From 650b1404c2db8aec7faeb6e30c8b6407c9078d99 Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Fri, 21 Aug 2020 20:06:56 +0100
Subject: [PATCH] ITS#9054, #9318 add new TLS options to slapd bindconf
For use with back-ldap/back-meta/syncrepl/etc
---
 servers/slapd/config.c | 27 ++++++++++++++++++++++++++-
 servers/slapd/slap.h | 2 ++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index cab979a294..2248a9a3e1 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1488,8 +1488,10 @@ static slap_cf_aux_table bindkey[] = {
 { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
 { BER_BVC("tls_cacertdir="), offsetof(slap_bindconf, sb_tls_cacertdir), 's', 1, NULL },
 { BER_BVC("tls_reqcert="), offsetof(slap_bindconf, sb_tls_reqcert), 's', 0, NULL },
+ { BER_BVC("tls_reqsan="), offsetof(slap_bindconf, sb_tls_reqsan), 's', 0, NULL },
 { BER_BVC("tls_cipher_suite="), offsetof(slap_bindconf, sb_tls_cipher_suite), 's', 0, NULL },
 { BER_BVC("tls_protocol_min="), offsetof(slap_bindconf, sb_tls_protocol_min), 's', 0, NULL },
+ { BER_BVC("tls_ecname="), offsetof(slap_bindconf, sb_tls_ecname), 's', 0, NULL },
 #ifdef HAVE_OPENSSL_CRL
 { BER_BVC("tls_crlcheck="), offsetof(slap_bindconf, sb_tls_crlcheck), 's', 0, NULL },
 #endif
@@ -1855,6 +1857,10 @@ void bindconf_free( slap_bindconf *bc ) {
 ch_free( bc->sb_tls_reqcert );
 bc->sb_tls_reqcert = NULL;
 }
+ if ( bc->sb_tls_reqsan ) {
+ ch_free( bc->sb_tls_reqsan );
+ bc->sb_tls_reqsan = NULL;
+ }
 if ( bc->sb_tls_cipher_suite ) {
 ch_free( bc->sb_tls_cipher_suite );
 bc->sb_tls_cipher_suite = NULL;
@@ -1863,6 +1869,10 @@ void bindconf_free( slap_bindconf *bc ) {
 ch_free( bc->sb_tls_protocol_min );
 bc->sb_tls_protocol_min = NULL;
 }
+ if ( bc->sb_tls_ecname ) {
+ ch_free( bc->sb_tls_ecname );
+ bc->sb_tls_ecname = NULL;
+ }
 #ifdef HAVE_OPENSSL_CRL
 if ( bc->sb_tls_crlcheck ) {
 ch_free( bc->sb_tls_crlcheck );
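Review bot: The two new bindconf keywords `tls_reqsan=` and `tls_ecname=` are operator-facing configuration, yet the diffstat shows only config.c and slap.h touched, so slapd.conf(5), slapd-ldap(5), slapd-meta(5) and the syncrepl description gain no mention of them. I would document both with their accepted values (tls_reqsan presumably takes the same never/allow/try/demand/hard levels as TLS_REQSAN in ldap.conf(5); tls_ecname a named curve) and state that tls_reqsan only matters when tls_reqcert makes libldap verify the server certificate at all. The new rows themselves follow the existing pattern, unquoted like tls_reqcert. bindkey[] starts and ends outside the hunk.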
@@ -1898,6 +1908,11 @@ bindconf_tls_defaults( slap_bindconf *bc )
 &bc->sb_tls_cipher_suite );
 if ( !bc->sb_tls_reqcert )
 bc->sb_tls_reqcert = ch_strdup("demand");
+ if ( !bc->sb_tls_reqsan )
+ bc->sb_tls_reqsan = ch_strdup("allow");
+ if ( !bc->sb_tls_ecname )
+ slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_ECNAME,
+ &bc->sb_tls_ecname );
 #ifdef HAVE_OPENSSL_CRL
 if ( !bc->sb_tls_crlcheck )
 slap_tls_get_config( slap_tls_ld, LDAP_OPT_X_TLS_CRLCHECK,
@@ -1918,7 +1933,7 @@ static struct {
 { "tls_cacert", offsetof(slap_bindconf, sb_tls_cacert), LDAP_OPT_X_TLS_CACERTFILE },
 { "tls_cacertdir", offsetof(slap_bindconf, sb_tls_cacertdir), LDAP_OPT_X_TLS_CACERTDIR },
 { "tls_cipher_suite", offsetof(slap_bindconf, sb_tls_cipher_suite), LDAP_OPT_X_TLS_CIPHER_SUITE },
- { "tls_protocol_min", offsetof(slap_bindconf, sb_tls_protocol_min), LDAP_OPT_X_TLS_PROTOCOL_MIN },
+ { "tls_ecname", offsetof(slap_bindconf, sb_tls_ecname), LDAP_OPT_X_TLS_ECNAME },
 {0, 0}
 };
@@ -1951,6 +1966,16 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 res = -1;
 }
 }
+ if ( bc->sb_tls_reqsan ) {
+ rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_REQUIRE_SAN,
+ bc->sb_tls_reqsan );
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ "bindconf_tls_set: failed to set tls_reqsan to %s\n",
+ bc->sb_tls_reqsan );
+ res = -1;
+ }
+ }
 if ( bc->sb_tls_protocol_min ) {
 rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
 bc->sb_tls_protocol_min );
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index e762a19bec..3f5180b301 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1651,8 +1651,10 @@ typedef struct slap_bindconf {
 char *sb_tls_cacert;
 char *sb_tls_cacertdir;
 char *sb_tls_reqcert;
+ char *sb_tls_reqsan;
 char *sb_tls_cipher_suite;
 char *sb_tls_protocol_min;
+ char *sb_tls_ecname;
 #ifdef HAVE_OPENSSL_CRL
 char *sb_tls_crlcheck;
 #endif
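Review bot: The new `tls_reqsan` default is a bare `ch_strdup("allow")` with nothing explaining the choice, while the `tls_ecname` default two lines below is inherited from the global TLS setup through slap_tls_get_config(). A reader will wonder whether "allow" was meant to mirror libldap's own default or whether a global value should have been consulted; a comment such as `/* "allow" is libldap's default: match the SAN when present, else fall back to the CN */` settles it (the exact semantics are from ldap.conf(5) as I recall them, so please confirm). Worth remembering that this level only applies when tls_reqcert, defaulted to "demand" just above, actually makes libldap verify the server certificate. bindconf_tls_defaults() starts and ends outside the hunk.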
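Review bot: Removing `tls_protocol_min` from this option table is a behaviour change that the commit title ("add new TLS options") does not mention, and it is the single deletion in the diffstat. It looks right, since the bindconf_tls_set() hunk below applies tls_protocol_min through ldap_pvt_tls_config(), which takes the string form, whereas this table presumably feeds the raw char* to ldap_set_option() where LDAP_OPT_X_TLS_PROTOCOL_MIN expects an integer; but that reasoning belongs either in the commit message or on the table, e.g. `/* string options handed straight to ldap_set_option(); keyword-valued ones (tls_reqcert, tls_reqsan, tls_protocol_min, tls_crlcheck) are parsed by ldap_pvt_tls_config() in bindconf_tls_set() */`. The loop that consumes the table lies outside the hunk, so the ldap_set_option() detail is inferred from the option-code column rather than seen here.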
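Review bot: The new tls_reqsan block is applied regardless of tls_reqcert, but as far as I recall libldap skips SAN/hostname matching entirely when the peer certificate is not verified (tls_reqcert=never or allow), so a configuration like `tls_reqcert=allow tls_reqsan=demand` silently gets no SAN enforcement. A Debug(LDAP_DEBUG_ANY, ...) warning in this block when sb_tls_reqcert is "never"/"allow" and sb_tls_reqsan is "demand"/"hard" would surface that misconfiguration at load time; at minimum a comment above the block, `/* only effective when tls_reqcert makes libldap verify the server cert */`, warns the next maintainer. The failure handling itself mirrors the tls_protocol_min block that follows, logging and continuing with res = -1. bindconf_tls_set() starts and ends outside the hunk.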