
||||||
bindtlsopts[i].key, *word );
|
res = -1;
|
||||||
res = -1;
|
} else
|
||||||
|
newctx = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
if ( bc->sb_tls_reqcert ) {
|
||||||
if ( bc->sb_tls_reqcert ) {
|
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
|
||||||
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
|
bc->sb_tls_reqcert );
|
||||||
bc->sb_tls_reqcert );
|
if ( rc ) {
|
||||||
if ( rc ) {
|
Debug( LDAP_DEBUG_ANY,
|
||||||
Debug( LDAP_DEBUG_ANY,
|
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
|
||||||
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
|
bc->sb_tls_reqcert );
|
||||||
bc->sb_tls_reqcert );
|
res = -1;
|
||||||
res = -1;
|
} else {
|
||||||
|
newctx = 1;
|
||||||
|
/* retrieve the parsed setting for later use */
|
||||||
|
ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
if ( bc->sb_tls_reqsan ) {
|
||||||
if ( bc->sb_tls_reqsan ) {
|
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
|
||||||
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
|
bc->sb_tls_reqsan );
|
||||||
bc->sb_tls_reqsan );
|
if ( rc ) {
|
||||||
if ( rc ) {
|
Debug( LDAP_DEBUG_ANY,
|
||||||
Debug( LDAP_DEBUG_ANY,
|
"bindconf_tls_set: failed to set tls_reqsan to %s\n",
|
||||||
"bindconf_tls_set: failed to set tls_reqsan to %s\n",
|
bc->sb_tls_reqsan );
|
||||||
bc->sb_tls_reqsan );
|
res = -1;
|
||||||
res = -1;
|
} else {
|
||||||
|
newctx = 1;
|
||||||
|
/* retrieve the parsed setting for later use */
|
||||||
|
ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
if ( bc->sb_tls_protocol_min ) {
|
||||||
if ( bc->sb_tls_protocol_min ) {
|
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
|
||||||
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
|
bc->sb_tls_protocol_min );
|
||||||
bc->sb_tls_protocol_min );
|
if ( rc ) {
|
||||||
if ( rc ) {
|
Debug( LDAP_DEBUG_ANY,
|
||||||
Debug( LDAP_DEBUG_ANY,
|
"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
|
||||||
"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
|
bc->sb_tls_protocol_min );
|
||||||
bc->sb_tls_protocol_min );
|
res = -1;
|
||||||
res = -1;
|
} else
|
||||||
|
newctx = 1;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
if ( bc->sb_tls_crlcheck ) {
|
if ( bc->sb_tls_crlcheck ) {
|
||||||
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
|
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
|
||||||
bc->sb_tls_crlcheck );
|
bc->sb_tls_crlcheck );
|
||||||
if ( rc ) {
|
if ( rc ) {
|
||||||
Debug( LDAP_DEBUG_ANY,
|
Debug( LDAP_DEBUG_ANY,
|
||||||
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
|
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
|
||||||
bc->sb_tls_crlcheck );
|
bc->sb_tls_crlcheck );
|
||||||
res = -1;
|
res = -1;
|
||||||
|
} else
|
||||||
|
newctx = 1;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
if ( bc->sb_tls_ctx ) {
|
if ( !res )
|
||||||
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
|
bc->sb_tls_do_init = 0;
|
||||||
if ( rc )
|
}
|
||||||
res = rc;
|
|
||||||
} else {
|
if ( newctx ) {
|
||||||
int opt = 0;
|
int opt = 0;
|
||||||
|
|
||||||
|
if ( bc->sb_tls_ctx ) {
|
||||||
|
ldap_pvt_tls_ctx_free( bc->sb_tls_ctx );
|
||||||
|
bc->sb_tls_ctx = NULL;
|
||||||
|
}
|
||||||
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
|
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
|
||||||
if ( rc )
|
if ( rc )
|
||||||
res = rc;
|
res = rc;
|
||||||
else
|
else
|
||||||
ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
|
ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
|
||||||
|
} else if ( bc->sb_tls_ctx ) {
|
||||||
|
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
|
||||||
|
if ( rc == LDAP_SUCCESS ) {
|
||||||
|
/* these options aren't actually inside the ctx, so have to be set again */
|
||||||
|
ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
|
||||||
|
ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
|
||||||
|
} else
|
||||||
|
res = rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
return res;
|
return res;
|
||||||
|
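Review bot: In the new `else if ( bc->sb_tls_ctx )` branch the two `ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert )` / `LDAP_OPT_X_TLS_REQUIRE_SAN` calls run unconditionally, yet `sb_tls_int_reqcert` and `sb_tls_int_reqsan` are only filled in by `ldap_get_option` inside the `if ( bc->sb_tls_reqcert )` / `if ( bc->sb_tls_reqsan )` blocks of the init path; for a bindconf that never configured tls_reqcert or tls_reqsan, the ctx-reuse path pushes whatever initial value those int fields hold into the handle instead of leaving the library default in place, which for the require-cert setting decides whether the peer certificate is verified at all. I would mirror the init path's guards: `if ( bc->sb_tls_reqcert ) ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );` and the same for `sb_tls_reqsan`. Those two calls also discard their return value while every other option set in this function is checked and folded into `res`. Separately, the `if ( newctx )` block still creates and caches a fresh ctx in `bc->sb_tls_ctx` when an earlier option already failed (`res == -1`), so a partially configured context is stored; `if ( newctx && !res )` would avoid that, though the old code had the same behaviour. The function's closing brace lies outside the hunk.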
@ -1658,6 +1658,8 @@ typedef struct slap_bindconf {
|
|||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
char *sb_tls_crlcheck;
|
char *sb_tls_crlcheck;
|
||||||
#endif
|
#endif
|
||||||
|
int sb_tls_int_reqcert;
|
||||||
|
int sb_tls_int_reqsan;
|
||||||
int sb_tls_do_init;
|
int sb_tls_do_init;
|
||||||
#endif
|
#endif
|
||||||
} slap_bindconf;
|
} slap_bindconf;
|
||||||
|
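Review bot: The new fields `sb_tls_int_reqcert` and `sb_tls_int_reqsan` carry no comment, so a reader of the header cannot tell that they are the integer form of `sb_tls_reqcert` / `sb_tls_reqsan` as parsed by libldap (filled via `ldap_get_option` in bindconf_tls_set) and that they are meaningful only while the corresponding string field is non-NULL. I would add above the pair: `/* parsed form of sb_tls_reqcert / sb_tls_reqsan, filled by bindconf_tls_set; only valid when the string is set */`.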