ITS#9054, #9318 add new TLS options to slapd bindconf
authorHoward Chu <hyc@openldap.org>
Fri, 21 Aug 2020 19:06:56 +0000 (20:06 +0100)
committerQuanah Gibson-Mount <quanah@openldap.org>
Fri, 21 Aug 2020 23:02:11 +0000 (23:02 +0000)
For use with back-ldap/back-meta/syncrepl/etc

servers/slapd/config.c
servers/slapd/slap.h

index fb7c48a944a73ef5d6132e1dff19e2a4ff23d886..6edfdb2aa488c681d764dadefc82d88c31830f3b 100644 (file)
@@ -1428,8 +1428,10 @@ static slap_cf_aux_table bindkey[] = {
        { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
        { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
        { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
+       { BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 0, NULL },
        { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
        { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
+       { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
 #ifdef HAVE_OPENSSL_CRL
        { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
@@ -1795,6 +1797,10 @@ void bindconf_free( slap_bindconf *bc ) {
                ch_free( bc->sb_tls_reqcert );
                bc->sb_tls_reqcert = NULL;
        }
+       if ( bc->sb_tls_reqsan ) {
+               ch_free( bc->sb_tls_reqsan );
+               bc->sb_tls_reqsan = NULL;
+       }
        if ( bc->sb_tls_cipher_suite ) {
                ch_free( bc->sb_tls_cipher_suite );
                bc->sb_tls_cipher_suite = NULL;
@@ -1803,6 +1809,10 @@ void bindconf_free( slap_bindconf *bc ) {
                ch_free( bc->sb_tls_protocol_min );
                bc->sb_tls_protocol_min = NULL;
        }
+       if ( bc->sb_tls_ecname ) {
+               ch_free( bc->sb_tls_ecname );
+               bc->sb_tls_ecname = NULL;
+       }
 #ifdef HAVE_OPENSSL_CRL
        if ( bc->sb_tls_crlcheck ) {
                ch_free( bc->sb_tls_crlcheck );
@@ -1838,6 +1848,11 @@ bindconf_tls_defaults( slap_bindconf *bc )
                                &bc->sb_tls_cipher_suite );
                if ( !bc->sb_tls_reqcert )
                        bc->sb_tls_reqcert = ch_strdup("demand");
+               if ( !bc->sb_tls_reqsan )
+                       bc->sb_tls_reqsan = ch_strdup("allow");
+               if ( !bc->sb_tls_ecname )
+                       slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
+                               &bc->sb_tls_ecname );
 #ifdef HAVE_OPENSSL_CRL
                if ( !bc->sb_tls_crlcheck )
                        slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
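Review bot: The new tls_reqsan default at L50-51 is the hard-coded keyword "allow", whereas the neighbouring tls_cipher_suite and tls_ecname defaults are inherited from the server's own TLS settings through slap_tls_get_config(); if a server-wide SAN policy exists in the global config, it is not propagated to outbound back-ldap/syncrepl connections the way the cipher list and curve name are. Presumably "allow" was chosen so that existing configurations keep their pre-patch certificate checking, but nothing in the hunk says so, and "allow" is the permissive end of the scale. A comment such as `/* "allow" keeps pre-existing hostname checking; deliberately not inherited from the global TLS config like the options above */` would stop a later reader from "fixing" it, or the default could be taken from the global config if one is available. bindconf_tls_defaults() begins above this hunk.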
@@ -1858,7 +1873,7 @@ static struct {
        { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
        { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
        { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
-       { "tls_protocol_min", offsetof(slap_bindconf, sb_tls_protocol_min), LDAP_OPT_X_TLS_PROTOCOL_MIN },
+       { "tls_ecname", offsetof(slap_bindconf, sb_tls_ecname), LDAP_OPT_X_TLS_ECNAME },
        {0, 0}
 };
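Review bot: The table silently drops its tls_protocol_min entry (L62) while the commit message only talks about adding options. tls_protocol_min is still applied separately through ldap_int_tls_config() at L81-83, so the removal looks intentional rather than a slip, though that is inferred from the next hunk. A comment above the table, `/* options whose string value is applied as-is; tls_reqsan and tls_protocol_min are keywords parsed by ldap_int_tls_config() in bindconf_tls_set() */`, would record the distinction so nobody re-adds the entry. The table's declaration line is above this hunk.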
 
@@ -1893,6 +1908,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
                } else
                        newctx = 1;
        }
+       if ( bc->sb_tls_reqsan ) {
+               rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
+                       bc->sb_tls_reqsan );
+               if ( rc ) {
+                       Debug( LDAP_DEBUG_ANY,
+                               "bindconf_tls_set: failed to set tls_reqsan to %s\n",
+                                       bc->sb_tls_reqsan, 0, 0 );
+                       res = -1;
+               }
+       }
        if ( bc->sb_tls_protocol_min ) {
                rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
                        bc->sb_tls_protocol_min );
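Review bot: The new tls_reqsan block at L71-80 is a near-verbatim copy of the tls_protocol_min block that follows it (set via ldap_int_tls_config(), Debug on failure, res = -1), so a third keyword option would mean a third copy; a small static helper would keep the failure handling in one place. Note that a rejected keyword only sets res = -1 and the function carries on setting the remaining options, so whether a misspelt tls_reqsan actually prevents the connection depends on the caller honouring the return value, which is outside this hunk. bindconf_tls_set() starts and ends outside the hunk.
```c
/* Apply one keyword-valued TLS option; log and flag *res on a bad keyword. */
static void
bindconf_tls_keyword( LDAP *ld, int opt, const char *name, const char *val, int *res )
{
	if ( !val ) return;
	if ( ldap_int_tls_config( ld, opt, val ) ) {
		Debug( LDAP_DEBUG_ANY,
			"bindconf_tls_set: failed to set %s to %s\n", name, val, 0 );
		*res = -1;
	}
}

/* … unchanged: table loop and newctx handling … */
	bindconf_tls_keyword( ld, LDAP_OPT_X_TLS_REQUIRE_SAN, "tls_reqsan", bc->sb_tls_reqsan, &res );
	bindconf_tls_keyword( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, "tls_protocol_min", bc->sb_tls_protocol_min, &res );
```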
index 0e60aa1756813556fb3ab21364f64152af273185..e803e4af0e23ac1625e9c5f6a8e980b66a8879d8 100644 (file)
@@ -1639,8 +1639,10 @@ typedef struct slap_bindconf {
        char *sb_tls_cacert;
        char *sb_tls_cacertdir;
        char *sb_tls_reqcert;
+       char *sb_tls_reqsan;
        char *sb_tls_cipher_suite;
        char *sb_tls_protocol_min;
+       char *sb_tls_ecname;
 #ifdef HAVE_OPENSSL_CRL
        char *sb_tls_crlcheck;
 #endif
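Review bot: The two new slap_bindconf members at L89 and L92 carry no comment, unlike what a reader of the config keyword table would need to map them back. Since the config.c hunks show sb_tls_reqsan being passed to LDAP_OPT_X_TLS_REQUIRE_SAN with an "allow" default, and sb_tls_ecname being filled from the global LDAP_OPT_X_TLS_ECNAME when unset, `char *sb_tls_reqsan;  /* keyword for LDAP_OPT_X_TLS_REQUIRE_SAN, default "allow" */` and `char *sb_tls_ecname;  /* LDAP_OPT_X_TLS_ECNAME; inherited from the global TLS config when unset */` would document them. The struct definition starts above this hunk.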