Commit f883a575 authored by Howard Chu's avatar Howard Chu
Browse files

ITS#8427 don't set tls_ctx if TLS wasn't requested

Also, set any remaining TLS options that weren't carried along
in the TLS ctx.
parent d5ed7c50
Pipeline #803 passed with stage
in 31 minutes and 46 seconds
......@@ -1939,76 +1939,99 @@ static struct {
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
{
int i, rc, res = 0;
int i, rc, newctx = 0, res = 0;
char *ptr = (char *)bc, **word;
bc->sb_tls_do_init = 0;
for (i=0; bindtlsopts[i].opt; i++) {
word = (char **)(ptr + bindtlsopts[i].offset);
if ( *word ) {
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
if ( bc->sb_tls_do_init ) {
for (i=0; bindtlsopts[i].opt; i++) {
word = (char **)(ptr + bindtlsopts[i].offset);
if ( *word ) {
rc = ldap_set_option( ld, bindtlsopts[i].opt, *word );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set %s to %s\n",
bindtlsopts[i].key, *word );
res = -1;
} else
newctx = 1;
}
}
if ( bc->sb_tls_reqcert ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
bc->sb_tls_reqcert );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set %s to %s\n",
bindtlsopts[i].key, *word );
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
bc->sb_tls_reqcert );
res = -1;
} else {
newctx = 1;
/* retrieve the parsed setting for later use */
ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
}
}
}
if ( bc->sb_tls_reqcert ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_CERT,
bc->sb_tls_reqcert );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
bc->sb_tls_reqcert );
res = -1;
}
}
if ( bc->sb_tls_reqsan ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
bc->sb_tls_reqsan );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_reqsan to %s\n",
bc->sb_tls_reqsan );
res = -1;
if ( bc->sb_tls_reqsan ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
bc->sb_tls_reqsan );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_reqsan to %s\n",
bc->sb_tls_reqsan );
res = -1;
} else {
newctx = 1;
/* retrieve the parsed setting for later use */
ldap_get_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
}
}
}
if ( bc->sb_tls_protocol_min ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
bc->sb_tls_protocol_min );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
bc->sb_tls_protocol_min );
res = -1;
if ( bc->sb_tls_protocol_min ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
bc->sb_tls_protocol_min );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
bc->sb_tls_protocol_min );
res = -1;
} else
newctx = 1;
}
}
#ifdef HAVE_OPENSSL
if ( bc->sb_tls_crlcheck ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
bc->sb_tls_crlcheck );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
bc->sb_tls_crlcheck );
res = -1;
if ( bc->sb_tls_crlcheck ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_CRLCHECK,
bc->sb_tls_crlcheck );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
bc->sb_tls_crlcheck );
res = -1;
} else
newctx = 1;
}
}
#endif
if ( bc->sb_tls_ctx ) {
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
if ( rc )
res = rc;
} else {
if ( !res )
bc->sb_tls_do_init = 0;
}
if ( newctx ) {
int opt = 0;
if ( bc->sb_tls_ctx ) {
ldap_pvt_tls_ctx_free( bc->sb_tls_ctx );
bc->sb_tls_ctx = NULL;
}
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
if ( rc )
res = rc;
else
ldap_get_option( ld, LDAP_OPT_X_TLS_CTX, &bc->sb_tls_ctx );
} else if ( bc->sb_tls_ctx ) {
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
if ( rc == LDAP_SUCCESS ) {
/* these options aren't actually inside the ctx, so have to be set again */
ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &bc->sb_tls_int_reqcert );
ldap_set_option( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, &bc->sb_tls_int_reqsan );
} else
res = rc;
}
return res;
......
......@@ -1658,6 +1658,8 @@ typedef struct slap_bindconf {
#ifdef HAVE_OPENSSL
char *sb_tls_crlcheck;
#endif
int sb_tls_int_reqcert;
int sb_tls_int_reqsan;
int sb_tls_do_init;
#endif
} slap_bindconf;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment