From 56729b9a637c774c3fe905ea8e8af93133a81c63 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 19 Dec 2007 19:28:57 +0000
Subject: [PATCH] Use ldapssl_init() for ldaps support instead of trying to do it manually with ldap_init() + ldapssl_install_routines(). Use tls_cert and tls_key for cert7.db and key3.db respectively. Don't print debugging info for options that are not set. Add warning if start_tls specified when not supported.
---
 config.h.in | 4 +-
 configure | 2 +-
 configure.in | 2 +-
 ldap.c | 102 ++++++++++++++++++++++++++++++---------------------
 4 files changed, 64 insertions(+), 46 deletions(-)
diff --git a/config.h.in b/config.h.in
index 7f4f187e1..96102c44b 100644
--- a/config.h.in
+++ b/config.h.in
@@ -224,8 +224,8 @@
 /* Define to 1 if you have the `ldap_start_tls_s' function. */
 #undef HAVE_LDAP_START_TLS_S
-/* Define to 1 if you have the `ldapssl_client_init' function. */
-#undef HAVE_LDAPSSL_CLIENT_INIT
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
 /* Define to 1 if you have the `lockf' function. */
 #undef HAVE_LOCKF
diff --git a/configure b/configure
index 5f737903f..c9cb39d8a 100755
--- a/configure
+++ b/configure
@@ -21829,7 +21829,7 @@ rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
-for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_client_init
+for ac_func in ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
 { echo "$as_me:$LINENO: checking for $ac_func" >&5
diff --git a/configure.in b/configure.in
index 908155eae..925dc72a2 100644
--- a/configure.in
+++ b/configure.in
@@ -2287,7 +2287,7 @@ if test ${with_ldap-'no'} != "no"; then
 AC_MSG_RESULT([yes])
 AC_DEFINE(HAVE_LBER_H)])
- AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_client_init)
+ AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldap_sasl_interactive_bind_s ldapssl_init)
 AC_CHECK_HEADERS([sasl/sasl.h])
 AC_CHECK_LIB(gssapi, gss_krb5_ccache_name,
diff --git a/ldap.c b/ldap.c
index cfa3ab196..1e49af797 100644
--- a/ldap.c
+++ b/ldap.c
@@ -132,7 +132,6 @@ struct ldap_config {
 char *rootbinddn;
 char *base;
 char *ssl;
- char *sslpath;
 char *tls_cacertfile;
 char *tls_cacertdir;
 char *tls_random_file;
@@ -150,7 +149,7 @@ struct ldap_config_table ldap_conf_table[] = {
 { "host", CONF_STR, FALSE, -1, &ldap_conf.host },
 { "port", CONF_INT, FALSE, -1, &ldap_conf.port },
 { "ssl", CONF_STR, FALSE, -1, &ldap_conf.ssl },
- { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.sslpath },
+ { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
 { "uri", CONF_STR, FALSE, -1, &ldap_conf.uri },
 #ifdef LDAP_OPT_DEBUG_LEVEL
 { "debug", CONF_INT, FALSE, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
@@ -182,10 +181,14 @@ struct ldap_config_table ldap_conf_table[] = {
 #ifdef LDAP_OPT_X_TLS_CERTFILE
 { "tls_cert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CERTFILE, &ldap_conf.tls_certfile },
+#else
+ { "tls_cert", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
 #endif
 #ifdef LDAP_OPT_X_TLS_KEYFILE
 { "tls_key", CONF_STR, FALSE, LDAP_OPT_X_TLS_KEYFILE, &ldap_conf.tls_keyfile },
+#else
+ { "tls_key", CONF_STR, FALSE, -1, &ldap_conf.tls_keyfile },
 #endif
 #ifdef LDAP_OPT_NETWORK_TIMEOUT
 { "bind_timelimit", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
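Review bot: `sslpath` now writes into `ldap_conf.tls_certfile`, the same field the `tls_cert` row writes, so an ldap.conf that sets both has the later keyword silently override the earlier one, and the debug dump reports the result only under the `tls_certfile` label; nothing in the table marks the keyword as an alias. A comment on the row would make the relationship explicit: `/* sslpath: legacy alias for tls_cert (cert7.db path) */`. Whether the ldap.conf manual documents this aliasing is not visible here.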
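Review bot: The `#else` rows added for `tls_cert` and `tls_key` make both keywords parse on every build, but with an option id of `-1` they appear to be applied by nothing generic (the neighbouring `-1 /* needs timeval, set manually */` suggests -1 means "not passed to ldap_set_option"), and the only consumer visible in this patch is the `HAVE_LDAPSSL_INIT` path; on a library that has neither `LDAP_OPT_X_TLS_CERTFILE` nor `ldapssl_init` the values would be accepted and then silently dropped, which an admin may mistake for client-cert auth being in effect. I would say so on the rows: `/* no library option for this; only consumed by ldapssl_clientauth_init() */`. If sudo_ldap_read_config has a place to warn about keywords that will not take effect, a warning there would be better than a comment, but that code is outside this hunk.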
@@ -736,23 +739,41 @@ sudo_ldap_read_config()
 ldap_conf.binddn : "(anonymous)");
 fprintf(stderr, "bindpw %s\n", ldap_conf.bindpw ? ldap_conf.bindpw : "(anonymous)");
- fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
- fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
+ if (ldap_conf.bind_timelimit > 0)
+ fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
+ if (ldap_conf.timelimit > 0)
+ fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
 fprintf(stderr, "ssl %s\n", ldap_conf.ssl ? ldap_conf.ssl : "(no)");
- fprintf(stderr, "sslpath %s\n", ldap_conf.sslpath ?
- ldap_conf.sslpath : "(NONE)");
+ if (ldap_conf.tls_checkpeer != -1)
+ fprintf(stderr, "tls_checkpeer %s\n", ldap_conf.tls_checkpeer ?
+ "(yes)" : "(no)");
+ if (ldap_conf.tls_cacertfile != NULL)
+ fprintf(stderr, "tls_cacertfile %s\n", ldap_conf.tls_cacertfile);
+ if (ldap_conf.tls_cacertdir != NULL)
+ fprintf(stderr, "tls_cacertdir %s\n", ldap_conf.tls_cacertdir);
+ if (ldap_conf.tls_random_file != NULL)
+ fprintf(stderr, "tls_random_file %s\n", ldap_conf.tls_random_file);
+ if (ldap_conf.tls_cipher_suite != NULL)
+ fprintf(stderr, "tls_cipher_suite %s\n", ldap_conf.tls_cipher_suite);
+ if (ldap_conf.tls_certfile != NULL)
+ fprintf(stderr, "tls_certfile %s\n", ldap_conf.tls_certfile);
+ if (ldap_conf.tls_keyfile != NULL)
+ fprintf(stderr, "tls_keyfile %s\n", ldap_conf.tls_keyfile);
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
- fprintf(stderr, "use_sasl %d\n", ldap_conf.use_sasl);
- fprintf(stderr, "sasl_auth_id %s\n", ldap_conf.sasl_auth_id ?
- ldap_conf.sasl_auth_id : "(NONE)");
- fprintf(stderr, "rootuse_sasl %d\n", ldap_conf.rootuse_sasl);
- fprintf(stderr, "rootsasl_auth_id %s\n", ldap_conf.rootsasl_auth_id ?
- ldap_conf.rootsasl_auth_id : "(NONE)");
- fprintf(stderr, "sasl_secprops %s\n", ldap_conf.sasl_secprops ?
- ldap_conf.sasl_secprops : "(NONE)");
- fprintf(stderr, "krb5_ccname %s\n", ldap_conf.krb5_ccname ?
- ldap_conf.krb5_ccname : "(NONE)");
+ if (ldap_conf.use_sasl != -1) {
+ fprintf(stderr, "use_sasl %s\n",
+ ldap_conf.use_sasl ? "yes" : "no");
+ fprintf(stderr, "sasl_auth_id %s\n", ldap_conf.sasl_auth_id ?
+ ldap_conf.sasl_auth_id : "(NONE)");
+ fprintf(stderr, "rootuse_sasl %d\n", ldap_conf.rootuse_sasl);
+ fprintf(stderr, "rootsasl_auth_id %s\n", ldap_conf.rootsasl_auth_id ?
+ ldap_conf.rootsasl_auth_id : "(NONE)");
+ fprintf(stderr, "sasl_secprops %s\n", ldap_conf.sasl_secprops ?
+ ldap_conf.sasl_secprops : "(NONE)");
+ fprintf(stderr, "krb5_ccname %s\n", ldap_conf.krb5_ccname ?
+ ldap_conf.krb5_ccname : "(NONE)");
+ }
 #endif
 fprintf(stderr, "===================\n");
 }
@@ -1107,7 +1128,7 @@ sudo_ldap_set_options(ld)
 }
 #endif
-#ifdef LDAP_OPT_X_TLS
+#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
 if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
 int val = LDAP_OPT_X_TLS_HARD;
 rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
@@ -1138,16 +1159,20 @@ sudo_ldap_open()
 if (!sudo_ldap_read_config())
 return(NULL);
-#if defined(HAVE_LDAPSSL_CLIENT_INIT) && !defined(LDAP_OPT_X_TLS)
+#ifdef HAVE_LDAPSSL_INIT
 if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
- DPRINTF(("ldapssl_client_init(%s, NULL)", ldap_conf.sslpath), 2);
- if (ldapssl_client_init(ldap_conf.sslpath, NULL) != LDAP_SUCCESS) {
- warningx("unable to initialize SSL cert db: %s",
+ DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+ ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+ ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
+ rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+ ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
+ if (rc != LDAP_SUCCESS) {
+ warningx("unable to initialize SSL cert and key db: %s",
 ldapssl_err2string(rc));
 return(NULL);
 }
 }
-#endif
+#endif /* HAVE_LDAPSSL_INIT */
 /* Connect to LDAP server */
 #ifdef HAVE_LDAP_INITIALIZE
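Review bot: Inside the new `if (ldap_conf.use_sasl != -1)` block, `use_sasl` is now printed as yes/no but `rootuse_sasl` on the next lines keeps the old `%d` form, so the two flags that mean the same thing are reported differently in the same dump; `fprintf(stderr, "rootuse_sasl %s\n", ldap_conf.rootuse_sasl ? "yes" : "no");` would match. If `rootuse_sasl` uses the same -1 "unset" sentinel as `use_sasl` (its initialisation is not visible here), it is also worth guarding with its own `!= -1` test rather than being gated on `use_sasl`, since an admin may set only the root variant. The rest of sudo_ldap_read_config lies outside this hunk.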
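Review bot: On the new `HAVE_LDAPSSL_INIT` path only `tls_certfile` and `tls_keyfile` reach the library through `ldapssl_clientauth_init()`; `tls_checkpeer`, `tls_cacertfile` and `tls_cacertdir` are not passed here, and the `LDAP_OPT_X_TLS` block in sudo_ldap_set_options is now compiled out for such builds by the previous hunk, so as far as this diff shows whether the server certificate is verified depends entirely on the SDK's defaults and on what is in cert7.db. A comment above the call would keep the next maintainer from assuming those keywords apply: `/* NSS path: trust and peer checking come from cert7.db; tls_cacert*, tls_checkpeer are not applied here */`, and the ldap.conf manual should say the same. Separately, when neither `sslpath` nor `tls_cert` is configured the cert db path passed is NULL; what the SDK does with that is not visible, so if it does not fall back to a default location the resulting "unable to initialize SSL cert and key db" is hard to act on, and a check that names the missing keyword before the call would be clearer.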
@@ -1161,8 +1186,16 @@ sudo_ldap_open()
 } else
 #endif /* HAVE_LDAP_INITIALIZE */
 {
+#ifdef HAVE_LDAPSSL_INIT
+ DPRINTF(("ldapssl_init(%s, %d, %d)", ldap_conf.host, ldap_conf.port,
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL), 2);
+ ld = ldapssl_init(ldap_conf.host, ldap_conf.port,
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL);
+#else
 DPRINTF(("ldap_init(%s, %d)", ldap_conf.host, ldap_conf.port), 2);
- if ((ld = ldap_init(ldap_conf.host, ldap_conf.port)) == NULL) {
+ ld = ldap_init(ldap_conf.host, ldap_conf.port);
+#endif
+ if (ld == NULL) {
 warning("unable to initialize LDAP");
 return(NULL);
 }
@@ -1172,33 +1205,18 @@ sudo_ldap_open()
 if (sudo_ldap_set_options(ld) < 0)
 return(NULL);
-#if defined(HAVE_LDAPSSL_CLIENT_INIT) && !defined(LDAP_OPT_X_TLS)
- if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
- DPRINTF(("ldapssl_install_routines()"), 2);
- rc = ldapssl_install_routines(ld);
- if (rc != LDAP_SUCCESS) {
- warningx("ldapssl_install_routines(): %s", ldapssl_err2string(rc));
- return(NULL);
- }
-# ifdef LDAP_OPT_SSL
- rc = ldap_set_option(ld, LDAP_OPT_SSL, LDAP_OPT_ON);
- if (rc != LDAP_SUCCESS) {
- warningx("unable to enable SSL: %s", ldapssl_err2string(rc));
- return(NULL);
- }
-# endif
- }
-#endif
-#ifdef HAVE_LDAP_START_TLS_S
 if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
+#ifdef HAVE_LDAP_START_TLS_S
 rc = ldap_start_tls_s(ld, NULL, NULL);
 if (rc != LDAP_SUCCESS) {
 warningx("ldap_start_tls_s(): %s", ldap_err2string(rc));
 return(NULL);
 }
 DPRINTF(("ldap_start_tls_s() ok"), 1);
- }
+#else
+ warningx("start_tls specified but LDAP libs do not support ldap_start_tls_s()");
 #endif /* HAVE_LDAP_START_TLS_S */
+ }
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 if (ldap_conf.rootuse_sasl == TRUE ||
--
2.40.0
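Review bot: The new `ldapssl_init()` call sits in the `else` arm of the `#ifdef HAVE_LDAP_INITIALIZE` block whose head is outside this hunk, so on a build that has both `ldap_initialize` and `ldapssl_init` a configured `uri` takes the other arm and `ssl_mode == SUDO_LDAP_SSL` never reaches `ldapssl_init()`; with the `ldapssl_install_routines()` call removed in the next hunk, nothing else would turn SSL on for that handle unless the URI itself is `ldaps://`. Whether any supported SDK exposes both entry points is not visible here, so this may be purely theoretical, but the assumption is worth recording at the `#ifdef HAVE_LDAPSSL_INIT`: `/* assumes an SDK with ldapssl_init() has no ldap_initialize(); ssl=on with a uri would otherwise silently be plaintext */`. If the combination can occur, rejecting `ssl on` together with a non-ldaps `uri` in sudo_ldap_read_config would be the safer fix.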
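Review bot: When `ldap_start_tls_s()` is unavailable the new `#else` branch only calls `warningx()` and then falls through to the bind that follows this hunk, so a configuration that explicitly asked for `start_tls` continues in cleartext and the bind credentials (a `bindpw` exists, per the debug dump earlier in the patch) go over the wire unprotected, whereas every other TLS failure in sudo_ldap_open returns NULL. This should fail closed: `warningx("start_tls specified but LDAP libs do not support ldap_start_tls_s()"); return(NULL);`. If continuing without TLS is genuinely intended, that decision deserves a comment on the branch, but a silent downgrade is the wrong default for sudo. The enclosing function continues past the end of this hunk.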