lib-ldap: ldap-utils - Add SSL setting paths parsing and validation
authorMarco Bettini <marco.bettini@open-xchange.com>
Thu, 12 Dec 2024 11:07:31 +0000 (11:07 +0000)
committerAki Tuomi <aki.tuomi@open-xchange.com>
Fri, 17 Jan 2025 08:40:01 +0000 (10:40 +0200)
src/auth/db-ldap.c
src/lib-ldap/ldap-settings.c
src/lib-ldap/ldap-utils.c
src/lib-ldap/ldap-utils.h

index 9c9a8653bc711cf29f7dd7a98fddea4004c56287..d015de4169e0fa7130ce6adddad8513fe573aec8 100644 (file)
@@ -1479,8 +1479,9 @@ struct ldap_connection *db_ldap_init(struct event *event)
 
        set     = settings_get_or_fatal(event, &ldap_setting_parser_info);
        ssl_set = settings_get_or_fatal(event, &ssl_setting_parser_info);
-       if (ldap_setting_post_check(set, &error) < 0)
-               i_fatal("%s%s", set->uris, error);
+       if (ldap_setting_post_check(set, &error) < 0 ||
+           ldap_set_tls_validate(ssl_set, &error) < 0)
+               i_fatal("%s: %s", set->uris, error);
 
        /* see if it already exists */
        struct ldap_connection *conn = db_ldap_conn_find(set, ssl_set);
index 7906b51172b3fc9fa5351af1386958d115b747c7..fb211997109c7948caa16fc3b6db213073cbc399 100644 (file)
@@ -6,6 +6,7 @@
 #include "ldap-settings.h"
 #include "ssl-settings.h"
 #include "iostream-ssl.h"
+#include "ldap-utils.h"
 
 #undef DEF
 #undef DEFN
@@ -76,7 +77,8 @@ int ldap_client_settings_get(struct event *event,
        const struct ssl_settings *ssl_set = NULL;
        if (settings_get(event, &ldap_client_setting_parser_info, 0, &set, error_r) < 0 ||
            settings_get(event, &ssl_setting_parser_info, 0, &ssl_set, error_r) < 0 ||
-           ldap_client_settings_postcheck(set, error_r) < 0) {
+           ldap_client_settings_postcheck(set, error_r) < 0 ||
+           ldap_set_tls_validate(ssl_set, error_r) < 0) {
                settings_free(set);
                settings_free(ssl_set);
                return -1;
index bf5f815b1d308fdc2fa9f71b14b1c4bf3fb4e2e7..d646e623b6dd583285fa358d1bee02a60f75aec2 100644 (file)
@@ -3,6 +3,7 @@
 #include "lib.h"
 #include "ldap-utils.h"
 #include "ssl-settings.h"
+#include "settings-parser.h"
 
 void ldap_set_opt(const char *prefix, LDAP *ld, int opt, const void *value,
                  const char *optname, const char *value_str)
@@ -35,21 +36,22 @@ void ldap_set_tls_options(const char *prefix, LDAP *ld, bool starttls,
        if (!starttls && strstr(uris, "ldaps:") == NULL)
                return;
 
-       const char *ssl_client_ca_file = t_strcut(ssl_set->ssl_client_ca_file, '\n');
-       ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CACERTFILE,
-                        ssl_client_ca_file, "ssl_client_ca_file");
+       struct settings_file key_file, cert_file, ca_file;
+       settings_file_get(ssl_set->ssl_client_key_file,
+                         unsafe_data_stack_pool, &key_file);
+       settings_file_get(ssl_set->ssl_client_cert_file,
+                         unsafe_data_stack_pool, &cert_file);
+       settings_file_get(ssl_set->ssl_client_ca_file,
+                         unsafe_data_stack_pool, &ca_file);
 
+       ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CACERTFILE,
+                        ca_file.path, "ssl_client_ca_file");
        ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CACERTDIR,
                         ssl_set->ssl_client_ca_dir, "ssl_client_ca_dir");
-
-       const char *ssl_client_cert_file = t_strcut(ssl_set->ssl_client_cert_file, '\n');
        ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CERTFILE,
-                        ssl_client_cert_file, "ssl_client_cert_file");
-
-       const char *ssl_client_key_file = t_strcut(ssl_set->ssl_client_key_file, '\n');
+                        cert_file.path, "ssl_client_cert_file");
        ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_KEYFILE,
-                        ssl_client_key_file, "ssl_client_key_file");
-
+                        key_file.path, "ssl_client_key_file");
        ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
                         ssl_set->ssl_cipher_list, "ssl_cipher_list");
        ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
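Review bot: ldap_set_tls_options() now hands `ca_file.path`, `cert_file.path` and `key_file.path` to ldap_set_opt_str() without checking that the settings actually held paths, so it depends on the caller having run ldap_set_tls_validate() beforehand; the two call sites this commit touches add that check, but the dependency is invisible at this point in the code. What settings_file_get() places in `.path` for a setting carrying inline content cannot be seen from this hunk, which is one more reason to state the contract. A comment above the three settings_file_get() calls would do it: `/* Inline content is rejected by ldap_set_tls_validate(), which callers must run first; only .path is meaningful here. */`. The function begins outside the hunk.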
@@ -69,4 +71,25 @@ void ldap_set_tls_options(const char *prefix, LDAP *ld, bool starttls,
                     "ssl_client_require_valid_cert", requires ? "yes" : "no");
 }
 
+static int ldap_set_tls_validate_file(const char *file, const char *name,
+                                     const char **error_r)
+{
+       if (*file != '\0' && !settings_file_has_path(file)) {
+               *error_r = t_strdup_printf("LDAP doesn't support inline content for %s", name);
+               return -1;
+       }
+       return 0;
+}
+
+int ldap_set_tls_validate(const struct ssl_settings *set, const char **error_r)
+{
+       return ldap_set_tls_validate_file(set->ssl_client_ca_file,
+                                         "ssl_client_ca_file", error_r) < 0 ||
+              ldap_set_tls_validate_file(set->ssl_client_cert_file,
+                                         "ssl_client_cert_file", error_r) < 0 ||
+              ldap_set_tls_validate_file(set->ssl_client_key_file,
+                                         "ssl_client_key_file", error_r) < 0 ?
+               -1 : 0;
+}
+
 #endif
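Review bot: In ldap_set_tls_validate() the three `... < 0` comparisons are folded into one `?:` whose condition spans six lines, so the reader must recall that `||` binds tighter than `?:` to see that `-1 : 0` applies to the whole chain. A plain `if` with an early return expresses the same result without leaning on precedence and mirrors how the callers in db-ldap.c and ldap-settings.c consume the return value. Note also that `*file != '\0'` in ldap_set_tls_validate_file() dereferences the setting unconditionally; that assumes the ssl_settings strings are never NULL, which the removed t_strcut() calls assumed as well, so it is consistent rather than new.
```c
int ldap_set_tls_validate(const struct ssl_settings *set, const char **error_r)
{
	if (ldap_set_tls_validate_file(set->ssl_client_ca_file,
				       "ssl_client_ca_file", error_r) < 0 ||
	    ldap_set_tls_validate_file(set->ssl_client_cert_file,
				       "ssl_client_cert_file", error_r) < 0 ||
	    ldap_set_tls_validate_file(set->ssl_client_key_file,
				       "ssl_client_key_file", error_r) < 0)
		return -1;
	return 0;
}
```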
index 146a371c2457c328e7722107811245ad19b6d171..c42f636d1e774bf1d4eddce41456e4d7b649b535 100644 (file)
@@ -13,4 +13,7 @@ void ldap_set_opt_str(const char *prefix, LDAP *ld, int opt, const char *value,
 
 void ldap_set_tls_options(const char *prefix, LDAP *ld, bool starttls,
                          const char *uris, const struct ssl_settings *ssl_set);
+
+int ldap_set_tls_validate(const struct ssl_settings *set, const char **error_r);
+
 #endif
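Review bot: The new `ldap_set_tls_validate()` prototype is added to ldap-utils.h without a comment, so neither the return convention nor which settings it inspects can be read from the header. A short comment above the declaration would spare readers a trip to ldap-utils.c: `/* Check that ssl_client_ca_file, ssl_client_cert_file and ssl_client_key_file are file paths. Returns 0 on success, or -1 and sets *error_r if any of them carries inline content, which LDAP doesn't support. */`.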