void
ldap_int_tls_destroy( struct ldapoptions *lo )
{
if ( lo->ldo_tls_ctx ) {
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
}
#ifdef HAVE_SECURE_TRANSPORT
if ( lo->ldo_tls_identity ) {
LDAP_FREE( lo->ldo_tls_identity );
lo->ldo_tls_identity = NULL;
}
if ( lo->ldo_tls_trusted_certs ) {
LDAP_FREE( lo->ldo_tls_trusted_certs );
lo->ldo_tls_trusted_certs = NULL;
}
#else
if ( lo->ldo_tls_certfile ) {
LDAP_FREE( lo->ldo_tls_certfile );
lo->ldo_tls_certfile = NULL;
}
if ( lo->ldo_tls_keyfile ) {
LDAP_FREE( lo->ldo_tls_keyfile );
lo->ldo_tls_keyfile = NULL;
}
#endif
if ( lo->ldo_tls_dhfile ) {
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
#ifndef HAVE_SECURE_TRANSPORT
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
}
if ( lo->ldo_tls_cacertdir ) {
LDAP_FREE( lo->ldo_tls_cacertdir );
lo->ldo_tls_cacertdir = NULL;
}
#endif
if ( lo->ldo_tls_ciphersuite ) {
LDAP_FREE( lo->ldo_tls_ciphersuite );
lo->ldo_tls_ciphersuite = NULL;
}
if ( lo->ldo_tls_crlfile ) {
LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = NULL;
}
#if defined(__APPLE__) && !defined(HAVE_SECURE_TRANSPORT)
if ( lo->ldo_tls_cert_ref ) {
CFRelease( lo->ldo_tls_cert_ref );
lo->ldo_tls_cert_ref = NULL;
}
#endif
}
void
ldap_int_tls_destroy( struct ldapoptions *lo )
{
if ( lo->ldo_tls_ctx ) {
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
}
if ( lo->ldo_tls_certfile ) {
LDAP_FREE( lo->ldo_tls_certfile );
lo->ldo_tls_certfile = NULL;
}
if ( lo->ldo_tls_keyfile ) {
LDAP_FREE( lo->ldo_tls_keyfile );
lo->ldo_tls_keyfile = NULL;
}
if ( lo->ldo_tls_dhfile ) {
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
if ( lo->ldo_tls_ecname ) {
LDAP_FREE( lo->ldo_tls_ecname );
lo->ldo_tls_ecname = NULL;
}
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
}
if ( lo->ldo_tls_cacertdir ) {
LDAP_FREE( lo->ldo_tls_cacertdir );
lo->ldo_tls_cacertdir = NULL;
}
if ( lo->ldo_tls_ciphersuite ) {
LDAP_FREE( lo->ldo_tls_ciphersuite );
lo->ldo_tls_ciphersuite = NULL;
}
if ( lo->ldo_tls_crlfile ) {
LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = NULL;
}
}
int
ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
{
struct ldapoptions *lo;
if( ld != NULL ) {
assert( LDAP_VALID( ld ) );
if( !LDAP_VALID( ld ) ) {
return LDAP_OPT_ERROR;
}
lo = &ld->ld_options;
} else {
/* Get pointer to global option structure */
lo = LDAP_INT_GLOBAL_OPT();
if ( lo == NULL ) {
return LDAP_NO_MEMORY;
}
}
switch( option ) {
case LDAP_OPT_X_TLS:
if ( !arg ) return -1;
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_NEVER:
case LDAP_OPT_X_TLS_DEMAND:
case LDAP_OPT_X_TLS_ALLOW:
case LDAP_OPT_X_TLS_TRY:
case LDAP_OPT_X_TLS_HARD:
if (lo != NULL) {
lo->ldo_tls_mode = *(int *)arg;
}
return 0;
}
return -1;
case LDAP_OPT_X_TLS_CTX:
if ( lo->ldo_tls_ctx )
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = arg;
tls_ctx_ref( lo->ldo_tls_ctx );
return 0;
case LDAP_OPT_X_TLS_CONNECT_CB:
lo->ldo_tls_connect_cb = (LDAP_TLS_CONNECT_CB *)arg;
return 0;
case LDAP_OPT_X_TLS_CONNECT_ARG:
lo->ldo_tls_connect_arg = arg;
return 0;
case LDAP_OPT_X_TLS_CACERTFILE:
if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_CACERTDIR:
if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir );
lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_CERTFILE:
if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile );
lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_KEYFILE:
if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile );
lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_DHFILE:
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_REQUIRE_CERT:
if ( !arg ) return -1;
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_NEVER:
case LDAP_OPT_X_TLS_DEMAND:
case LDAP_OPT_X_TLS_ALLOW:
case LDAP_OPT_X_TLS_TRY:
case LDAP_OPT_X_TLS_HARD:
lo->ldo_tls_require_cert = * (int *) arg;
return 0;
}
return -1;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1;
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_CRL_NONE:
case LDAP_OPT_X_TLS_CRL_PEER:
case LDAP_OPT_X_TLS_CRL_ALL:
lo->ldo_tls_crlcheck = * (int *) arg;
return 0;
}
return -1;
#endif
case LDAP_OPT_X_TLS_CIPHER_SUITE:
if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite );
lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
if ( !arg ) return -1;
lo->ldo_tls_protocol_min = *(int *)arg;
return 0;
case LDAP_OPT_X_TLS_RANDOM_FILE:
if ( ld != NULL )
return -1;
if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile );
lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
break;
case LDAP_OPT_X_TLS_NEWCTX:
if ( !arg ) return -1;
if ( lo->ldo_tls_ctx )
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
return ldap_int_tls_init_ctx( lo, *(int *)arg );
default:
return -1;
}
return 0;
}
/*
* initialize a new TLS context
*/
static int
ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
{
int rc = 0;
tls_impl *ti = tls_imp;
struct ldaptls lts = lo->ldo_tls_info;
if ( lo->ldo_tls_ctx )
return 0;
tls_init( ti );
if ( is_server && !lts.lt_certfile && !lts.lt_keyfile &&
!lts.lt_cacertfile && !lts.lt_cacertdir ) {
/* minimum configuration not provided */
return LDAP_NOT_SUPPORTED;
}
#ifdef HAVE_EBCDIC
/* This ASCII/EBCDIC handling is a real pain! */
if ( lts.lt_ciphersuite ) {
lts.lt_ciphersuite = LDAP_STRDUP( lts.lt_ciphersuite );
__atoe( lts.lt_ciphersuite );
}
if ( lts.lt_cacertfile ) {
lts.lt_cacertfile = LDAP_STRDUP( lts.lt_cacertfile );
__atoe( lts.lt_cacertfile );
}
if ( lts.lt_certfile ) {
lts.lt_certfile = LDAP_STRDUP( lts.lt_certfile );
__atoe( lts.lt_certfile );
}
if ( lts.lt_keyfile ) {
lts.lt_keyfile = LDAP_STRDUP( lts.lt_keyfile );
__atoe( lts.lt_keyfile );
}
if ( lts.lt_crlfile ) {
lts.lt_crlfile = LDAP_STRDUP( lts.lt_crlfile );
__atoe( lts.lt_crlfile );
}
if ( lts.lt_cacertdir ) {
lts.lt_cacertdir = LDAP_STRDUP( lts.lt_cacertdir );
__atoe( lts.lt_cacertdir );
}
if ( lts.lt_dhfile ) {
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not allocate default ctx.\n",
0,0,0);
rc = -1;
goto error_exit;
}
rc = ti->ti_ctx_init( lo, <s, is_server );
error_exit:
if ( rc < 0 && lo->ldo_tls_ctx != NULL ) {
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
}
#ifdef HAVE_EBCDIC
LDAP_FREE( lts.lt_ciphersuite );
LDAP_FREE( lts.lt_cacertfile );
LDAP_FREE( lts.lt_certfile );
LDAP_FREE( lts.lt_keyfile );
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
#endif
return rc;
}
