Home Verkennen Help
Registreren Inloggen
third
/
freeswitch
2
0
Vork 0
Bestanden
Aftakking: bootstrap
Aftakkingen Labels
freeswitch
/
libs
/
apr-util
/
ldap
/
apr_ldap_option.c

apr_ldap_option.c 21 KB
Permalink Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598 
  1. /* Copyright 2000-2005 The Apache Software Foundation or its licensors, as
    2. 

  2.  * applicable.
    3. 

  3.  *
    4. 

  4.  * Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5.  * you may not use this file except in compliance with the License.
    6. 

  6.  * You may obtain a copy of the License at
    7. 

  7.  *
    8. 

  8.  *     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9.  *
    10. 

  10.  * Unless required by applicable law or agreed to in writing, software
    11. 

  11.  * distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13.  * See the License for the specific language governing permissions and
    14. 

  14.  * limitations under the License.
    15. 

  15.  */
    16. 

  16. 

  17. /*  apr_ldap_option.c -- LDAP options
    18. 

  18.  *
    19. 

  19.  *  The LDAP SDK allows the getting and setting of options on an LDAP
    20. 

  20.  *  connection.
    21. 

  21.  *
    22. 

  22.  */
    23. 

  23. 

  24. #include "apr.h"
    25. 

  25. #include "apu.h"
    26. 

  26. #include "apr_ldap.h"
    27. 

  27. #include "apr_errno.h"
    28. 

  28. #include "apr_pools.h"
    29. 

  29. #include "apr_strings.h"
    30. 

  30. #include "apr_tables.h"
    31. 

  31. 

  32. #if APR_HAS_LDAP
    33. 

  33. 

  34. static void option_set_cert(apr_pool_t *pool, LDAP *ldap, const void *invalue,
    35. 

  35.                            apr_ldap_err_t *result);
    36. 

  36. static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
    37. 

  37.                           apr_ldap_err_t *result);
    38. 

  38. 

  39. /**
    40. 

  40.  * APR LDAP get option function
    41. 

  41.  *
    42. 

  42.  * This function gets option values from a given LDAP session if
    43. 

  43.  * one was specified.
    44. 

  44.  */
    45. 

  45. APU_DECLARE(int) apr_ldap_get_option(apr_pool_t *pool,
    46. 

  46.                                      LDAP *ldap,
    47. 

  47.                                      int option,
    48. 

  48.                                      void *outvalue,
    49. 

  49.                                      apr_ldap_err_t **result_err)
    50. 

  50. {
    51. 

  51.     apr_ldap_err_t *result;
    52. 

  52. 

  53.     result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
    54. 

  54.     *result_err = result;
    55. 

  55.     if (!result) {
    56. 

  56.         return APR_ENOMEM;
    57. 

  57.     }
    58. 

  58. 

  59.     /* get the option specified using the native LDAP function */
    60. 

  60.     result->rc = ldap_get_option(ldap, option, outvalue);
    61. 

  61. 

  62.     /* handle the error case */
    63. 

  63.     if (result->rc != LDAP_SUCCESS) {
    64. 

  64.         result->msg = ldap_err2string(result-> rc);
    65. 

  65.         result->reason = apr_pstrdup(pool, "LDAP: Could not get an option");
    66. 

  66.         return APR_EGENERAL;
    67. 

  67.     }
    68. 

  68. 

  69.     return APR_SUCCESS;
    70. 

  70. 

  71. } 
    72. 

  72. 

  73. /**
    74. 

  74.  * APR LDAP set option function
    75. 

  75.  *
    76. 

  76.  * This function sets option values to a given LDAP session if
    77. 

  77.  * one was specified.
    78. 

  78.  *
    79. 

  79.  * Where an option is not supported by an LDAP toolkit, this function
    80. 

  80.  * will try and apply legacy functions to achieve the same effect,
    81. 

  81.  * depending on the platform.
    82. 

  82.  */
    83. 

  83. APU_DECLARE(int) apr_ldap_set_option(apr_pool_t *pool,
    84. 

  84.                                      LDAP *ldap,
    85. 

  85.                                      int option,
    86. 

  86.                                      const void *invalue,
    87. 

  87.                                      apr_ldap_err_t **result_err)
    88. 

  88. {
    89. 

  89.     apr_ldap_err_t *result;
    90. 

  90. 

  91.     result = apr_pcalloc(pool, sizeof(apr_ldap_err_t));
    92. 

  92.     *result_err = result;
    93. 

  93.     if (!result) {
    94. 

  94.         return APR_ENOMEM;
    95. 

  95.     }
    96. 

  96. 

  97.     switch (option) {
    98. 

  98.     case APR_LDAP_OPT_TLS_CERT:
    99. 

  99.         option_set_cert(pool, ldap, invalue, result);
    100. 

  100.         break;
    101. 

  101. 

  102.     case APR_LDAP_OPT_TLS:
    103. 

  103.         option_set_tls(pool, ldap, invalue, result);
    104. 

  104.         break;
    105. 

  105.         
    106. 

  106.     case APR_LDAP_OPT_VERIFY_CERT:
    107. 

  107. #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
    108. 

  108.         result->reason = "LDAP: Verify certificate not yet supported by APR on the "
    109. 

  109.                          "Netscape, Solaris or Mozilla LDAP SDKs";
    110. 

  110.         result->rc = -1;
    111. 

  111.         return APR_EGENERAL;
    112. 

  112. #endif
    113. 

  113. #if APR_HAS_NOVELL_LDAPSDK
    114. 

  114.         if (*((int*)invalue)) {
    115. 

  115.             result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_SERVER);
    116. 

  116.         }
    117. 

  117.         else {
    118. 

  118.             result->rc = ldapssl_set_verify_mode(LDAPSSL_VERIFY_NONE);
    119. 

  119.         }
    120. 

  120. #endif
    121. 

  121. #if APR_HAS_OPENLDAP_LDAPSDK
    122. 

  122. #ifdef LDAP_OPT_X_TLS
    123. 

  123. 		/* This is not a per-connection setting so just pass NULL for the
    124. 

  124. 		   Ldap connection handle */
    125. 

  125.         if (*((int*)invalue)) {
    126. 

  126. 			int i = LDAP_OPT_X_TLS_DEMAND;
    127. 

  127. 			result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
    128. 

  128.         }
    129. 

  129.         else {
    130. 

  130. 			int i = LDAP_OPT_X_TLS_NEVER;
    131. 

  131. 			result->rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &i);
    132. 

  132.         }
    133. 

  133. #else
    134. 

  134.         result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
    135. 

  135.                          "version of the OpenLDAP toolkit";
    136. 

  136.         result->rc = -1;
    137. 

  137.         return APR_EGENERAL;
    138. 

  138. #endif
    139. 

  139. #endif
    140. 

  140. 

  141.         /* handle the error case */
    142. 

  142.         if (result->rc != LDAP_SUCCESS) {
    143. 

  143.             result->msg = ldap_err2string(result->rc);
    144. 

  144.             result->reason = "LDAP: Could not set verify mode";
    145. 

  145.         }
    146. 

  146.         break;
    147. 

  147.         
    148. 

  148.     default:
    149. 

  149.         /* set the option specified using the native LDAP function */
    150. 

  150.         result->rc = ldap_set_option(ldap, option, (void *)invalue);
    151. 

  151.         
    152. 

  152.         /* handle the error case */
    153. 

  153.         if (result->rc != LDAP_SUCCESS) {
    154. 

  154.             result->msg = ldap_err2string(result->rc);
    155. 

  155.             result->reason = "LDAP: Could not set an option";
    156. 

  156.         }
    157. 

  157.         break;
    158. 

  158.     }
    159. 

  159. 

  160.     /* handle the error case */
    161. 

  161.     if (result->rc != LDAP_SUCCESS) {
    162. 

  162.         return APR_EGENERAL;
    163. 

  163.     }
    164. 

  164. 

  165.     return APR_SUCCESS;
    166. 

  166. 

  167. }
    168. 

  168. 

  169. /**
    170. 

  170.  * Handle APR_LDAP_OPT_TLS
    171. 

  171.  *
    172. 

  172.  * This function sets the type of TLS to be applied to this connection.
    173. 

  173.  * The options are:
    174. 

  174.  * APR_LDAP_NONE: no encryption
    175. 

  175.  * APR_LDAP_SSL: SSL encryption (ldaps://)
    176. 

  176.  * APR_LDAP_STARTTLS: STARTTLS encryption
    177. 

  177.  * APR_LDAP_STOPTLS: Stop existing TLS connecttion
    178. 

  178.  */
    179. 

  179. static void option_set_tls(apr_pool_t *pool, LDAP *ldap, const void *invalue,
    180. 

  180.                           apr_ldap_err_t *result)
    181. 

  181. {
    182. 

  182.     int tls = * (const int *)invalue;
    183. 

  183. 

  184. #if APR_HAS_LDAP_SSL /* compiled with ssl support */
    185. 

  185. 

  186.     /* Netscape/Mozilla/Solaris SDK */
    187. 

  187. #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSK
    188. 

  188. #if APR_HAS_LDAPSSL_INSTALL_ROUTINES
    189. 

  189.     if (tls == APR_LDAP_SSL) {
    190. 

  190.         result->rc = ldapssl_install_routines(ldap);
    191. 

  191. #ifdef LDAP_OPT_SSL
    192. 

  192.         /* apparently Netscape and Mozilla need this too, Solaris doesn't */
    193. 

  193.         if (result->rc == LDAP_SUCCESS) {
    194. 

  194.             result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
    195. 

  195.         }
    196. 

  196. #endif
    197. 

  197.         if (result->rc != LDAP_SUCCESS) {
    198. 

  198.             result->msg = ldap_err2string(result->rc);
    199. 

  199.             result->reason = "LDAP: Could not switch SSL on for this "
    200. 

  200.                              "connection.";
    201. 

  201.         }
    202. 

  202.     }
    203. 

  203.     else if (tls == APR_LDAP_STARTTLS) {
    204. 

  204.         result->reason = "LDAP: STARTTLS is not supported by the "
    205. 

  205.                          "Netscape/Mozilla/Solaris SDK";
    206. 

  206.         result->rc = -1;
    207. 

  207.     }
    208. 

  208.     else if (tls == APR_LDAP_STOPTLS) {
    209. 

  209.         result->reason = "LDAP: STOPTLS is not supported by the "
    210. 

  210.                          "Netscape/Mozilla/Solaris SDK";
    211. 

  211.         result->rc = -1;
    212. 

  212.     }
    213. 

  213. #else
    214. 

  214.     if (tls != APR_LDAP_NONE) {
    215. 

  215.         result->reason = "LDAP: SSL/TLS is not supported by this version "
    216. 

  216.                          "of the Netscape/Mozilla/Solaris SDK";
    217. 

  217.         result->rc = -1;
    218. 

  218.     }
    219. 

  219. #endif
    220. 

  220. #endif
    221. 

  221. 

  222.     /* Novell SDK */
    223. 

  223. #if APR_HAS_NOVELL_LDAPSDK
    224. 

  224.     /* ldapssl_install_routines(ldap)
    225. 

  225.      * Behavior is unpredictable when other LDAP functions are called
    226. 

  226.      * between the ldap_init function and the ldapssl_install_routines
    227. 

  227.      * function.
    228. 

  228.      * 
    229. 

  229.      * STARTTLS is supported by the ldap_start_tls_s() method
    230. 

  230.      */
    231. 

  231.     if (tls == APR_LDAP_SSL) {
    232. 

  232.         result->rc = ldapssl_install_routines(ldap);
    233. 

  233.         if (result->rc != LDAP_SUCCESS) {
    234. 

  234.             result->msg = ldap_err2string(result->rc);
    235. 

  235.             result->reason = "LDAP: Could not switch SSL on for this "
    236. 

  236.                              "connection.";
    237. 

  237.         }
    238. 

  238.     }
    239. 

  239.     if (tls == APR_LDAP_STARTTLS) {
    240. 

  240.         result->rc = ldapssl_start_tls(ldap);
    241. 

  241.         if (result->rc != LDAP_SUCCESS) {
    242. 

  242.             result->msg = ldap_err2string(result->rc);
    243. 

  243.             result->reason = "LDAP: Could not start TLS on this connection";
    244. 

  244.         }
    245. 

  245.     }
    246. 

  246.     else if (tls == APR_LDAP_STOPTLS) {
    247. 

  247.         result->rc = ldapssl_stop_tls(ldap);
    248. 

  248.         if (result->rc != LDAP_SUCCESS) {
    249. 

  249.             result->msg = ldap_err2string(result->rc);
    250. 

  250.             result->reason = "LDAP: Could not stop TLS on this connection";
    251. 

  251.         }
    252. 

  252.     }
    253. 

  253. #endif
    254. 

  254. 

  255.     /* OpenLDAP SDK */
    256. 

  256. #if APR_HAS_OPENLDAP_LDAPSDK
    257. 

  257. #ifdef LDAP_OPT_X_TLS
    258. 

  258.     if (tls == APR_LDAP_SSL) {
    259. 

  259.         int SSLmode = LDAP_OPT_X_TLS_HARD;
    260. 

  260.         result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS, &SSLmode);
    261. 

  261.         if (result->rc != LDAP_SUCCESS) {
    262. 

  262.             result->reason = "LDAP: ldap_set_option failed. "
    263. 

  263.                              "Could not set LDAP_OPT_X_TLS to "
    264. 

  264.                              "LDAP_OPT_X_TLS_HARD";
    265. 

  265.             result->msg = ldap_err2string(result->rc);
    266. 

  266.         }   
    267. 

  267.     }
    268. 

  268.     else if (tls == APR_LDAP_STARTTLS) {
    269. 

  269.         result->rc = ldap_start_tls_s(ldap, NULL, NULL);
    270. 

  270.         if (result->rc != LDAP_SUCCESS) {
    271. 

  271.             result->reason = "LDAP: ldap_start_tls_s() failed";
    272. 

  272.             result->msg = ldap_err2string(result->rc);
    273. 

  273.         }
    274. 

  274.     }
    275. 

  275.     else if (tls == APR_LDAP_STOPTLS) {
    276. 

  276.         result->reason = "LDAP: STOPTLS is not supported by the "
    277. 

  277.                          "OpenLDAP SDK";
    278. 

  278.         result->rc = -1;
    279. 

  279.     }
    280. 

  280. #else
    281. 

  281.     if (tls != APR_LDAP_NONE) {
    282. 

  282.         result->reason = "LDAP: SSL/TLS not yet supported by APR on this "
    283. 

  283.                          "version of the OpenLDAP toolkit";
    284. 

  284.         result->rc = -1;
    285. 

  285.     }
    286. 

  286. #endif
    287. 

  287. #endif
    288. 

  288. 

  289.     /* Microsoft SDK */
    290. 

  290. #if APR_HAS_MICROSOFT_LDAPSDK
    291. 

  291.     if (tls == APR_LDAP_NONE) {
    292. 

  292.         result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_OFF);
    293. 

  293.         if (result->rc != LDAP_SUCCESS) {
    294. 

  294.             result->reason = "LDAP: an attempt to set LDAP_OPT_SSL off "
    295. 

  295.                              "failed.";
    296. 

  296.             result->msg = ldap_err2string(result->rc);
    297. 

  297.         }
    298. 

  298.     }
    299. 

  299.     else if (tls == APR_LDAP_SSL) {
    300. 

  300.         result->rc = ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
    301. 

  301.         if (result->rc != LDAP_SUCCESS) {
    302. 

  302.             result->reason = "LDAP: an attempt to set LDAP_OPT_SSL on "
    303. 

  303.                              "failed.";
    304. 

  304.             result->msg = ldap_err2string(result->rc);
    305. 

  305.         }
    306. 

  306.     }
    307. 

  307. #if APR_HAS_LDAP_START_TLS_S
    308. 

  308.     else if (tls == APR_LDAP_STARTTLS) {
    309. 

  309.         result->rc = ldap_start_tls_s(ldap, NULL, NULL, NULL, NULL);
    310. 

  310.         if (result->rc != LDAP_SUCCESS) {
    311. 

  311.             result->reason = "LDAP: ldap_start_tls_s() failed";
    312. 

  312.             result->msg = ldap_err2string(result->rc);
    313. 

  313.         }
    314. 

  314.     }
    315. 

  315.     else if (tls == APR_LDAP_STOPTLS) {
    316. 

  316.         result->rc = ldap_stop_tls_s(ldap);
    317. 

  317.         if (result->rc != LDAP_SUCCESS) {
    318. 

  318.             result->reason = "LDAP: ldap_stop_tls_s() failed";
    319. 

  319.             result->msg = ldap_err2string(result->rc);
    320. 

  320.         }
    321. 

  321.     }
    322. 

  322. #endif
    323. 

  323. #endif
    324. 

  324. 

  325. #if APR_HAS_OTHER_LDAPSDK
    326. 

  326.     if (tls != APR_LDAP_NONE) {
    327. 

  327.         result->reason = "LDAP: SSL/TLS is currently not supported by "
    328. 

  328.                          "APR on this LDAP SDK";
    329. 

  329.         result->rc = -1;
    330. 

  330.     }
    331. 

  331. #endif
    332. 

  332. 

  333. #endif /* APR_HAS_LDAP_SSL */
    334. 

  334. 

  335. }
    336. 

  336. 

  337. /**
    338. 

  338.  * Handle APR_LDAP_OPT_TLS_CACERTFILE
    339. 

  339.  *
    340. 

  340.  * This function sets the CA certificate for further SSL/TLS connections.
    341. 

  341.  *
    342. 

  342.  * The file provided are in different formats depending on the toolkit used:
    343. 

  343.  *
    344. 

  344.  * Netscape: cert7.db file
    345. 

  345.  * Novell: PEM or DER
    346. 

  346.  * OpenLDAP: PEM (others supported?)
    347. 

  347.  * Microsoft: unknown
    348. 

  348.  * Solaris: unknown
    349. 

  349.  */
    350. 

  350. static void option_set_cert(apr_pool_t *pool, LDAP *ldap,
    351. 

  351.                            const void *invalue, apr_ldap_err_t *result)
    352. 

  352. {
    353. 

  353.     apr_array_header_t *certs = (apr_array_header_t *)invalue;
    354. 

  354.     struct apr_ldap_opt_tls_cert_t *ents = (struct apr_ldap_opt_tls_cert_t *)certs->elts;
    355. 

  355.     int i = 0;
    356. 

  356. 

  357. #if APR_HAS_LDAP_SSL
    358. 

  358. 

  359.     /* Netscape/Mozilla/Solaris SDK */
    360. 

  360. #if APR_HAS_NETSCAPE_LDAPSDK || APR_HAS_SOLARIS_LDAPSDK || APR_HAS_MOZILLA_LDAPSDK
    361. 

  361. #if APR_HAS_LDAPSSL_CLIENT_INIT
    362. 

  362.     const char *nickname = NULL;
    363. 

  363.     const char *secmod = NULL;
    364. 

  364.     const char *key3db = NULL;
    365. 

  365.     const char *cert7db = NULL;
    366. 

  366.     const char *password = NULL;
    367. 

  367. 

  368.     /* set up cert7.db, key3.db and secmod parameters */
    369. 

  369.     for (i = 0; i < certs->nelts; i++) {
    370. 

  370.         switch (ents[i].type) {
    371. 

  371.         case APR_LDAP_CA_TYPE_CERT7_DB:
    372. 

  372.             cert7db = ents[i].path;
    373. 

  373.             break;
    374. 

  374.         case APR_LDAP_CA_TYPE_SECMOD:
    375. 

  375.             secmod = ents[i].path;
    376. 

  376.             break;
    377. 

  377.         case APR_LDAP_CERT_TYPE_KEY3_DB:
    378. 

  378.             key3db = ents[i].path;
    379. 

  379.             break;
    380. 

  380.         case APR_LDAP_CERT_TYPE_NICKNAME:
    381. 

  381.             nickname = ents[i].path;
    382. 

  382.             password = ents[i].password;
    383. 

  383.             break;
    384. 

  384.         default:
    385. 

  385.             result->rc = -1;
    386. 

  386.             result->reason = "LDAP: The Netscape/Mozilla LDAP SDK only "
    387. 

  387.                 "understands the CERT7, KEY3 and SECMOD "
    388. 

  388.                 "file types.";
    389. 

  389.             break;
    390. 

  390.         }
    391. 

  391.         if (result->rc != LDAP_SUCCESS) {
    392. 

  392.             break;
    393. 

  393.         }
    394. 

  394.     }
    395. 

  395. 

  396.     /* actually set the certificate parameters */
    397. 

  397.     if (result->rc == LDAP_SUCCESS) {
    398. 

  398.         if (nickname) {
    399. 

  399.             result->rc = ldapssl_enable_clientauth(ldap, "",
    400. 

  400.                                                    (char *)password,
    401. 

  401.                                                    (char *)nickname);
    402. 

  402.             if (result->rc != LDAP_SUCCESS) {
    403. 

  403.                 result->reason = "LDAP: could not set client certificate: "
    404. 

  404.                                  "ldapssl_enable_clientauth() failed.";
    405. 

  405.                 result->msg = ldap_err2string(result->rc);
    406. 

  406.             }
    407. 

  407.         }
    408. 

  408.         else if (secmod) {
    409. 

  409.             result->rc = ldapssl_advclientauth_init(cert7db, NULL,
    410. 

  410.                                                     key3db ? 1 : 0, key3db, NULL,
    411. 

  411.                                                     1, secmod, LDAPSSL_AUTH_CNCHECK);
    412. 

  412.             if (result->rc != LDAP_SUCCESS) {
    413. 

  413.                 result->reason = "LDAP: ldapssl_advclientauth_init() failed.";
    414. 

  414.                 result->msg = ldap_err2string(result->rc);
    415. 

  415.             }
    416. 

  416.         }
    417. 

  417.         else if (key3db) {
    418. 

  418.             result->rc = ldapssl_clientauth_init(cert7db, NULL,
    419. 

  419.                                                     1, key3db, NULL);
    420. 

  420.             if (result->rc != LDAP_SUCCESS) {
    421. 

  421.                 result->reason = "LDAP: ldapssl_clientauth_init() failed.";
    422. 

  422.                 result->msg = ldap_err2string(result->rc);
    423. 

  423.             }
    424. 

  424.         }
    425. 

  425.         else {
    426. 

  426.             result->rc = ldapssl_client_init(cert7db, NULL);
    427. 

  427.             if (result->rc != LDAP_SUCCESS) {
    428. 

  428.                 result->reason = "LDAP: ldapssl_client_init() failed.";
    429. 

  429.                 result->msg = ldap_err2string(result->rc);
    430. 

  430.             }
    431. 

  431.         }
    432. 

  432.     }
    433. 

  433. #else
    434. 

  434.     result->reason = "LDAP: SSL/TLS ldapssl_client_init() function not "
    435. 

  435.                      "supported by this Netscape/Mozilla/Solaris SDK. "
    436. 

  436.                      "Certificate authority file not set";
    437. 

  437.     result->rc = -1;
    438. 

  438. #endif
    439. 

  439. #endif
    440. 

  440. 

  441.     /* Novell SDK */
    442. 

  442. #if APR_HAS_NOVELL_LDAPSDK
    443. 

  443. #if APR_HAS_LDAPSSL_CLIENT_INIT && APR_HAS_LDAPSSL_ADD_TRUSTED_CERT && APR_HAS_LDAPSSL_CLIENT_DEINIT
    444. 

  444.     /* The Novell library cannot support per connection certificates. Error
    445. 

  445.      * out if the ldap handle is provided.
    446. 

  446.      */
    447. 

  447.     if (ldap) {
    448. 

  448.         result->rc = -1;
    449. 

  449.         result->reason = "LDAP: The Novell LDAP SDK cannot support the setting "
    450. 

  450.                          "of certificates or keys on a per connection basis.";
    451. 

  451.     }
    452. 

  452.     /* Novell's library needs to be initialised first */
    453. 

  453.     else {
    454. 

  454.         result->rc = ldapssl_client_init(NULL, NULL);
    455. 

  455.         if (result->rc != LDAP_SUCCESS) {
    456. 

  456.             result->msg = ldap_err2string(result-> rc);
    457. 

  457.             result->reason = apr_pstrdup(pool, "LDAP: Could not "
    458. 

  458.                                          "initialize SSL");
    459. 

  459.         }
    460. 

  460.     }
    461. 

  461.     /* set one or more certificates */
    462. 

  462.     for (i = 0; LDAP_SUCCESS == result->rc && i < certs->nelts; i++) {
    463. 

  463.         /* Novell SDK supports DER or BASE64 files. */
    464. 

  464.         switch (ents[i].type) {
    465. 

  465.         case APR_LDAP_CA_TYPE_DER:
    466. 

  466.             result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
    467. 

  467.                                                   LDAPSSL_CERT_FILETYPE_DER);
    468. 

  468.             result->msg = ldap_err2string(result->rc);
    469. 

  469.             break;
    470. 

  470.         case APR_LDAP_CA_TYPE_BASE64:
    471. 

  471.             result->rc = ldapssl_add_trusted_cert((void *)ents[i].path,
    472. 

  472.                                                   LDAPSSL_CERT_FILETYPE_B64);
    473. 

  473.             result->msg = ldap_err2string(result->rc);
    474. 

  474.             break;
    475. 

  475.         case APR_LDAP_CERT_TYPE_DER:
    476. 

  476.             result->rc = ldapssl_set_client_cert((void *)ents[i].path,
    477. 

  477.                                                  LDAPSSL_CERT_FILETYPE_DER,
    478. 

  478.                                                  (void*)ents[i].password);
    479. 

  479.             result->msg = ldap_err2string(result->rc);
    480. 

  480.             break;
    481. 

  481.         case APR_LDAP_CERT_TYPE_BASE64: 
    482. 

  482.             result->rc = ldapssl_set_client_cert((void *)ents[i].path,
    483. 

  483.                                                  LDAPSSL_CERT_FILETYPE_B64,
    484. 

  484.                                                  (void*)ents[i].password);
    485. 

  485.             result->msg = ldap_err2string(result->rc);
    486. 

  486.             break;
    487. 

  487.         case APR_LDAP_CERT_TYPE_PFX: 
    488. 

  488.             result->rc = ldapssl_set_client_cert((void *)ents[i].path,
    489. 

  489.                                                  LDAPSSL_FILETYPE_P12,
    490. 

  490.                                                  (void*)ents[i].password);
    491. 

  491.             result->msg = ldap_err2string(result->rc);
    492. 

  492.             break;
    493. 

  493.         case APR_LDAP_KEY_TYPE_DER:
    494. 

  494.             result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
    495. 

  495.                                                         LDAPSSL_CERT_FILETYPE_DER,
    496. 

  496.                                                         (void*)ents[i].password);
    497. 

  497.             result->msg = ldap_err2string(result->rc);
    498. 

  498.             break;
    499. 

  499.         case APR_LDAP_KEY_TYPE_BASE64:
    500. 

  500.             result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
    501. 

  501.                                                         LDAPSSL_CERT_FILETYPE_B64,
    502. 

  502.                                                         (void*)ents[i].password);
    503. 

  503.             result->msg = ldap_err2string(result->rc);
    504. 

  504.             break;
    505. 

  505.         case APR_LDAP_KEY_TYPE_PFX:
    506. 

  506.             result->rc = ldapssl_set_client_private_key((void *)ents[i].path,
    507. 

  507.                                                         LDAPSSL_FILETYPE_P12,
    508. 

  508.                                                         (void*)ents[i].password);
    509. 

  509.             result->msg = ldap_err2string(result->rc);
    510. 

  510.             break;
    511. 

  511.         default:
    512. 

  512.             result->rc = -1;
    513. 

  513.             result->reason = "LDAP: The Novell LDAP SDK only understands the "
    514. 

  514.                 "DER and PEM (BASE64) file types.";
    515. 

  515.             break;
    516. 

  516.         }
    517. 

  517.         if (result->rc != LDAP_SUCCESS) {
    518. 

  518.             break;
    519. 

  519.         }
    520. 

  520.     }
    521. 

  521. #else
    522. 

  522.     result->reason = "LDAP: ldapssl_client_init(), "
    523. 

  523.                      "ldapssl_add_trusted_cert() or "
    524. 

  524.                      "ldapssl_client_deinit() functions not supported "
    525. 

  525.                      "by this Novell SDK. Certificate authority file "
    526. 

  526.                      "not set";
    527. 

  527.     result->rc = -1;
    528. 

  528. #endif
    529. 

  529. #endif
    530. 

  530. 

  531.     /* OpenLDAP SDK */
    532. 

  532. #if APR_HAS_OPENLDAP_LDAPSDK
    533. 

  533. #ifdef LDAP_OPT_X_TLS_CACERTFILE
    534. 

  534.     /* set one or more certificates */
    535. 

  535.     /* FIXME: make it support setting directories as well as files */
    536. 

  536.     for (i = 0; i < certs->nelts; i++) {
    537. 

  537.         /* OpenLDAP SDK supports BASE64 files. */
    538. 

  538.         switch (ents[i].type) {
    539. 

  539.         case APR_LDAP_CA_TYPE_BASE64:
    540. 

  540.             result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CACERTFILE,
    541. 

  541.                                          (void *)ents[i].path);
    542. 

  542.             result->msg = ldap_err2string(result->rc);
    543. 

  543.             break;
    544. 

  544.         case APR_LDAP_CERT_TYPE_BASE64:
    545. 

  545.             result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_CERTFILE,
    546. 

  546.                                          (void *)ents[i].path);
    547. 

  547.             result->msg = ldap_err2string(result->rc);
    548. 

  548.             break;
    549. 

  549.         case APR_LDAP_KEY_TYPE_BASE64:
    550. 

  550.             result->rc = ldap_set_option(ldap, LDAP_OPT_X_TLS_KEYFILE,
    551. 

  551.                                          (void *)ents[i].path);
    552. 

  552.             result->msg = ldap_err2string(result->rc);
    553. 

  553.             break;
    554. 

  554.         default:
    555. 

  555.             result->rc = -1;
    556. 

  556.             result->reason = "LDAP: The OpenLDAP SDK only understands the "
    557. 

  557.                 "PEM (BASE64) file type.";
    558. 

  558.             break;
    559. 

  559.         }
    560. 

  560.         if (result->rc != LDAP_SUCCESS) {
    561. 

  561.             break;
    562. 

  562.         }
    563. 

  563.     }
    564. 

  564. #else
    565. 

  565.     result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
    566. 

  566.                      "defined by this OpenLDAP SDK. Certificate "
    567. 

  567.                      "authority file not set";
    568. 

  568.     result->rc = -1;
    569. 

  569. #endif
    570. 

  570. #endif
    571. 

  571. 

  572.     /* Microsoft SDK */
    573. 

  573. #if APR_HAS_MICROSOFT_LDAPSDK
    574. 

  574.     /* Microsoft SDK use the registry certificate store - error out
    575. 

  575.      * here with a message explaining this. */
    576. 

  576.     result->reason = "LDAP: CA certificates cannot be set using this method, "
    577. 

  577.                      "as they are stored in the registry instead.";
    578. 

  578.     result->rc = -1;
    579. 

  579. #endif
    580. 

  580. 

  581.     /* SDK not recognised */
    582. 

  582. #if APR_HAS_OTHER_LDAPSDK
    583. 

  583.     result->reason = "LDAP: LDAP_OPT_X_TLS_CACERTFILE not "
    584. 

  584.                      "defined by this LDAP SDK. Certificate "
    585. 

  585.                      "authority file not set";
    586. 

  586.     result->rc = -1;
    587. 

  587. #endif
    588. 

  588. 

  589. #else  /* not compiled with SSL Support */
    590. 

  590.     result->reason = "LDAP: Attempt to set certificate(s) failed. "
    591. 

  591.                      "Not built with SSL support";
    592. 

  592.     result->rc = -1;
    593. 

  593. #endif /* APR_HAS_LDAP_SSL */
    594. 

  594. 

  595. }
    596. 

  596. 

  597. #endif /* APR_HAS_LDAP */
    598. 

  598.