From: Aaron Spangler
Date: Sat, 28 Feb 2004 23:54:20 +0000 (+0000)
Subject: Added start_tls support
X-Git-Tag: SUDO_1_6_8~156
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=42cfd561275983634f91b24e4068c1cb99692277;p=sudo
Added start_tls support
---
diff --git a/CHANGES b/CHANGES
index 33cf9a781..7fe6528c7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1675,3 +1675,6 @@ Sudo 1.6.7p6 released.
 525) Added the --with-pc-insults configure to replace politically incorrect insults with other ones.
+
+526) Added start_tls support from Gudleik Rasch .
+
diff --git a/config.h.in b/config.h.in
index 66628c04b..266fd7d01 100644
--- a/config.h.in
+++ b/config.h.in
@@ -171,6 +171,9 @@
 /* Define if your LDAP Supports URLs. (OpenLDAP does) */
 #define HAVE_LDAP_INITIALIZE
+/* Define if your LDAP Supports start_tls_s. (OpenLDAP does) */
+#define HAVE_LDAP_START_TLS_S
+
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
diff --git a/ldap.c b/ldap.c
index db7d5020b..0055602e1 100644
--- a/ldap.c
+++ b/ldap.c
@@ -81,6 +81,7 @@ struct ldap_config {
 char *binddn;
 char *bindpw;
 char *base;
+ char *ssl;
 int debug;
 } ldap_conf;
@@ -493,6 +494,7 @@ sudo_ldap_read_config()
 * if else if else if else if else ... */
 MATCH_S("host", ldap_conf.host)
 else MATCH_I("port", ldap_conf.port)
+ else MATCH_S("ssl", ldap_conf.ssl)
 else MATCH_I("ldap_version", ldap_conf.version)
 else MATCH_S("uri", ldap_conf.uri)
 else MATCH_S("binddn", ldap_conf.binddn)
@@ -533,6 +535,10 @@ sudo_ldap_read_config()
 ldap_conf.binddn : "(anonymous)");
 printf("bindpw %s\n", ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)");
+#ifdef HAVE_LDAP_START_TLS_S
+ printf("ssl %s\n", ldap_conf.ssl ?
+ ldap_conf.ssl : "(no)");
+#endif
 printf("===================\n");
 }
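Review bot: In the config.h.in hunk, HAVE_LDAP_START_TLS_S is written as a hard `#define` rather than the `#undef` template form that configure rewrites (the `#undef HAVE_LOCKF` line in the same hunk shows that convention), so the macro is defined for every build whether or not the LDAP library actually provides ldap_start_tls_s. The line mirrors the existing `#define HAVE_LDAP_INITIALIZE` directly above it, so it follows current practice in this file, but the likely effect is that a build against a library without start_tls fails at link time on the new ldap.c call instead of compiling the feature out. Suggest `#undef HAVE_LDAP_START_TLS_S` here, with configure defining it only when the function is detected; the same applies to the HAVE_LDAP_INITIALIZE line if it is revisited.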
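Review bot: The `ssl` keyword is accepted by sudo_ldap_read_config unconditionally in the MATCH_S hunk, while every consumer of ldap_conf.ssl in this patch — the debug print in the following hunk and the ldap_start_tls_s call in the later connect hunk — sits under `#ifdef HAVE_LDAP_START_TLS_S`. On a build where that macro is not set, `ssl start_tls` in the configuration is parsed and then silently ignored, and the simple bind (with binddn/bindpw) proceeds without TLS, so an administrator who believes the directory traffic is protected gets no indication otherwise. The connect hunk also recognises only the exact value `start_tls`, so any other spelling such as `yes` is dropped with no diagnostic. Consider making both cases visible after parsing, e.g. `#ifndef HAVE_LDAP_START_TLS_S` / `if (ldap_conf.ssl) fprintf(stderr, "sudo: ssl option not supported by this build\n");` / `#endif`, plus a warning for unrecognised values. The body of sudo_ldap_read_config continues outside the hunk.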
@@ -698,6 +704,20 @@ int pwflag;
 #endif /* LDAP_OPT_PROTOCOL_VERSION */
+#ifdef HAVE_LDAP_START_TLS_S
+ /* Turn on TLS */
+ if (ldap_conf.ssl && !strcasecmp(ldap_conf.ssl, "start_tls")){
+ rc = ldap_start_tls_s(ld, NULL, NULL);
+ if (rc != LDAP_SUCCESS) {
+ fprintf(stderr, "ldap_start_tls_s(): %d: %s\n", rc, ldap_err2string(rc));
+ ldap_unbind(ld);
+ return VALIDATE_ERROR;
+ }
+
+ if (ldap_conf.debug) printf("ldap_start_tls_s() ok\n");
+ }
+#endif /* HAVE_LDAP_START_TLS_S */
+
 /* Actually connect */
 rc=ldap_simple_bind_s(ld,ldap_conf.binddn,ldap_conf.bindpw);