From a9f42b12db40bf329fcb7f7e4eb3dbadcde6ee0f Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Fri, 21 Aug 2020 20:06:56 +0100
Subject: [PATCH] ITS#9054, #9318 add new TLS options to slapd bindconf

For use with back-ldap/back-meta/syncrepl/etc
---
 servers/slapd/config.c | 27 ++++++++++++++++++++++++++-
 servers/slapd/slap.h | 2 ++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index fb7c48a944..6edfdb2aa4 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1428,8 +1428,10 @@ static slap_cf_aux_table bindkey[] = {
 { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
 { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
 { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
+ { BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 0, NULL },
 { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
 { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
+ { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
 #ifdef HAVE_OPENSSL_CRL
 { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
@@ -1795,6 +1797,10 @@ void bindconf_free( slap_bindconf *bc ) {
 ch_free( bc->sb_tls_reqcert );
 bc->sb_tls_reqcert = NULL;
 }
+ if ( bc->sb_tls_reqsan ) {
+ ch_free( bc->sb_tls_reqsan );
+ bc->sb_tls_reqsan = NULL;
+ }
 if ( bc->sb_tls_cipher_suite ) {
 ch_free( bc->sb_tls_cipher_suite );
 bc->sb_tls_cipher_suite = NULL;
@@ -1803,6 +1809,10 @@ void bindconf_free( slap_bindconf *bc ) {
 ch_free( bc->sb_tls_protocol_min );
 bc->sb_tls_protocol_min = NULL;
 }
+ if ( bc->sb_tls_ecname ) {
+ ch_free( bc->sb_tls_ecname );
+ bc->sb_tls_ecname = NULL;
+ }
 #ifdef HAVE_OPENSSL_CRL
 if ( bc->sb_tls_crlcheck ) {
 ch_free( bc->sb_tls_crlcheck );
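Review bot: The two new bindconf keywords `tls_reqsan=` and `tls_ecname=` are added to the `bindkey` table with no accompanying documentation change — the diffstat lists only config.c and slap.h, so the manual pages that describe the existing `tls_*` bindconf keywords will not mention them or the accepted `tls_reqsan` levels. The entries themselves look consistent with their neighbours (type `'s'`, fourth field 0 like `tls_reqcert=` and `tls_cipher_suite=`), and the value string is stored unchecked here; the later hunk in bindconf_tls_set() shows it being validated only when `ldap_int_tls_config()` is applied and its return code checked. A short table comment would make that explicit, e.g. `/* tls_reqcert/tls_reqsan levels are not validated here; bindconf_tls_set() rejects them when applied */`. The table's closing line is outside this hunk.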
@@ -1838,6 +1848,11 @@ bindconf_tls_defaults( slap_bindconf *bc )
 &bc->sb_tls_cipher_suite );
 if ( !bc->sb_tls_reqcert )
 bc->sb_tls_reqcert = ch_strdup("demand");
+ if ( !bc->sb_tls_reqsan )
+ bc->sb_tls_reqsan = ch_strdup("allow");
+ if ( !bc->sb_tls_ecname )
+ slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
+ &bc->sb_tls_ecname );
 #ifdef HAVE_OPENSSL_CRL
 if ( !bc->sb_tls_crlcheck )
 slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
@@ -1858,7 +1873,7 @@ static struct {
 { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
 { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
 { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
- { "tls_protocol_min", offsetof(slap_bindconf, sb_tls_protocol_min), LDAP_OPT_X_TLS_PROTOCOL_MIN },
+ { "tls_ecname", offsetof(slap_bindconf, sb_tls_ecname), LDAP_OPT_X_TLS_ECNAME },
 {0, 0}
 };
 
@@ -1893,6 +1908,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 } else
 newctx = 1;
 }
+ if ( bc->sb_tls_reqsan ) {
+ rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
+ bc->sb_tls_reqsan );
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ "bindconf_tls_set: failed to set tls_reqsan to %s\n",
+ bc->sb_tls_reqsan, 0, 0 );
+ res = -1;
+ }
+ }
 if ( bc->sb_tls_protocol_min ) {
 rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
 bc->sb_tls_protocol_min );
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 0e60aa1756..e803e4af0e 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1639,8 +1639,10 @@ typedef struct slap_bindconf {
 char *sb_tls_cacert;
 char *sb_tls_cacertdir;
 char *sb_tls_reqcert;
+ char *sb_tls_reqsan;
 char *sb_tls_cipher_suite;
 char *sb_tls_protocol_min;
+ char *sb_tls_ecname;
 #ifdef HAVE_OPENSSL_CRL
 char *sb_tls_crlcheck;
 #endif
-- 
2.47.2
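Review bot: The new `sb_tls_reqsan` default is hard-coded to `"allow"` directly under `sb_tls_reqcert` defaulting to `"demand"`, and nothing records why the two verification levels differ. If `allow` has its libldap TLS_REQSAN meaning — a missing or non-matching subjectAltName does not abort the session — then an outbound bindconf that only sets `tls_reqcert=demand` gets no stricter SAN checking than before, and an operator reading this function cannot tell that from the code. Please add a why-comment such as `/* "allow": presumably mirrors the libldap TLS_REQSAN default; SAN mismatch is non-fatal, reqcert still governs verification */`, or state in the commit message why `demand` was not chosen to match reqcert. The `slap_tls_get_config()` call for `LDAP_OPT_X_TLS_ECNAME` discards its return value, which is consistent with the `LDAP_OPT_X_TLS_CRLCHECK` call right below it; bindconf_tls_defaults() begins before this hunk.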
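Review bot: The removal of the `tls_protocol_min` row from this option table, replaced by `tls_ecname`, is not mentioned in the commit message, which only announces new options. The next hunk shows `sb_tls_protocol_min` being applied through `ldap_int_tls_config()` in bindconf_tls_set(), so the table row was presumably a second, redundant path for the same option that handed the raw string to whatever loop consumes this table; if that is the reason, a sentence in the description and a comment on the table would stop the next reader from re-adding it, e.g. `/* options whose string must be parsed (reqcert, reqsan, protocol_min, crlcheck) are applied explicitly in bindconf_tls_set(), not through this table */`. The anonymous struct declaration that this initializer belongs to starts at the hunk header, outside the visible lines.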