ITS#8427 don't set tls_ctx if TLS wasn't requested

Also, set any remaining TLS options that weren't carried along
in the TLS ctx.
This commit is contained in:
Howard Chu 2020-08-28 18:43:54 +01:00
parent d5ed7c5027
commit f883a57593
2 changed files with 79 additions and 54 deletions


@ -1939,76 +1939,99 @@ static struct {
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld ) int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
{ {
int i, rc, res = 0; int i, rc, newctx = 0, res = 0;
char *ptr = (char *)bc, **word; char *ptr = (char *)bc, **word;
bc->sb_tls_do_init = 0; if ( bc->sb_tls_do_init ) {
for (i=0; bindtlsopts[i].opt; i++) {
for (i=0; bindtlsopts[i].opt; i++) { word = (char **)(ptr + bindtlsopts[i].offset);
word = (char **)(ptr + bindtlsopts[i].offset); if ( *word ) {
if ( *word ) { rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word ); if ( rc ) {
if ( rc ) { Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ANY, "bindconf_tls_set: failed to set %s to %s\n",
"bindconf_tls_set: failed to set %s to %s\n", bindtlsopts[i].key, *word );
bindtlsopts[i].key, *word ); res = -1;
res = -1; } else
newctx = 1;
} }
} }
} if ( bc->sb_tls_reqcert ) {
if ( bc->sb_tls_reqcert ) { rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, bc->sb_tls_reqcert );
bc->sb_tls_reqcert ); if ( rc ) {
if ( rc ) { Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ANY, "bindconf_tls_set: failed to set tls_reqcert to %s\n",
"bindconf_tls_set: failed to set tls_reqcert to %s\n", bc->sb_tls_reqcert );
bc->sb_tls_reqcert ); res = -1;
res = -1; } else {
newctx = 1;
/* retrieve the parsed setting for later use */
ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
}
} }
} if ( bc->sb_tls_reqsan ) {
if ( bc->sb_tls_reqsan ) { rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, bc->sb_tls_reqsan );
bc->sb_tls_reqsan ); if ( rc ) {
if ( rc ) { Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ANY, "bindconf_tls_set: failed to set tls_reqsan to %s\n",
"bindconf_tls_set: failed to set tls_reqsan to %s\n", bc->sb_tls_reqsan );
bc->sb_tls_reqsan ); res = -1;
res = -1; } else {
newctx = 1;
/* retrieve the parsed setting for later use */
ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
}
} }
} if ( bc->sb_tls_protocol_min ) {
if ( bc->sb_tls_protocol_min ) { rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, bc->sb_tls_protocol_min );
bc->sb_tls_protocol_min ); if ( rc ) {
if ( rc ) { Debug( LDAP_DEBUG_ANY,
Debug( LDAP_DEBUG_ANY, "bindconf_tls_set: failed to set tls_protocol_min to %s\n",
"bindconf_tls_set: failed to set tls_protocol_min to %s\n", bc->sb_tls_protocol_min );
bc->sb_tls_protocol_min ); res = -1;
res = -1; } else
newctx = 1;
} }
}
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) { if ( bc->sb_tls_crlcheck ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK, rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
bc->sb_tls_crlcheck ); bc->sb_tls_crlcheck );
if ( rc ) { if ( rc ) {
Debug( LDAP_DEBUG_ANY, Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_crlcheck to %s\n", "bindconf_tls_set: failed to set tls_crlcheck to %s\n",
bc->sb_tls_crlcheck ); bc->sb_tls_crlcheck );
res = -1; res = -1;
} else
newctx = 1;
} }
}
#endif #endif
if ( bc->sb_tls_ctx ) { if ( !res )
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx ); bc->sb_tls_do_init = 0;
if ( rc ) }
res = rc;
} else { if ( newctx ) {
int opt = 0; int opt = 0;
if ( bc->sb_tls_ctx ) {
ldap_pvt_tls_ctx_free( bc->sb_tls_ctx );
bc->sb_tls_ctx = NULL;
}
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt ); rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
if ( rc ) if ( rc )
res = rc; res = rc;
else else
ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx ); ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
} else if ( bc->sb_tls_ctx ) {
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
if ( rc == LDAP_SUCCESS ) {
/* these options aren't actually inside the ctx, so have to be set again */
ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
} else
res = rc;
} }
return res; return res;
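Review bot: In the new `else if ( bc->sb_tls_ctx )` branch the two replayed options are set unconditionally and their return values are dropped, so on context reuse `sb_tls_int_reqcert`/`sb_tls_int_reqsan` are pushed into the handle even when `tls_reqcert`/`tls_reqsan` were never configured and the ints were never filled by the `ldap_get_option` calls earlier in the hunk. If the zero value of that int is `LDAP_OPT_X_TLS_NEVER` (as ldap.h defines it — worth confirming), a bindconf that only sets e.g. `tls_cacert` would have peer verification switched off on every reused context, which is a downgrade rather than a no-op. I would replay each value only when its string form was configured, and propagate a failure into `res` like every other setter in this function does. A smaller related point: when one setter fails (`res = -1`) but another succeeded (`newctx = 1`), a context built from the partial configuration is still created and cached in `bc->sb_tls_ctx`; gating the `newctx` block on `!res` would avoid handing that out. The closing brace of `bindconf_tls_set` lies outside the hunk.
```c
	} else if ( bc->sb_tls_ctx ) {
		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
		if ( rc == LDAP_SUCCESS ) {
			/* these options aren't actually inside the ctx, so have to be set again;
			 * only replay the ones that were configured so an unset value does not
			 * overwrite the handle's default verification level */
			if ( bc->sb_tls_reqcert )
				rc = ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
			if ( rc == LDAP_SUCCESS && bc->sb_tls_reqsan )
				rc = ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
		}
		if ( rc != LDAP_SUCCESS )
			res = rc;
	}
	return res;
```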


@ -1658,6 +1658,8 @@ typedef struct slap_bindconf {
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
char *sb_tls_crlcheck; char *sb_tls_crlcheck;
#endif #endif
int sb_tls_int_reqcert;
int sb_tls_int_reqsan;
int sb_tls_do_init; int sb_tls_do_init;
#endif #endif
} slap_bindconf; } slap_bindconf;
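Review bot: The two new members `sb_tls_int_reqcert` and `sb_tls_int_reqsan` carry no comment, and nothing in the struct says they are the parsed integer forms of the `sb_tls_reqcert`/`sb_tls_reqsan` strings that are only filled in when those strings are configured. A one-line comment on each would stop a later reader from treating them as independently valid settings: `int sb_tls_int_reqcert; /* parsed form of sb_tls_reqcert; only valid when that is set */` and `int sb_tls_int_reqsan; /* parsed form of sb_tls_reqsan; only valid when that is set */`.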