authorArthur de Jong <arthur@arthurdejong.org>2009-05-01 13:03:59 +0000
committerArthur de Jong <arthur@arthurdejong.org>2009-05-01 13:03:59 +0000
commit765f5942a21ae377b054a55d61651b86629c4de8 (patch)
treee6870dc85686b79144313268beed583c6d45133d
parent77c0429d691f1b3477803413210e55940330f9e8 (diff)
set most SSL/TLS related options globally instead of per connection
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-ldapd@853 ef36b2f9-881f-0410-afb5-c4e39611909c
-rw-r--r--nslcd/cfg.c66
-rw-r--r--nslcd/cfg.h14
-rw-r--r--nslcd/myldap.c44
3 files changed, 44 insertions, 80 deletions
diff --git a/nslcd/cfg.c b/nslcd/cfg.c
index 5f0c620..786fbf4 100644
--- a/nslcd/cfg.c
+++ b/nslcd/cfg.c
@@ -60,6 +60,15 @@ struct ldap_config *nslcd_cfg=NULL;
/* the delimiters of tokens */
#define TOKEN_DELIM " \t\n\r"
+/* convenient wrapper macro for ldap_set_option() */
+#define LDAP_SET_OPTION(ld,option,invalue) \
+ rc=ldap_set_option(ld,option,invalue); \
+ if (rc!=LDAP_SUCCESS) \
+ { \
+ log_log(LOG_ERR,"ldap_set_option(" #option ") failed: %s",ldap_err2string(rc)); \
+ exit(EXIT_FAILURE); \
+ }
+
/* set the configuration information to the defaults */
static void cfg_defaults(struct ldap_config *cfg)
{
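Review bot: The new LDAP_SET_OPTION macro expands to two statements that are not wrapped, so `if (cond) LDAP_SET_OPTION(...);` would guard only the ldap_set_option() call and run the failure check unconditionally; wrap the body as `do { \` … `} while (0)` so it behaves as a single statement at every use site. The macro also relies on an `int rc` being in scope wherever it is used, which is worth stating in its comment, e.g. `/* requires a local int rc; exits the process on failure */`. myldap.c already uses a macro of the same name (see its do_set_options hunk); if that one reports failure differently from exit(), giving the two distinct names or moving one definition to a shared header would avoid confusion. The cfg_defaults() function this hunk ends on continues outside it.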
@@ -98,13 +107,6 @@ static void cfg_defaults(struct ldap_config *cfg)
cfg->ldc_reconnect_maxsleeptime=30;
#ifdef LDAP_OPT_X_TLS
cfg->ldc_ssl_on=SSL_OFF;
- cfg->ldc_tls_reqcert=-1;
- cfg->ldc_tls_cacertdir=NULL;
- cfg->ldc_tls_cacertfile=NULL;
- cfg->ldc_tls_randfile=NULL;
- cfg->ldc_tls_ciphers=NULL;
- cfg->ldc_tls_cert=NULL;
- cfg->ldc_tls_key=NULL;
#endif /* LDAP_OPT_X_TLS */
cfg->ldc_restart=1;
cfg->ldc_pagesize=0;
@@ -645,6 +647,8 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
char keyword[32];
char token[64];
int i;
+ int rc;
+ char *value;
/* open config file */
if ((fp=fopen(filename,"r"))==NULL)
{
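Review bot: The added `int rc;` and `char *value;` are declared unconditionally, but in the hunks of this commit they are only used inside the `#ifdef LDAP_OPT_X_TLS` block further down; if they have no other use in cfg_read(), builds without LDAP_OPT_X_TLS will get unused-variable warnings. Guarding the two declarations with the same `#ifdef LDAP_OPT_X_TLS` / `#endif /* LDAP_OPT_X_TLS */` keeps those builds clean. cfg_read() continues outside this hunk.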
@@ -844,57 +848,75 @@ static void cfg_read(const char *filename,struct ldap_config *cfg)
cfg->ldc_ssl_on=SSL_LDAPS;
get_eol(filename,lnr,keyword,&line);
}
- else if (strcasecmp(keyword,"tls_checkpeer")==0)
- {
- log_log(LOG_WARNING,"%s:%d: option %s is deprecated (and will be removed in an upcoming release), use tls_reqcert instead",filename,lnr,keyword);
- get_reqcert(filename,lnr,keyword,&line,&cfg->ldc_tls_reqcert);
- get_eol(filename,lnr,keyword,&line);
- }
- else if (strcasecmp(keyword,"tls_reqcert")==0)
+ else if ( (strcasecmp(keyword,"tls_reqcert")==0) ||
+ (strcasecmp(keyword,"tls_checkpeer")==0) )
{
- log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_reqcert(filename,lnr,keyword,&line,&cfg->ldc_tls_reqcert);
+ if (strcasecmp(keyword,"tls_reqcert")==0)
+ log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
+ else
+ log_log(LOG_WARNING,"%s:%d: option %s is deprecated (and will be removed in an upcoming release), use tls_reqcert instead",filename,lnr,keyword);
+ get_reqcert(filename,lnr,keyword,&line,&i);
get_eol(filename,lnr,keyword,&line);
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%d)",i);
+ LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&i);
}
else if (strcasecmp(keyword,"tls_cacertdir")==0)
{
log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_strdup(filename,lnr,keyword,&line,&cfg->ldc_tls_cacertdir);
+ get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,\"%s\")",value);
+ LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_CACERTDIR,value);
+ free(value);
}
else if (strcasecmp(keyword,"tls_cacertfile")==0)
{
log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_strdup(filename,lnr,keyword,&line,&cfg->ldc_tls_cacertfile);
+ get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,\"%s\")",value);
+ LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_CACERTFILE,value);
+ free(value);
}
else if (strcasecmp(keyword,"tls_randfile")==0)
{
log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_strdup(filename,lnr,keyword,&line,&cfg->ldc_tls_randfile);
+ get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE,\"%s\")",value);
+ LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_RANDOM_FILE,value);
+ free(value);
}
else if (strcasecmp(keyword,"tls_ciphers")==0)
{
log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_restdup(filename,lnr,keyword,&line,&cfg->ldc_tls_ciphers);
+ get_restdup(filename,lnr,keyword,&line,&value);
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE,\"%s\")",value);
+ LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_CIPHER_SUITE,value);
+ free(value);
}
else if (strcasecmp(keyword,"tls_cert")==0)
{
log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_strdup(filename,lnr,keyword,&line,&cfg->ldc_tls_cert);
+ get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CERTFILE,\"%s\")",value);
+ LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_CERTFILE,value);
+ free(value);
}
else if (strcasecmp(keyword,"tls_key")==0)
{
log_log(LOG_WARNING,"%s:%d: option %s is currently untested (please report any successes)",filename,lnr,keyword);
- get_strdup(filename,lnr,keyword,&line,&cfg->ldc_tls_key);
+ get_strdup(filename,lnr,keyword,&line,&value);
get_eol(filename,lnr,keyword,&line);
/* TODO: check that the path is valid */
+ log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_KEYFILE,\"%s\")",value);
+ LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_KEYFILE,value);
+ free(value);
}
#endif /* LDAP_OPT_X_TLS */
/* other options */
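Review bot: Each `free(value)` placed right after `LDAP_SET_OPTION(NULL,...)` is only correct if ldap_set_option() copies the string it is given; that is presumably the case for these OpenLDAP TLS options, but nothing in the hunk says so, and a later reader may either take the free for a use-after-free or drop the copy assumption when changing the code. A one-line comment at the first such site, `/* ldap_set_option() keeps its own copy of the string */`, would settle it, and the six near-identical branches (tls_cacertdir through tls_key) could share a small static helper that takes the option constant and its printable name instead of repeating the log/set/free sequence. Because the options are now applied as each keyword is parsed, they take effect process-wide in file order, independently of the `ssl` keyword and before any connection exists; a comment near the tls_reqcert branch saying that these settings are global and no longer stored in struct ldap_config would help whoever next looks for them in nslcd_cfg. cfg_read() continues outside this hunk.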
diff --git a/nslcd/cfg.h b/nslcd/cfg.h
index 71a4417..48aea36 100644
--- a/nslcd/cfg.h
+++ b/nslcd/cfg.h
@@ -121,20 +121,6 @@ struct ldap_config
#ifdef LDAP_OPT_X_TLS
/* SSL enabled */
enum ldap_ssl_options ldc_ssl_on;
- /* tls check peer */
- int ldc_tls_reqcert;
- /* tls ca certificate dir */
- char *ldc_tls_cacertdir;
- /* tls ca certificate file */
- char *ldc_tls_cacertfile;
- /* tls randfile */
- char *ldc_tls_randfile;
- /* tls ciphersuite */
- char *ldc_tls_ciphers;
- /* tls certificate */
- char *ldc_tls_cert;
- /* tls key */
- char *ldc_tls_key;
#endif /* LDAP_OPT_X_TLS */
/* whether the LDAP library should restart the select(2) system call when interrupted */
int ldc_restart;
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index f35b004..f4f4980 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -503,50 +503,6 @@ static int do_set_options(MYLDAP_SESSION *session)
log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)");
LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS,&i);
}
- /* rand file */
- if (nslcd_cfg->ldc_tls_randfile!=NULL)
- {
- log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE,\"%s\")",nslcd_cfg->ldc_tls_randfile);
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_RANDOM_FILE,nslcd_cfg->ldc_tls_randfile);
- }
- /* ca cert file */
- if (nslcd_cfg->ldc_tls_cacertfile!=NULL)
- {
- log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,\"%s\")",nslcd_cfg->ldc_tls_cacertfile);
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_CACERTFILE,nslcd_cfg->ldc_tls_cacertfile);
- }
- /* ca cert directory */
- if (nslcd_cfg->ldc_tls_cacertdir!=NULL)
- {
- log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,\"%s\")",nslcd_cfg->ldc_tls_cacertdir);
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_CACERTDIR,nslcd_cfg->ldc_tls_cacertdir);
- }
- /* require cert? (certificate validation) */
- if (nslcd_cfg->ldc_tls_reqcert>=0)
- {
- log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,%d)",nslcd_cfg->ldc_tls_reqcert);
- /* FIXME: only set opion once */
- LDAP_SET_OPTION(NULL,LDAP_OPT_X_TLS_REQUIRE_CERT,&nslcd_cfg->ldc_tls_reqcert);
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_REQUIRE_CERT,&nslcd_cfg->ldc_tls_reqcert);
- }
- /* set cipher suite, certificate and private key */
- if (nslcd_cfg->ldc_tls_ciphers!=NULL)
- {
- log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE,\"%s\")",nslcd_cfg->ldc_tls_ciphers);
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_CIPHER_SUITE,nslcd_cfg->ldc_tls_ciphers);
- }
- /* set certificate */
- if (nslcd_cfg->ldc_tls_cert!=NULL)
- {
- log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_CERTFILE,\"%s\")",nslcd_cfg->ldc_tls_cert);
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_CERTFILE,nslcd_cfg->ldc_tls_cert);
- }
- /* set up key */
- if (nslcd_cfg->ldc_tls_key!=NULL)
- {
- log_log(LOG_DEBUG,"ldap_set_option(LDAP_OPT_X_TLS_KEYFILE,\"%s\")",nslcd_cfg->ldc_tls_key);
- LDAP_SET_OPTION(session->ld,LDAP_OPT_X_TLS_KEYFILE,nslcd_cfg->ldc_tls_key);
- }
#endif /* LDAP_OPT_X_TLS */
/* if nothing above failed, everything should be fine */
return LDAP_SUCCESS;