Commit c6d0edc3 authored by Howard Chu's avatar Howard Chu
Browse files

Use TLS context stuff in syncrepl

parent 571ac24b
......@@ -45,6 +45,10 @@
#include "lutil.h"
#include "config.h"
#ifdef HAVE_TLS
#include <openssl/ssl.h>
#endif
#define ARGS_STEP 512
/*
......@@ -1255,6 +1259,10 @@ void bindconf_free( slap_bindconf *bc ) {
BER_BVZERO( &bc->sb_authzId );
}
#ifdef HAVE_TLS
if ( bc->sb_tls_ctx ) {
SSL_CTX_free( bc->sb_tls_ctx );
bc->sb_tls_ctx = NULL;
}
if ( bc->sb_tls_cert ) {
ch_free( bc->sb_tls_cert );
bc->sb_tls_cert = NULL;
......@@ -1288,6 +1296,72 @@ void bindconf_free( slap_bindconf *bc ) {
#endif
}
static struct {
const char *key;
size_t offset;
int opt;
} bindtlsopts[] = {
{ "tls_cert", offsetof(slap_bindconf, sb_tls_cert), LDAP_OPT_X_TLS_CERTFILE },
{ "tls_key", offsetof(slap_bindconf, sb_tls_key), LDAP_OPT_X_TLS_KEYFILE },
{ "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
{ "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
{ "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
{0, 0}
};
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
{
int i, rc, newctx = 0, res = 0;
char *ptr = (char *)bc, **word;
for (i=0; bindtlsopts[i].opt; i++) {
word = (char **)(ptr + bindtlsopts[i].offset);
if ( *word ) {
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set %s to %s\n",
bindtlsopts[i].key, *word, 0 );
res = -1;
} else
newctx = 1;
}
}
if ( bc->sb_tls_reqcert ) {
rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
bc->sb_tls_reqcert );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
bc->sb_tls_reqcert, 0, 0 );
res = -1;
} else
newctx = 1;
}
#ifdef HAVE_OPENSSL_CRL
if ( bc->sb_tls_crlcheck ) {
rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
bc->sb_tls_crlcheck );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
bc->sb_tls_crlcheck, 0, 0 );
res = -1;
} else
newctx = 1;
}
#endif
if ( newctx ) {
int opt = 0;
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
if ( rc )
res = rc;
else
ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
}
return res;
}
/* -------------------------------------- */
......
......@@ -606,6 +606,8 @@ LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
const char *word, slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
slap_bindconf *bc, struct berval *bv ));
LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
slap_bindconf *bc, LDAP *ld ));
LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
const char *fname, int lineno, int argc, char **argv ));
......
......@@ -1521,6 +1521,7 @@ typedef struct slap_bindconf {
struct berval sb_authcId;
struct berval sb_authzId;
#ifdef HAVE_TLS
void *sb_tls_ctx;
char *sb_tls_cert;
char *sb_tls_key;
char *sb_tls_cacert;
......
......@@ -83,6 +83,9 @@ typedef struct syncinfo_s {
int si_syncdata;
int si_logstate;
int si_conn_setup;
#ifdef HAVE_TLS
int si_check_tls;
#endif
Avlnode *si_presentlist;
LDAP *si_ld;
LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
......@@ -435,6 +438,21 @@ do_syncrep1(
op->o_protocol = LDAP_VERSION3;
ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, &op->o_protocol );
#ifdef HAVE_TLS
if ( si->si_check_tls ) {
si->si_check_tls = 0;
rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
} else if ( si->si_bindconf.sb_tls_ctx ) {
rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
si->si_bindconf.sb_tls_ctx );
}
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"do_syncrep1: TLS context initialization failed\n", 0, 0, 0 );
return rc;
}
#endif
/* Bind to master */
if ( si->si_bindconf.sb_tls ) {
......@@ -3202,6 +3220,10 @@ add_syncrepl(
si->si_slimit = 0;
si->si_conn_setup = 0;
#ifdef HAVE_TLS
si->si_check_tls = 1;
#endif
si->si_presentlist = NULL;
LDAP_LIST_INIT( &si->si_nonpresentlist );
ldap_pvt_thread_mutex_init( &si->si_mutex );
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment