From: Marco Bettini
Date: Thu, 12 Dec 2024 11:07:31 +0000 (+0000)
Subject: lib-ldap: ldap-utils - Add SSL setting paths parsing and validation
X-Git-Tag: 2.4.0~122
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0ab86faf1fbfc9617ef845766385fb1d9b5ed67;p=thirdparty%2Fdovecot%2Fcore.git
lib-ldap: ldap-utils - Add SSL setting paths parsing and validation
---
diff --git a/src/auth/db-ldap.c b/src/auth/db-ldap.c
index 9c9a8653bc..d015de4169 100644
--- a/src/auth/db-ldap.c
+++ b/src/auth/db-ldap.c
@@ -1479,8 +1479,9 @@ struct ldap_connection *db_ldap_init(struct event *event)
 set = settings_get_or_fatal(event, &ldap_setting_parser_info);
 ssl_set = settings_get_or_fatal(event, &ssl_setting_parser_info);
- if (ldap_setting_post_check(set, &error) < 0)
- i_fatal("%s%s", set->uris, error);
+ if (ldap_setting_post_check(set, &error) < 0 ||
+ ldap_set_tls_validate(ssl_set, &error) < 0)
+ i_fatal("%s: %s", set->uris, error);
 /* see if it already exists */
 struct ldap_connection *conn = db_ldap_conn_find(set, ssl_set);
diff --git a/src/lib-ldap/ldap-settings.c b/src/lib-ldap/ldap-settings.c
index 7906b51172..fb21199710 100644
--- a/src/lib-ldap/ldap-settings.c
+++ b/src/lib-ldap/ldap-settings.c
@@ -6,6 +6,7 @@
 #include "ldap-settings.h"
 #include "ssl-settings.h"
 #include "iostream-ssl.h"
+#include "ldap-utils.h"
 #undef DEF
 #undef DEFN
@@ -76,7 +77,8 @@ int ldap_client_settings_get(struct event *event,
 const struct ssl_settings *ssl_set = NULL;
 if (settings_get(event, &ldap_client_setting_parser_info, 0, &set, error_r) < 0 ||
 settings_get(event, &ssl_setting_parser_info, 0, &ssl_set, error_r) < 0 ||
- ldap_client_settings_postcheck(set, error_r) < 0) {
+ ldap_client_settings_postcheck(set, error_r) < 0 ||
+ ldap_set_tls_validate(ssl_set, error_r) < 0) {
 settings_free(set);
 settings_free(ssl_set);
 return -1;
diff --git a/src/lib-ldap/ldap-utils.c b/src/lib-ldap/ldap-utils.c
index bf5f815b1d..d646e623b6 100644
--- a/src/lib-ldap/ldap-utils.c
+++ b/src/lib-ldap/ldap-utils.c
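Review bot: ldap_set_tls_validate() is called unconditionally after ldap_setting_post_check(), while ldap_set_tls_options() in the ldap-utils.c hunk returns early when neither starttls nor an ldaps: URI is in use, so inline ssl_client_ca_file/ssl_client_cert_file/ssl_client_key_file content now aborts startup even for an LDAP backend that never negotiates TLS. If the ssl_client_* settings are shared with other clients that do accept inline content (not verifiable from this diff), a plaintext LDAP configuration that worked before could become fatal here; either gate the validate call on the same starttls / `ldaps:` condition that ldap_set_tls_options() uses, or state in the commit message that rejecting inline content regardless of TLS use is intended. The same applies to the ldap_client_settings_get() hunk in ldap-settings.c. db_ldap_init's body starts and ends outside the hunk.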
@@ -3,6 +3,7 @@
 #include "lib.h"
 #include "ldap-utils.h"
 #include "ssl-settings.h"
+#include "settings-parser.h"
 void ldap_set_opt(const char *prefix, LDAP *ld, int opt, const void *value,
 const char *optname, const char *value_str)
@@ -35,21 +36,22 @@ void ldap_set_tls_options(const char *prefix, LDAP *ld, bool starttls,
 if (!starttls && strstr(uris, "ldaps:") == NULL)
 return;
- const char *ssl_client_ca_file = t_strcut(ssl_set->ssl_client_ca_file, '\n');
- ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CACERTFILE,
- ssl_client_ca_file, "ssl_client_ca_file");
+ struct settings_file key_file, cert_file, ca_file;
+ settings_file_get(ssl_set->ssl_client_key_file,
+ unsafe_data_stack_pool, &key_file);
+ settings_file_get(ssl_set->ssl_client_cert_file,
+ unsafe_data_stack_pool, &cert_file);
+ settings_file_get(ssl_set->ssl_client_ca_file,
+ unsafe_data_stack_pool, &ca_file);
+ ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CACERTFILE,
+ ca_file.path, "ssl_client_ca_file");
 ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CACERTDIR,
 ssl_set->ssl_client_ca_dir, "ssl_client_ca_dir");
-
- const char *ssl_client_cert_file = t_strcut(ssl_set->ssl_client_cert_file, '\n');
 ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CERTFILE,
- ssl_client_cert_file, "ssl_client_cert_file");
-
- const char *ssl_client_key_file = t_strcut(ssl_set->ssl_client_key_file, '\n');
+ cert_file.path, "ssl_client_cert_file");
 ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_KEYFILE,
- ssl_client_key_file, "ssl_client_key_file");
-
+ key_file.path, "ssl_client_key_file");
 ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_CIPHER_SUITE,
 ssl_set->ssl_cipher_list, "ssl_cipher_list");
 ldap_set_opt_str(prefix, ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
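Review bot: ldap_set_tls_options() now hands the .path members from settings_file_get() straight to LDAP_OPT_X_TLS_CACERTFILE/CERTFILE/KEYFILE, so it silently depends on ldap_set_tls_validate() having rejected inline content beforehand; nothing in this function enforces or documents that, and a future caller that skips the validation would pass OpenLDAP whatever .path holds for an inline value (presumably empty, not verifiable here) and lose the key or CA without any error. Add a precondition comment above the `struct settings_file` declaration, e.g. `/* Callers must run ldap_set_tls_validate() first: inline content is rejected there, so only the .path members are meaningful below. */`, or an explicit assertion on settings_file_has_path() for non-empty values. ldap_set_tls_options starts before the hunk and continues after it.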
@@ -69,4 +71,25 @@ void ldap_set_tls_options(const char *prefix, LDAP *ld, bool starttls,
 "ssl_client_require_valid_cert", requires ? "yes" : "no");
 }
+static int ldap_set_tls_validate_file(const char *file, const char *name,
+ const char **error_r)
+{
+ if (*file != '\0' && !settings_file_has_path(file)) {
+ *error_r = t_strdup_printf("LDAP doesn't support inline content for %s", name);
+ return -1;
+ }
+ return 0;
+}
+
+int ldap_set_tls_validate(const struct ssl_settings *set, const char **error_r)
+{
+ return ldap_set_tls_validate_file(set->ssl_client_ca_file,
+ "ssl_client_ca_file", error_r) < 0 ||
+ ldap_set_tls_validate_file(set->ssl_client_cert_file,
+ "ssl_client_cert_file", error_r) < 0 ||
+ ldap_set_tls_validate_file(set->ssl_client_key_file,
+ "ssl_client_key_file", error_r) < 0 ?
+ -1 : 0;
+}
+
 #endif
diff --git a/src/lib-ldap/ldap-utils.h b/src/lib-ldap/ldap-utils.h
index 146a371c24..c42f636d1e 100644
--- a/src/lib-ldap/ldap-utils.h
+++ b/src/lib-ldap/ldap-utils.h
@@ -13,4 +13,7 @@ void ldap_set_opt_str(const char *prefix, LDAP *ld, int opt, const char *value,
 void ldap_set_tls_options(const char *prefix, LDAP *ld, bool starttls,
 const char *uris, const struct ssl_settings *ssl_set);
+
+int ldap_set_tls_validate(const struct ssl_settings *set, const char **error_r);
+
 #endif
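Review bot: The `return a < 0 || b < 0 || c < 0 ? -1 : 0;` form in ldap_set_tls_validate() relies on `||` binding tighter than `?:` and makes the reader recompute precedence to confirm that the first failing check's error_r is the one reported; plain early returns express the same thing with no precedence question, as below. The new public function also carries no comment, neither here nor on its declaration in the ldap-utils.h hunk of this commit: a one-liner saying that it rejects inline (non-path) ssl_client_ca_file/cert_file/key_file content because only file paths can be handed to the LDAP library, and that *error_r is allocated on the data stack via t_strdup_printf(), would help callers that propagate the message. ldap_set_tls_validate_file() dereferences `file` without a NULL check, which matches the existing t_strcut() use on the same settings and is fine as long as these setting strings are never NULL.

```c
int ldap_set_tls_validate(const struct ssl_settings *set, const char **error_r)
{
	if (ldap_set_tls_validate_file(set->ssl_client_ca_file,
				       "ssl_client_ca_file", error_r) < 0)
		return -1;
	if (ldap_set_tls_validate_file(set->ssl_client_cert_file,
				       "ssl_client_cert_file", error_r) < 0)
		return -1;
	return ldap_set_tls_validate_file(set->ssl_client_key_file,
					  "ssl_client_key_file", error_r);
}
```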