authorGlenn Strauss <gstrauss@gluelogic.com>2020-12-15 19:49:29 -0500
committerGlenn Strauss <gstrauss@gluelogic.com>2020-12-16 02:00:17 -0500
commit20b54fa918e1ce98938cac78a6e3b26c1e605f55 (patch)
treed2c3e3e63b143c6475dce0a75ad523902d4d81a9
parent2565ad1b861db9872f3162248a81fe03178f3528 (diff)
downloadlighttpd-git-20b54fa918e1ce98938cac78a6e3b26c1e605f55.tar.gz
[mod_authn_ldap, mod_vhostdb_ldap] default cafile
set default cafile at startup if cafile configured in global scope
-rw-r--r--src/mod_authn_ldap.c23
-rw-r--r--src/mod_vhostdb_ldap.c20
2 files changed, 39 insertions, 4 deletions
diff --git a/src/mod_authn_ldap.c b/src/mod_authn_ldap.c
index 2dd41ef0..5da14e25 100644
--- a/src/mod_authn_ldap.c
+++ b/src/mod_authn_ldap.c
@@ -49,6 +49,8 @@ typedef struct {
buffer ldap_filter;
} plugin_data;
+static const char *default_cafile;
+
static handler_t mod_authn_ldap_basic(request_st * const r, void *p_d, const http_auth_require_t *require, const buffer *username, const char *pw);
INIT_FUNC(mod_authn_ldap_init) {
@@ -85,6 +87,7 @@ FREE_FUNC(mod_authn_ldap_free) {
}
free(p->ldap_filter.ptr);
+ default_cafile = NULL;
}
static void mod_authn_ldap_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
@@ -176,6 +179,9 @@ static void mod_authn_add_scheme (server *srv, buffer *host)
}
}
+__attribute_cold__
+static void mod_authn_ldap_err(log_error_st *errh, const char *file, unsigned long line, const char *fn, int err);
+
SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
static const config_plugin_keys_t cpk[] = {
{ CONST_STR_LEN("auth.backend.ldap.hostname"),
@@ -325,6 +331,17 @@ SETDEFAULTS_FUNC(mod_authn_ldap_set_defaults) {
mod_authn_ldap_merge_config(&p->defaults, cpv);
}
+ if (p->defaults.auth_ldap_starttls && p->defaults.auth_ldap_cafile) {
+ const int ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+ p->defaults.auth_ldap_cafile);
+ if (LDAP_OPT_SUCCESS != ret) {
+ mod_authn_ldap_err(srv->errh, __FILE__, __LINE__,
+ "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
+ return HANDLER_ERROR;
+ }
+ default_cafile = p->defaults.auth_ldap_cafile;
+ }
+
return HANDLER_GO_ON;
}
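Review bot: The `ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ...)` call added here writes a process-global libldap setting, but the new `default_cafile` that mirrors it is a static local to this module; the same pattern in mod_vhostdb_ldap (the hunk at `mod_vhostdb_set_defaults`) writes the same global with its own file, so when both modules are loaded with different cafiles the later one wins and this module's `default_cafile` no longer describes what is actually in the global context. The `strcmp(s->auth_ldap_cafile, default_cafile)` short-circuit in `mod_authn_ldap_host_init` then skips the per-handle set and the handle silently validates against the other module's CA file. Either drop the short-circuit and always apply the cafile on the handle when one is configured, or document the shared-global assumption next to the declaration: `/* LDAP_OPT_X_TLS_CACERTFILE on a NULL handle is process-wide; mod_vhostdb_ldap sets it too, so the last module to run set_defaults wins */`.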
@@ -506,8 +523,10 @@ static LDAP * mod_authn_ldap_host_init(log_error_st *errh, plugin_config_ldap *s
if (s->auth_ldap_starttls) {
/* if no CA file is given, it is ok, as we will use encryption
* if the server requires a CAfile it will tell us */
- if (s->auth_ldap_cafile) {
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE,
+ if (s->auth_ldap_cafile
+ && (!default_cafile
+ || 0 != strcmp(s->auth_ldap_cafile, default_cafile))) {
+ ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE,
s->auth_ldap_cafile);
if (LDAP_OPT_SUCCESS != ret) {
mod_authn_ldap_err(errh, __FILE__, __LINE__,
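Review bot: Switching the handle argument from `NULL` to `ld` makes this a per-handle TLS option, and in OpenLDAP per-handle TLS options only take effect once a new TLS context is created for that handle; if the remainder of `mod_authn_ldap_host_init` (which continues past this hunk) does not already do so, the configured cafile may be ignored and the connection falls back to the global context. The usual follow-up after the option is set is `int is_server = 0;` and `ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &is_server);` with the same `LDAP_OPT_SUCCESS` check. The identical change in `mod_vhostdb_ldap.c` (`mod_authn_ldap_host_init` there) has the same question.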
diff --git a/src/mod_vhostdb_ldap.c b/src/mod_vhostdb_ldap.c
index dada0ffc..a8fd2299 100644
--- a/src/mod_vhostdb_ldap.c
+++ b/src/mod_vhostdb_ldap.c
@@ -45,6 +45,8 @@ typedef struct {
plugin_config conf;
} plugin_data;
+static const char *default_cafile;
+
static void mod_vhostdb_dbconf_free (void *vdata)
{
vhostdb_config *dbconf = (vhostdb_config *)vdata;
@@ -281,8 +283,9 @@ static LDAP * mod_authn_ldap_host_init(log_error_st *errh, vhostdb_config *s) {
if (s->starttls) {
/* if no CA file is given, it is ok, as we will use encryption
* if the server requires a CAfile it will tell us */
- if (s->cafile) {
- ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, s->cafile);
+ if (s->cafile
+ && (!default_cafile || 0 != strcmp(s->cafile, default_cafile))) {
+ ret = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, s->cafile);
if (LDAP_OPT_SUCCESS != ret) {
mod_authn_ldap_err(errh, __FILE__, __LINE__,
"ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
@@ -495,6 +498,7 @@ FREE_FUNC(mod_vhostdb_cleanup) {
}
}
}
+ default_cafile = NULL;
}
static void mod_vhostdb_merge_config_cpv(plugin_config * const pconf, const config_plugin_value_t * const cpv) {
@@ -564,6 +568,18 @@ SETDEFAULTS_FUNC(mod_vhostdb_set_defaults) {
mod_vhostdb_merge_config(&p->defaults, cpv);
}
+ vhostdb_config * const dbconf = (vhostdb_config *)p->defaults.vdata;
+ if (dbconf && dbconf->starttls && dbconf->cafile) {
+ const int ret =
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, dbconf->cafile);
+ if (LDAP_OPT_SUCCESS != ret) {
+ mod_authn_ldap_err(srv->errh, __FILE__, __LINE__,
+ "ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE)", ret);
+ return HANDLER_ERROR;
+ }
+ default_cafile = dbconf->cafile;
+ }
+
return HANDLER_GO_ON;
}