result->rc = -1; }#endif#endif /* Microsoft SDK */#if APR_HAS_MICROSOFT_LDAPSDK if (tls == APR_LDAP_NONE) { ULONG ul = (ULONG) LDAP_OPT_OFF; result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, &ul); if (result->rc != LDAP_SUCCESS) { result->reason = "LDAP: an attempt to set LDAP_OPT_SSL off " "failed."; result->msg = ldap_err2string(result->rc); } } else if (tls == APR_LDAP_SSL) { ULONG ul = (ULONG) LDAP_OPT_ON; result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, &ul); if (result->rc != LDAP_SUCCESS) { result->reason = "LDAP: an attempt to set LDAP_OPT_SSL on " "failed."; result->msg = ldap_err2string(result->rc); } }#if APR_HAS_LDAP_START_TLS_S else if (tls == APR_LDAP_STARTTLS) { result->rc = ldap_start_tls_s(ldap, NULL, NULL, NULL, NULL); if (result->rc != LDAP_SUCCESS) { result->reason = "LDAP: ldap_start_tls_s() failed"; result->msg = ldap_err2string(result->rc); } } else if (tls == APR_LDAP_STOPTLS) { result->rc = ldap_stop_tls_s(ldap); if (result->rc != LDAP_SUCCESS) { result->reason = "LDAP: ldap_stop_tls_s() failed"; result->msg = ldap_err2string(result->rc); } }#endif#endif#if APR_HAS_OTHER_LDAPSDK if (tls != APR_LDAP_NONE) { result->reason = "LDAP: SSL/TLS is currently not supported by " "APR on this LDAP SDK"; result->rc = -1; }#endif#endif /* APR_HAS_LDAP_SSL */}/** * Handle APR_LDAP_OPT_TLS_CACERTFILE * * This function sets the CA certificate for further SSL/TLS connections. * * The file provided are in different formats depending on the toolkit used: * * Netscape: cert7.db file * Novell: PEM or DER * OpenLDAP: PEM (others supported?) 
 * Microsoft: unknown
 * Solaris: unknown
 *
 * @param pool    Pool used for any allocated error text (only the Novell
 *                path allocates from it).
 * @param ldap    Connection handle the certificates apply to. Its meaning
 *                is SDK specific: the Novell path refuses a non-NULL
 *                handle because that SDK only supports process-wide
 *                certificate state; the OpenLDAP path passes it straight
 *                to ldap_set_option() (NOTE(review): with a NULL handle
 *                OpenLDAP is documented to apply TLS options to the
 *                library-wide defaults - confirm that is intended by
 *                callers).
 * @param invalue Really an apr_array_header_t of
 *                struct apr_ldap_opt_tls_cert_t entries (type, path and,
 *                for client certificates/keys, password). Not checked for
 *                NULL here; presumably validated by the caller.
 * @param result  Out: rc (LDAP_SUCCESS or an SDK code, -1 for errors
 *                detected here), a static reason string, and msg from
 *                ldap_err2string() where an SDK call produced the code.
 *                Exactly one SDK branch below is compiled in; all of them
 *                stop at the first failing entry.
 *
 * NOTE(review): this function only installs trust anchors / client
 * credentials. Whether the server certificate is actually required to
 * verify against them is governed by the SDK's separate require-cert
 * setting (e.g. LDAP_OPT_X_TLS_REQUIRE_CERT on OpenLDAP), which is not
 * touched here - confirm it is set elsewhere when verification is
 * expected.
 */
static void option_set_cert(apr_pool_t *pool, LDAP *ldap,
                            const void *invalue, apr_ldap_err_t *result)
{
#if APR_HAS_LDAP_SSL
#if APR_HAS_LDAPSSL_CLIENT_INIT || APR_HAS_OPENLDAP_LDAPSDK
    apr_array_header_t *certs = (apr_array_header_t *)invalue;
    struct apr_ldap_opt_tls_cert_t *ents =
        (struct apr_ldap_opt_tls_cert_t *)certs->elts;
    int i = 0;
#endif

    /* Netscape/Mozilla/Solaris SDK */
#if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSDK
#if APR_HAS_LDAPSSL_CLIENT_INIT
    const char *nickname = NULL;
    const char *secmod = NULL;
    const char *key3db = NULL;
    const char *cert7db = NULL;
    const char *password = NULL;

    /* set up cert7.db, key3.db and secmod parameters */
    /* First pass only collects paths; if a type appears more than once the
     * last entry wins. NOTE(review): the loop reads result->rc before this
     * function has written it, so it assumes rc == LDAP_SUCCESS on entry -
     * confirm the caller zero-initialises *result. */
    for (i = 0; i < certs->nelts; i++) {
        switch (ents[i].type) {
        case APR_LDAP_CA_TYPE_CERT7_DB:
            cert7db = ents[i].path;
            break;
        case APR_LDAP_CA_TYPE_SECMOD:
            secmod = ents[i].path;
            break;
        case APR_LDAP_CERT_TYPE_KEY3_DB:
            key3db = ents[i].path;
            break;
        case APR_LDAP_CERT_TYPE_NICKNAME:
            nickname = ents[i].path;
            password = ents[i].password;
            break;
        default:
            /* reason is set but msg is not: no SDK call produced this code */
            result->rc = -1;
            result->reason = "LDAP: The Netscape/Mozilla LDAP SDK only "
                             "understands the CERT7, KEY3 and SECMOD "
                             "file types.";
            break;
        }
        if (result->rc != LDAP_SUCCESS) {
            break;
        }
    }

    /* actually set the certificate parameters */
    /* Second pass picks exactly one initialisation call, in priority order:
     * client-auth by nickname, then advanced init with a secmod module,
     * then plain client-auth init with key3.db, else CA-only init. */
    if (result->rc == LDAP_SUCCESS) {
        if (nickname) {
            result->rc = ldapssl_enable_clientauth(ldap, "", (char *)password,
                                                   (char *)nickname);
            if (result->rc != LDAP_SUCCESS) {
                result->reason = "LDAP: could not set client certificate: "
                                 "ldapssl_enable_clientauth() failed.";
                result->msg = ldap_err2string(result->rc);
            }
        }
        else if (secmod) {
            /* This is the only Netscape path that passes
             * LDAPSSL_AUTH_CNCHECK (presumably server CN verification);
             * the two init calls below take no such flag. */
            result->rc = ldapssl_advclientauth_init(cert7db, NULL,
                                                    key3db ? 1 : 0, key3db, NULL,
                                                    1, secmod,
                                                    LDAPSSL_AUTH_CNCHECK);
            if (result->rc != LDAP_SUCCESS) {
                result->reason = "LDAP: ldapssl_advclientauth_init() failed.";
                result->msg = ldap_err2string(result->rc);
            }
        }
        else if (key3db) {
            result->rc = ldapssl_clientauth_init(cert7db, NULL, 1, key3db, NULL);
            if (result->rc != LDAP_SUCCESS) {
                result->reason = "LDAP: ldapssl_clientauth_init() failed.";
                result->msg = ldap_err2string(result->rc);
            }
        }
        else {
            result->rc = ldapssl_client_init(cert7db, NULL);
            if (result->rc != LDAP_SUCCESS) {
                result->reason = "LDAP: ldapssl_client_init() failed.";
                result->msg = ldap_err2string(result->rc);
            }
        }
    }
#else
    result->reason = "LDAP: SSL/TLS ldapssl_client_init() function not "
                     "supported by this Netscape/Mozilla/Solaris SDK. "
                     "Certificate authority file not set";
    result->rc = -1;
#endif
#endif

    /* Novell SDK */
#if APR_HAS_NOVELL_LDAPSDK
#if APR_HAS_LDAPSSL_CLIENT_INIT && APR_HAS_LDAPSSL_ADD_TRUSTED_CERT && APR_HAS_LDAPSSL_CLIENT_DEINIT
    /* The Novell library cannot support per connection certificates. Error
     * out if the ldap handle is provided. */
    if (ldap) {
        /* rc is set here so the loop below is skipped; msg stays untouched */
        result->rc = -1;
        result->reason = "LDAP: The Novell LDAP SDK cannot support the setting "
                         "of certificates or keys on a per connection basis.";
    }
    /* Novell's library needs to be initialised first */
    else {
        result->rc = ldapssl_client_init(NULL, NULL);
        if (result->rc != LDAP_SUCCESS) {
            result->msg = ldap_err2string(result->rc);
            /* Inconsistent with the other branches, which assign a static
             * literal; the pstrdup is harmless but not needed. */
            result->reason = apr_pstrdup(pool, "LDAP: Could not "
                                               "initialize SSL");
        }
    }

    /* set one or more certificates */
    /* None of the ldapssl_* calls below take a handle, so the trust
     * anchors and client credentials installed here are process-wide.
     * msg is refreshed from ldap_err2string() after every call, i.e. it
     * also holds the "success" text when rc == LDAP_SUCCESS. */
    for (i = 0; LDAP_SUCCESS == result->rc && i < certs->nelts; i++) {
        /* Novell SDK supports DER or BASE64 files. */
        switch (ents[i].type) {
        case APR_LDAP_CA_TYPE_DER:
            result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
                                                  LDAPSSL_CERT_FILETYPE_DER);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_CA_TYPE_BASE64:
            result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
                                                  LDAPSSL_CERT_FILETYPE_B64);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_CERT_TYPE_DER:
            result->rc = ldapssl_set_client_cert((void *)ents[i].path,
                                                 LDAPSSL_CERT_FILETYPE_DER,
                                                 (void*)ents[i].password);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_CERT_TYPE_BASE64:
            result->rc = ldapssl_set_client_cert((void *)ents[i].path,
                                                 LDAPSSL_CERT_FILETYPE_B64,
                                                 (void*)ents[i].password);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_CERT_TYPE_PFX:
            result->rc = ldapssl_set_client_cert((void *)ents[i].path,
                                                 LDAPSSL_FILETYPE_P12,
                                                 (void*)ents[i].password);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_KEY_TYPE_DER:
            result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
                                                        LDAPSSL_CERT_FILETYPE_DER,
                                                        (void*)ents[i].password);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_KEY_TYPE_BASE64:
            result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
                                                        LDAPSSL_CERT_FILETYPE_B64,
                                                        (void*)ents[i].password);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_KEY_TYPE_PFX:
            result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
                                                        LDAPSSL_FILETYPE_P12,
                                                        (void*)ents[i].password);
            result->msg = ldap_err2string(result->rc);
            break;
        default:
            /* msg is not updated here, so it may still hold the previous
             * entry's text */
            result->rc = -1;
            result->reason = "LDAP: The Novell LDAP SDK only understands the "
                             "DER and PEM (BASE64) file types.";
            break;
        }
        if (result->rc != LDAP_SUCCESS) {
            break;
        }
    }
#else
    result->reason = "LDAP: ldapssl_client_init(), "
                     "ldapssl_add_trusted_cert() or "
                     "ldapssl_client_deinit() functions not supported "
                     "by this Novell SDK. Certificate authority file "
                     "not set";
    result->rc = -1;
#endif
#endif

    /* OpenLDAP SDK */
#if APR_HAS_OPENLDAP_LDAPSDK
#ifdef LDAP_OPT_X_TLS_CACERTFILE
    /* set one or more certificates */
    /* FIXME: make it support setting directories as well as files */
    /* Each entry maps to one ldap_set_option() on the given handle; the
     * path is passed through as-is (the (void *) cast only drops const).
     * As in the Novell branch, msg is refreshed after every call and is
     * left stale on the default: path. */
    for (i = 0; i < certs->nelts; i++) {
        /* OpenLDAP SDK supports BASE64 files. */
        switch (ents[i].type) {
        case APR_LDAP_CA_TYPE_BASE64:
            result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE,
                                         (void *)ents[i].path);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_CERT_TYPE_BASE64:
            result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CERTFILE,
                                         (void *)ents[i].path);
            result->msg = ldap_err2string(result->rc);
            break;
        case APR_LDAP_KEY_TYPE_BASE64:
            result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_KEYFILE,
                                         (void *)ents[i].path);
            result->msg = ldap_err2string(result->rc);
            break;
#ifdef LDAP_OPT_X_TLS_CACERTDIR
        case APR_LDAP_CA_TYPE_CACERTDIR_BASE64:
            result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTDIR,
                                         (void *)ents[i].path);
            result->msg = ldap_err2string(result->rc);
            break;
#endif
        default:
            result->rc = -1;
            result->reason = "LDAP: The OpenLDAP SDK only understands the "
                             "PEM (BASE64) file type.";
            break;
        }
        if (result->rc != LDAP_SUCCESS) {
            break;
        }
    }
#else
    result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
                     "defined by this OpenLDAP SDK. Certificate "
                     "authority file not set";
    result->rc = -1;
#endif
#endif

    /* Microsoft SDK */
#if APR_HAS_MICROSOFT_LDAPSDK
    /* Microsoft SDK use the registry certificate store - error out
     * here with a message explaining this. */
    /* pool, ldap and invalue are unused in this configuration. */
    result->reason = "LDAP: CA certificates cannot be set using this method, "
                     "as they are stored in the registry instead.";
    result->rc = -1;
#endif

    /* SDK not recognised */
#if APR_HAS_OTHER_LDAPSDK
    result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
                     "defined by this LDAP SDK. Certificate "
                     "authority file not set";
    result->rc = -1;
#endif

#else  /* not compiled with SSL Support */
    /* Without SSL support no argument is examined; the error is
     * unconditional. */
    result->reason = "LDAP: Attempt to set certificate(s) failed. "
                     "Not built with SSL support";
    result->rc = -1;
#endif /* APR_HAS_LDAP_SSL */
}
#endif /* APR_HAS_LDAP */