937a200089
This is actually a fully functional build except: * All internal shared libraries are static linked to make sure there is no interference with ports (and to reduce build time). * It does not have the python/perl/etc plugin or API support. * By default, it installs as "svnlite" rather than "svn". * If WITH_SVN added in make.conf, you get "svn". * If WITHOUT_SVNLITE is in make.conf, this is completely disabled. To be absolutely clear, this is not intended for any use other than checking out freebsd source and committing, like we once did with cvs. It should be usable for small scale local repositories that don't need the python/perl plugin architecture.
653 lines
23 KiB
C
653 lines
23 KiB
C
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
* contributor license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright ownership.
|
|
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
* (the "License"); you may not use this file except in compliance with
|
|
* the License. You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
/* apr_ldap_option.c -- LDAP options
|
|
*
|
|
* The LDAP SDK allows the getting and setting of options on an LDAP
|
|
* connection.
|
|
*
|
|
*/
|
|
|
|
#include "apr.h"
|
|
#include "apu.h"
|
|
#include "apu_config.h"
|
|
|
|
#if APU_DSO_BUILD
|
|
#define APU_DSO_LDAP_BUILD
|
|
#endif
|
|
|
|
#include "apr_ldap.h"
|
|
#include "apr_errno.h"
|
|
#include "apr_pools.h"
|
|
#include "apr_strings.h"
|
|
#include "apr_tables.h"
|
|
|
|
#if APR_HAS_LDAP
|
|
|
|
static void option_set_cert(apr_pool_t *pool, LDAP *ldap, const void *invalue,
|
|
apr_ldap_err_t *result);
|
|
static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
|
|
apr_ldap_err_t *result);
|
|
|
|
/**
|
|
* APR LDAP get option function
|
|
*
|
|
* This function gets option values from a given LDAP session if
|
|
* one was specified.
|
|
*/
|
|
APU_DECLARE_LDAP(int) apr_ldap_get_option(apr_pool_t *pool,
|
|
LDAP *ldap,
|
|
int option,
|
|
void *outvalue,
|
|
apr_ldap_err_t **result_err)
|
|
{
|
|
apr_ldap_err_t *result;
|
|
|
|
result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
|
|
*result_err = result;
|
|
if (!result) {
|
|
return APR_ENOMEM;
|
|
}
|
|
|
|
/* get the option specified using the native LDAP function */
|
|
result->rc = ldap_get_option(ldap, option, outvalue);
|
|
|
|
/* handle the error case */
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result-> rc);
|
|
result->reason = apr_pstrdup(pool, "LDAP: Could not get an option");
|
|
return APR_EGENERAL;
|
|
}
|
|
|
|
return APR_SUCCESS;
|
|
|
|
}
|
|
|
|
/**
|
|
* APR LDAP set option function
|
|
*
|
|
* This function sets option values to a given LDAP session if
|
|
* one was specified.
|
|
*
|
|
* Where an option is not supported by an LDAP toolkit, this function
|
|
* will try and apply legacy functions to achieve the same effect,
|
|
* depending on the platform.
|
|
*/
|
|
APU_DECLARE_LDAP(int) apr_ldap_set_option(apr_pool_t *pool,
|
|
LDAP *ldap,
|
|
int option,
|
|
const void *invalue,
|
|
apr_ldap_err_t **result_err)
|
|
{
|
|
apr_ldap_err_t *result;
|
|
|
|
result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
|
|
*result_err = result;
|
|
if (!result) {
|
|
return APR_ENOMEM;
|
|
}
|
|
|
|
switch (option) {
|
|
case APR_LDAP_OPT_TLS_CERT:
|
|
option_set_cert(pool, ldap, invalue, result);
|
|
break;
|
|
|
|
case APR_LDAP_OPT_TLS:
|
|
option_set_tls(pool, ldap, invalue, result);
|
|
break;
|
|
|
|
case APR_LDAP_OPT_VERIFY_CERT:
|
|
#if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
|
|
result->reason = "LDAP: Verify certificate not yet supported by APR on the "
|
|
"Netscape, Solaris or Mozilla LDAP SDKs";
|
|
result->rc = -1;
|
|
return APR_EGENERAL;
|
|
#endif
|
|
#if APR_HAS_NOVELL_LDAPSDK
|
|
if (*((int*)invalue)) {
|
|
result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
|
|
}
|
|
else {
|
|
result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
|
|
}
|
|
#endif
|
|
#if APR_HAS_OPENLDAP_LDAPSDK
|
|
#ifdef LDAP_OPT_X_TLS
|
|
/* This is not a per-connection setting so just pass NULL for the
|
|
Ldap connection handle */
|
|
if (*((int*)invalue)) {
|
|
int i = LDAP_OPT_X_TLS_DEMAND;
|
|
result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
|
|
}
|
|
else {
|
|
int i = LDAP_OPT_X_TLS_NEVER;
|
|
result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
|
|
}
|
|
#else
|
|
result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
|
|
"version of the OpenLDAP toolkit";
|
|
result->rc = -1;
|
|
return APR_EGENERAL;
|
|
#endif
|
|
#endif
|
|
|
|
/* handle the error case */
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result->rc);
|
|
result->reason = "LDAP: Could not set verify mode";
|
|
}
|
|
break;
|
|
|
|
case APR_LDAP_OPT_REFERRALS:
|
|
/* Setting this option is supported on at least TIVOLI_SDK and OpenLDAP. Folks
|
|
* who know the NOVELL, NETSCAPE, MOZILLA, and SOLARIS SDKs should note here if
|
|
* the SDK at least tolerates this option being set, or add an elif to handle
|
|
* special cases (i.e. different LDAP_OPT_X value).
|
|
*/
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_REFERRALS, (void *)invalue);
|
|
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "Unable to set LDAP_OPT_REFERRALS.";
|
|
return(result->rc);
|
|
}
|
|
break;
|
|
|
|
case APR_LDAP_OPT_REFHOPLIMIT:
|
|
#if !defined(LDAP_OPT_REFHOPLIMIT) || APR_HAS_NOVELL_LDAPSDK
|
|
/* If the LDAP_OPT_REFHOPLIMIT symbol is missing, assume that the
|
|
* particular LDAP library has a reasonable default. So far certain
|
|
* versions of the OpenLDAP SDK miss this symbol (but default to 5),
|
|
* and the Microsoft SDK misses the symbol (the default is not known).
|
|
*/
|
|
result->rc = LDAP_SUCCESS;
|
|
#else
|
|
/* Setting this option is supported on at least TIVOLI_SDK. Folks who know
|
|
* the NOVELL, NETSCAPE, MOZILLA, and SOLARIS SDKs should note here if
|
|
* the SDK at least tolerates this option being set, or add an elif to handle
|
|
* special cases so an error isn't returned if there is a perfectly good
|
|
* default value that just can't be changed (like openLDAP).
|
|
*/
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_REFHOPLIMIT, (void *)invalue);
|
|
#endif
|
|
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "Unable to set LDAP_OPT_REFHOPLIMIT.";
|
|
return(result->rc);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
/* set the option specified using the native LDAP function */
|
|
result->rc = ldap_set_option(ldap, option, (void *)invalue);
|
|
|
|
/* handle the error case */
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result->rc);
|
|
result->reason = "LDAP: Could not set an option";
|
|
}
|
|
break;
|
|
}
|
|
|
|
/* handle the error case */
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
return APR_EGENERAL;
|
|
}
|
|
|
|
return APR_SUCCESS;
|
|
|
|
}
|
|
|
|
/**
|
|
* Handle APR_LDAP_OPT_TLS
|
|
*
|
|
* This function sets the type of TLS to be applied to this connection.
|
|
* The options are:
|
|
* APR_LDAP_NONE: no encryption
|
|
* APR_LDAP_SSL: SSL encryption (ldaps://)
|
|
* APR_LDAP_STARTTLS: STARTTLS encryption
|
|
* APR_LDAP_STOPTLS: Stop existing TLS connecttion
|
|
*/
|
|
static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
|
|
apr_ldap_err_t *result)
|
|
{
|
|
#if APR_HAS_LDAP_SSL /* compiled with ssl support */
|
|
|
|
int tls = * (const int *)invalue;
|
|
|
|
/* Netscape/Mozilla/Solaris SDK */
|
|
#if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
|
|
#if APR_HAS_LDAPSSL_INSTALL_ROUTINES
|
|
if (tls == APR_LDAP_SSL) {
|
|
result->rc = ldapssl_install_routines(ldap);
|
|
#ifdef LDAP_OPT_SSL
|
|
/* apparently Netscape and Mozilla need this too, Solaris doesn't */
|
|
if (result->rc == LDAP_SUCCESS) {
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
|
|
}
|
|
#endif
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result->rc);
|
|
result->reason = "LDAP: Could not switch SSL on for this "
|
|
"connection.";
|
|
}
|
|
}
|
|
else if (tls == APR_LDAP_STARTTLS) {
|
|
result->reason = "LDAP: STARTTLS is not supported by the "
|
|
"Netscape/Mozilla/Solaris SDK";
|
|
result->rc = -1;
|
|
}
|
|
else if (tls == APR_LDAP_STOPTLS) {
|
|
result->reason = "LDAP: STOPTLS is not supported by the "
|
|
"Netscape/Mozilla/Solaris SDK";
|
|
result->rc = -1;
|
|
}
|
|
#else
|
|
if (tls != APR_LDAP_NONE) {
|
|
result->reason = "LDAP: SSL/TLS is not supported by this version "
|
|
"of the Netscape/Mozilla/Solaris SDK";
|
|
result->rc = -1;
|
|
}
|
|
#endif
|
|
#endif
|
|
|
|
/* Novell SDK */
|
|
#if APR_HAS_NOVELL_LDAPSDK
|
|
/* ldapssl_install_routines(ldap)
|
|
* Behavior is unpredictable when other LDAP functions are called
|
|
* between the ldap_init function and the ldapssl_install_routines
|
|
* function.
|
|
*
|
|
* STARTTLS is supported by the ldap_start_tls_s() method
|
|
*/
|
|
if (tls == APR_LDAP_SSL) {
|
|
result->rc = ldapssl_install_routines(ldap);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result->rc);
|
|
result->reason = "LDAP: Could not switch SSL on for this "
|
|
"connection.";
|
|
}
|
|
}
|
|
if (tls == APR_LDAP_STARTTLS) {
|
|
result->rc = ldapssl_start_tls(ldap);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result->rc);
|
|
result->reason = "LDAP: Could not start TLS on this connection";
|
|
}
|
|
}
|
|
else if (tls == APR_LDAP_STOPTLS) {
|
|
result->rc = ldapssl_stop_tls(ldap);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result->rc);
|
|
result->reason = "LDAP: Could not stop TLS on this connection";
|
|
}
|
|
}
|
|
#endif
|
|
|
|
/* OpenLDAP SDK */
|
|
#if APR_HAS_OPENLDAP_LDAPSDK
|
|
#ifdef LDAP_OPT_X_TLS
|
|
if (tls == APR_LDAP_SSL) {
|
|
int SSLmode = LDAP_OPT_X_TLS_HARD;
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS, &SSLmode);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: ldap_set_option failed. "
|
|
"Could not set LDAP_OPT_X_TLS to "
|
|
"LDAP_OPT_X_TLS_HARD";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
else if (tls == APR_LDAP_STARTTLS) {
|
|
result->rc = ldap_start_tls_s(ldap, NULL, NULL);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: ldap_start_tls_s() failed";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
else if (tls == APR_LDAP_STOPTLS) {
|
|
result->reason = "LDAP: STOPTLS is not supported by the "
|
|
"OpenLDAP SDK";
|
|
result->rc = -1;
|
|
}
|
|
#else
|
|
if (tls != APR_LDAP_NONE) {
|
|
result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
|
|
"version of the OpenLDAP toolkit";
|
|
result->rc = -1;
|
|
}
|
|
#endif
|
|
#endif
|
|
|
|
/* Microsoft SDK */
|
|
#if APR_HAS_MICROSOFT_LDAPSDK
|
|
if (tls == APR_LDAP_NONE) {
|
|
ULONG ul = (ULONG) LDAP_OPT_OFF;
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, &ul);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: an attempt to set LDAP_OPT_SSL off "
|
|
"failed.";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
else if (tls == APR_LDAP_SSL) {
|
|
ULONG ul = (ULONG) LDAP_OPT_ON;
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, &ul);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: an attempt to set LDAP_OPT_SSL on "
|
|
"failed.";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
#if APR_HAS_LDAP_START_TLS_S
|
|
else if (tls == APR_LDAP_STARTTLS) {
|
|
result->rc = ldap_start_tls_s(ldap, NULL, NULL, NULL, NULL);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: ldap_start_tls_s() failed";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
else if (tls == APR_LDAP_STOPTLS) {
|
|
result->rc = ldap_stop_tls_s(ldap);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: ldap_stop_tls_s() failed";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
#endif
|
|
#endif
|
|
|
|
#if APR_HAS_OTHER_LDAPSDK
|
|
if (tls != APR_LDAP_NONE) {
|
|
result->reason = "LDAP: SSL/TLS is currently not supported by "
|
|
"APR on this LDAP SDK";
|
|
result->rc = -1;
|
|
}
|
|
#endif
|
|
|
|
#endif /* APR_HAS_LDAP_SSL */
|
|
|
|
}
|
|
|
|
/**
|
|
* Handle APR_LDAP_OPT_TLS_CACERTFILE
|
|
*
|
|
* This function sets the CA certificate for further SSL/TLS connections.
|
|
*
|
|
* The file provided are in different formats depending on the toolkit used:
|
|
*
|
|
* Netscape: cert7.db file
|
|
* Novell: PEM or DER
|
|
* OpenLDAP: PEM (others supported?)
|
|
* Microsoft: unknown
|
|
* Solaris: unknown
|
|
*/
|
|
static void option_set_cert(apr_pool_t *pool, LDAP *ldap,
|
|
const void *invalue, apr_ldap_err_t *result)
|
|
{
|
|
#if APR_HAS_LDAP_SSL
|
|
#if APR_HAS_LDAPSSL_CLIENT_INIT || APR_HAS_OPENLDAP_LDAPSDK
|
|
apr_array_header_t *certs = (apr_array_header_t *)invalue;
|
|
struct apr_ldap_opt_tls_cert_t *ents = (struct apr_ldap_opt_tls_cert_t *)certs->elts;
|
|
int i = 0;
|
|
#endif
|
|
|
|
/* Netscape/Mozilla/Solaris SDK */
|
|
#if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSDK
|
|
#if APR_HAS_LDAPSSL_CLIENT_INIT
|
|
const char *nickname = NULL;
|
|
const char *secmod = NULL;
|
|
const char *key3db = NULL;
|
|
const char *cert7db = NULL;
|
|
const char *password = NULL;
|
|
|
|
/* set up cert7.db, key3.db and secmod parameters */
|
|
for (i = 0; i < certs->nelts; i++) {
|
|
switch (ents[i].type) {
|
|
case APR_LDAP_CA_TYPE_CERT7_DB:
|
|
cert7db = ents[i].path;
|
|
break;
|
|
case APR_LDAP_CA_TYPE_SECMOD:
|
|
secmod = ents[i].path;
|
|
break;
|
|
case APR_LDAP_CERT_TYPE_KEY3_DB:
|
|
key3db = ents[i].path;
|
|
break;
|
|
case APR_LDAP_CERT_TYPE_NICKNAME:
|
|
nickname = ents[i].path;
|
|
password = ents[i].password;
|
|
break;
|
|
default:
|
|
result->rc = -1;
|
|
result->reason = "LDAP: The Netscape/Mozilla LDAP SDK only "
|
|
"understands the CERT7, KEY3 and SECMOD "
|
|
"file types.";
|
|
break;
|
|
}
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* actually set the certificate parameters */
|
|
if (result->rc == LDAP_SUCCESS) {
|
|
if (nickname) {
|
|
result->rc = ldapssl_enable_clientauth(ldap, "",
|
|
(char *)password,
|
|
(char *)nickname);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: could not set client certificate: "
|
|
"ldapssl_enable_clientauth() failed.";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
else if (secmod) {
|
|
result->rc = ldapssl_advclientauth_init(cert7db, NULL,
|
|
key3db ? 1 : 0, key3db, NULL,
|
|
1, secmod, LDAPSSL_AUTH_CNCHECK);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: ldapssl_advclientauth_init() failed.";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
else if (key3db) {
|
|
result->rc = ldapssl_clientauth_init(cert7db, NULL,
|
|
1, key3db, NULL);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: ldapssl_clientauth_init() failed.";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
else {
|
|
result->rc = ldapssl_client_init(cert7db, NULL);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->reason = "LDAP: ldapssl_client_init() failed.";
|
|
result->msg = ldap_err2string(result->rc);
|
|
}
|
|
}
|
|
}
|
|
#else
|
|
result->reason = "LDAP: SSL/TLS ldapssl_client_init() function not "
|
|
"supported by this Netscape/Mozilla/Solaris SDK. "
|
|
"Certificate authority file not set";
|
|
result->rc = -1;
|
|
#endif
|
|
#endif
|
|
|
|
/* Novell SDK */
|
|
#if APR_HAS_NOVELL_LDAPSDK
|
|
#if APR_HAS_LDAPSSL_CLIENT_INIT && APR_HAS_LDAPSSL_ADD_TRUSTED_CERT && APR_HAS_LDAPSSL_CLIENT_DEINIT
|
|
/* The Novell library cannot support per connection certificates. Error
|
|
* out if the ldap handle is provided.
|
|
*/
|
|
if (ldap) {
|
|
result->rc = -1;
|
|
result->reason = "LDAP: The Novell LDAP SDK cannot support the setting "
|
|
"of certificates or keys on a per connection basis.";
|
|
}
|
|
/* Novell's library needs to be initialised first */
|
|
else {
|
|
result->rc = ldapssl_client_init(NULL, NULL);
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
result->msg = ldap_err2string(result-> rc);
|
|
result->reason = apr_pstrdup(pool, "LDAP: Could not "
|
|
"initialize SSL");
|
|
}
|
|
}
|
|
/* set one or more certificates */
|
|
for (i = 0; LDAP_SUCCESS == result->rc && i < certs->nelts; i++) {
|
|
/* Novell SDK supports DER or BASE64 files. */
|
|
switch (ents[i].type) {
|
|
case APR_LDAP_CA_TYPE_DER:
|
|
result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
|
|
LDAPSSL_CERT_FILETYPE_DER);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_CA_TYPE_BASE64:
|
|
result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
|
|
LDAPSSL_CERT_FILETYPE_B64);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_CERT_TYPE_DER:
|
|
result->rc = ldapssl_set_client_cert((void *)ents[i].path,
|
|
LDAPSSL_CERT_FILETYPE_DER,
|
|
(void*)ents[i].password);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_CERT_TYPE_BASE64:
|
|
result->rc = ldapssl_set_client_cert((void *)ents[i].path,
|
|
LDAPSSL_CERT_FILETYPE_B64,
|
|
(void*)ents[i].password);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_CERT_TYPE_PFX:
|
|
result->rc = ldapssl_set_client_cert((void *)ents[i].path,
|
|
LDAPSSL_FILETYPE_P12,
|
|
(void*)ents[i].password);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_KEY_TYPE_DER:
|
|
result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
|
|
LDAPSSL_CERT_FILETYPE_DER,
|
|
(void*)ents[i].password);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_KEY_TYPE_BASE64:
|
|
result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
|
|
LDAPSSL_CERT_FILETYPE_B64,
|
|
(void*)ents[i].password);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_KEY_TYPE_PFX:
|
|
result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
|
|
LDAPSSL_FILETYPE_P12,
|
|
(void*)ents[i].password);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
default:
|
|
result->rc = -1;
|
|
result->reason = "LDAP: The Novell LDAP SDK only understands the "
|
|
"DER and PEM (BASE64) file types.";
|
|
break;
|
|
}
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
break;
|
|
}
|
|
}
|
|
#else
|
|
result->reason = "LDAP: ldapssl_client_init(), "
|
|
"ldapssl_add_trusted_cert() or "
|
|
"ldapssl_client_deinit() functions not supported "
|
|
"by this Novell SDK. Certificate authority file "
|
|
"not set";
|
|
result->rc = -1;
|
|
#endif
|
|
#endif
|
|
|
|
/* OpenLDAP SDK */
|
|
#if APR_HAS_OPENLDAP_LDAPSDK
|
|
#ifdef LDAP_OPT_X_TLS_CACERTFILE
|
|
/* set one or more certificates */
|
|
/* FIXME: make it support setting directories as well as files */
|
|
for (i = 0; i < certs->nelts; i++) {
|
|
/* OpenLDAP SDK supports BASE64 files. */
|
|
switch (ents[i].type) {
|
|
case APR_LDAP_CA_TYPE_BASE64:
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE,
|
|
(void *)ents[i].path);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_CERT_TYPE_BASE64:
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CERTFILE,
|
|
(void *)ents[i].path);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
case APR_LDAP_KEY_TYPE_BASE64:
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_KEYFILE,
|
|
(void *)ents[i].path);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
#ifdef LDAP_OPT_X_TLS_CACERTDIR
|
|
case APR_LDAP_CA_TYPE_CACERTDIR_BASE64:
|
|
result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTDIR,
|
|
(void *)ents[i].path);
|
|
result->msg = ldap_err2string(result->rc);
|
|
break;
|
|
#endif
|
|
default:
|
|
result->rc = -1;
|
|
result->reason = "LDAP: The OpenLDAP SDK only understands the "
|
|
"PEM (BASE64) file type.";
|
|
break;
|
|
}
|
|
if (result->rc != LDAP_SUCCESS) {
|
|
break;
|
|
}
|
|
}
|
|
#else
|
|
result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
|
|
"defined by this OpenLDAP SDK. Certificate "
|
|
"authority file not set";
|
|
result->rc = -1;
|
|
#endif
|
|
#endif
|
|
|
|
/* Microsoft SDK */
|
|
#if APR_HAS_MICROSOFT_LDAPSDK
|
|
/* Microsoft SDK use the registry certificate store - error out
|
|
* here with a message explaining this. */
|
|
result->reason = "LDAP: CA certificates cannot be set using this method, "
|
|
"as they are stored in the registry instead.";
|
|
result->rc = -1;
|
|
#endif
|
|
|
|
/* SDK not recognised */
|
|
#if APR_HAS_OTHER_LDAPSDK
|
|
result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
|
|
"defined by this LDAP SDK. Certificate "
|
|
"authority file not set";
|
|
result->rc = -1;
|
|
#endif
|
|
|
|
#else /* not compiled with SSL Support */
|
|
result->reason = "LDAP: Attempt to set certificate(s) failed. "
|
|
"Not built with SSL support";
|
|
result->rc = -1;
|
|
#endif /* APR_HAS_LDAP_SSL */
|
|
|
|
}
|
|
|
|
#endif /* APR_HAS_LDAP */
|
|
|