Skip to content
Snippets Groups Projects
Commit c6d0edc3 authored by Howard Chu's avatar Howard Chu
Browse files

Use TLS context stuff in syncrepl

parent 571ac24b
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
servers/slapd/config.c
+ 74
0
View file @ c6d0edc3
...@@ -45,6 +45,10 @@ ...@@ -45,6 +45,10 @@
#include "lutil.h" #include "lutil.h"
#include "config.h" #include "config.h"
#ifdef HAVE_TLS
#include <openssl/ssl.h>
#endif
#define ARGS_STEP 512 #define ARGS_STEP 512
/* /*
...@@ -1255,6 +1259,10 @@ void bindconf_free( slap_bindconf *bc ) { ...@@ -1255,6 +1259,10 @@ void bindconf_free( slap_bindconf *bc ) {
BER_BVZERO( &bc->sb_authzId ); BER_BVZERO( &bc->sb_authzId );
} }
#ifdef HAVE_TLS #ifdef HAVE_TLS
if ( bc->sb_tls_ctx ) {
SSL_CTX_free( bc->sb_tls_ctx );
bc->sb_tls_ctx = NULL;
}
if ( bc->sb_tls_cert ) { if ( bc->sb_tls_cert ) {
ch_free( bc->sb_tls_cert ); ch_free( bc->sb_tls_cert );
bc->sb_tls_cert = NULL; bc->sb_tls_cert = NULL;
...@@ -1288,6 +1296,72 @@ void bindconf_free( slap_bindconf *bc ) { ...@@ -1288,6 +1296,72 @@ void bindconf_free( slap_bindconf *bc ) {
#endif #endif
} }
static struct {
const char *key;
size_t offset;
int opt;
} bindtlsopts[] = {
{ "tls_cert", offsetof(slap_bindconf, sb_tls_cert), LDAP_OPT_X_TLS_CERTFILE },
{ "tls_key", offsetof(slap_bindconf, sb_tls_key), LDAP_OPT_X_TLS_KEYFILE },
{ "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
{ "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
{ "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
{0, 0}
};
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
{
int i, rc, newctx = 0, res = 0;
char *ptr = (char *)bc, **word;
for (i=0; bindtlsopts[i].opt; i++) {
word = (char **)(ptr + bindtlsopts[i].offset);
if ( *word ) {
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set %s to %s\n",
bindtlsopts[i].key, *word, 0 );
res = -1;
} else
newctx = 1;
}
}
if ( bc->sb_tls_reqcert ) {
rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
bc->sb_tls_reqcert );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
bc->sb_tls_reqcert, 0, 0 );
res = -1;
} else
newctx = 1;
}
#ifdef HAVE_OPENSSL_CRL
if ( bc->sb_tls_crlcheck ) {
rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
bc->sb_tls_crlcheck );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
bc->sb_tls_crlcheck, 0, 0 );
res = -1;
} else
newctx = 1;
}
#endif
if ( newctx ) {
int opt = 0;
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
if ( rc )
res = rc;
else
ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
}
return res;
}
/* -------------------------------------- */ /* -------------------------------------- */
......
servers/slapd/proto-slap.h
+ 2
0
View file @ c6d0edc3
...@@ -606,6 +606,8 @@ LDAP_SLAPD_F (int) bindconf_parse LDAP_P(( ...@@ -606,6 +606,8 @@ LDAP_SLAPD_F (int) bindconf_parse LDAP_P((
const char *word, slap_bindconf *bc )); const char *word, slap_bindconf *bc ));
LDAP_SLAPD_F (int) bindconf_unparse LDAP_P(( LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
slap_bindconf *bc, struct berval *bv )); slap_bindconf *bc, struct berval *bv ));
LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
slap_bindconf *bc, LDAP *ld ));
LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc )); LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be, LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
const char *fname, int lineno, int argc, char **argv )); const char *fname, int lineno, int argc, char **argv ));
......
servers/slapd/slap.h
+ 1
0
View file @ c6d0edc3
...@@ -1521,6 +1521,7 @@ typedef struct slap_bindconf { ...@@ -1521,6 +1521,7 @@ typedef struct slap_bindconf {
struct berval sb_authcId; struct berval sb_authcId;
struct berval sb_authzId; struct berval sb_authzId;
#ifdef HAVE_TLS #ifdef HAVE_TLS
void *sb_tls_ctx;
char *sb_tls_cert; char *sb_tls_cert;
char *sb_tls_key; char *sb_tls_key;
char *sb_tls_cacert; char *sb_tls_cacert;
......
servers/slapd/syncrepl.c
+ 22
0
View file @ c6d0edc3
...@@ -83,6 +83,9 @@ typedef struct syncinfo_s { ...@@ -83,6 +83,9 @@ typedef struct syncinfo_s {
int si_syncdata; int si_syncdata;
int si_logstate; int si_logstate;
int si_conn_setup; int si_conn_setup;
#ifdef HAVE_TLS
int si_check_tls;
#endif
Avlnode *si_presentlist; Avlnode *si_presentlist;
LDAP *si_ld; LDAP *si_ld;
LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist; LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
...@@ -435,6 +438,21 @@ do_syncrep1( ...@@ -435,6 +438,21 @@ do_syncrep1(
op->o_protocol = LDAP_VERSION3; op->o_protocol = LDAP_VERSION3;
ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, &op->o_protocol ); ldap_set_option( si->si_ld, LDAP_OPT_PROTOCOL_VERSION, &op->o_protocol );
#ifdef HAVE_TLS
if ( si->si_check_tls ) {
si->si_check_tls = 0;
rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
} else if ( si->si_bindconf.sb_tls_ctx ) {
rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
si->si_bindconf.sb_tls_ctx );
}
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"do_syncrep1: TLS context initialization failed\n", 0, 0, 0 );
return rc;
}
#endif
/* Bind to master */ /* Bind to master */
if ( si->si_bindconf.sb_tls ) { if ( si->si_bindconf.sb_tls ) {
...@@ -3202,6 +3220,10 @@ add_syncrepl( ...@@ -3202,6 +3220,10 @@ add_syncrepl(
si->si_slimit = 0; si->si_slimit = 0;
si->si_conn_setup = 0; si->si_conn_setup = 0;
#ifdef HAVE_TLS
si->si_check_tls = 1;
#endif
si->si_presentlist = NULL; si->si_presentlist = NULL;
LDAP_LIST_INIT( &si->si_nonpresentlist ); LDAP_LIST_INIT( &si->si_nonpresentlist );
ldap_pvt_thread_mutex_init( &si->si_mutex ); ldap_pvt_thread_mutex_init( &si->si_mutex );
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment