Posted to commits@apr.apache.org by mi...@apache.org on 2005/01/07 13:58:16 UTC
svn commit: r124493 - /apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c
Author: minfrin
Date: Fri Jan 7 04:58:15 2005
New Revision: 124493
URL: http://svn.apache.org/viewcvs?view=rev&rev=124493
Log:
Remove the apr_ldap_ssl_add_client_cert() from APR v1.0 (new APIs are not
to be added between point releases). Clarify the behaviour of apr_ldap_ssl_init()
if it is called multiple times.
Modified:
apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c
Modified: apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c
Url: http://svn.apache.org/viewcvs/apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c?view=diff&rev=124493&p1=apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c&r1=124492&p2=apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c&r2=124493
==============================================================================
--- apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c (original)
+++ apr/apr-util/branches/1.0.x/ldap/apr_ldap_init.c Fri Jan 7 04:58:15 2005
@@ -32,9 +32,26 @@
/**
* APR LDAP SSL Initialise function
*
- * This function sets up any SSL certificate parameters as
- * required by the application. It should be called once on
- * system initialisation.
+ * This function initialises SSL on the underlying LDAP toolkit
+ * if this is necessary.
+ *
+ * Multiple CA certificates can be specified by calling this function
+ * more than once. If no CA certtificates are to be specified (for
+ * example on systems where certs are stored in a registry store)
+ * this function must be called at least once with a cert_auth_file
+ * of NULL.
+ *
+ * The best practice is to perform the NULL call exactly once, followed
+ * by the certificate specification as many times as is necessary.
+ *
+ * apr_ldap_ssl_init(p, NULL, 0, result)
+ * apr_ldap_ssl_init(p, cert1, cert1_type, result)
+ * apr_ldap_ssl_init(p, cert2, cert2_type, result)
+ *
+ * The legacy behaviour of specifying the certificate once is still
+ * supported:
+ *
+ * apr_ldap_ssl_init(p, cert, cert_type, result)
*
* If SSL support is not available on this platform, or a problem
* was encountered while trying to set the certificate, the function
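Review bot: The new comment misspells "certificates" as "certtificates" in the sentence beginning `If no CA certtificates are to be specified`. The example calls also pass `result` as the last argument while the parameter the function actually takes is `result_err`; naming it the same way in the examples (`apr_ldap_ssl_init(p, NULL, 0, result_err)`) keeps the illustration consistent with the signature. This comment is the header of apr_ldap_ssl_init(), whose definition continues outside the hunk.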
@@ -46,75 +63,14 @@
int cert_file_type,
apr_ldap_err_t **result_err) {
- apr_ldap_err_t *result;
-
- if (cert_auth_file) {
- return apr_ldap_ssl_add_cert(pool,
- cert_auth_file,
- cert_file_type,
- result_err);
- }
- else {
- result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
- *result_err = result;
-#if APR_HAS_LDAP_SSL /* compiled with ssl support */
-
- /* Novell needs special initialisation */
-#if APR_HAS_NOVELL_LDAPSDK
-#if APR_HAS_LDAPSSL_CLIENT_INIT
- result->rc = ldapssl_client_init(NULL, NULL);
-
- if (LDAP_SUCCESS == result->rc) {
- return APR_SUCCESS;
- }
- else {
- result->msg = ldap_err2string(result-> rc);
- result->reason = apr_pstrdup (pool, "LDAP: Could not "
- "initialize SSL");
- return APR_EGENERAL;
- }
-#else
- result->reason = "LDAP: ldapssl_client_init() function not "
- "supported by this Novell SDK. SSL not "
- "initialised";
- result->rc = -1;
-#endif
-#endif
-
-#endif
- }
-
- /* if no cert_auth_file was passed, we assume SSL support
- * is possible, as we have not been specifically told otherwise.
- */
- return APR_SUCCESS;
-
-}
-
-
-/**
- * APR LDAP SSL add client certificate function.
- *
- * This function sets up an optional client certificate to be used
- * when connecting to the remote LDAP server.
- * If SSL support is not available on this platform, or a problem
- * was encountered while trying to set the certificate, the function
- * will return APR_EGENERAL. Further LDAP specific error information
- * can be found in result_err.
- */
-APU_DECLARE(int) apr_ldap_ssl_add_cert(apr_pool_t *pool,
- const char *cert_auth_file,
- int cert_file_type,
- apr_ldap_err_t **result_err) {
-
apr_ldap_err_t *result = (apr_ldap_err_t *)apr_pcalloc(pool, sizeof(apr_ldap_err_t));
*result_err = result;
- if (cert_auth_file) {
#if APR_HAS_LDAP_SSL /* compiled with ssl support */
- /* Netscape SDK */
+ /* Netscape SDK */
#if APR_HAS_NETSCAPE_LDAPSK
+ if (cert_auth_file) {
#if APR_HAS_LDAP_SSL_CLIENT_INIT
/* Netscape sdk only supports a cert7.db file
*/
@@ -132,34 +88,43 @@
"authority file not set";
result->rc = -1;
#endif
+ }
#endif
- /* Novell SDK */
+
+ /* Novell SDK */
#if APR_HAS_NOVELL_LDAPSDK
#if APR_HAS_LDAPSSL_CLIENT_INIT && APR_HAS_LDAPSSL_ADD_TRUSTED_CERT && APR_HAS_LDAPSSL_CLIENT_DEINIT
+ /* Novell's library needs to be inititalised first */
+ result->rc = ldapssl_client_init(NULL, NULL);
+ if (LDAP_SUCCESS != result->rc) {
+ result->msg = ldap_err2string(result-> rc);
+ result->reason = apr_pstrdup (pool, "LDAP: Could not "
+ "initialize SSL");
+ }
+
+ /* set one or more certificates */
+ else if (cert_auth_file) {
/* Novell SDK supports DER or BASE64 files
*/
if (cert_file_type == APR_LDAP_CA_TYPE_DER ||
cert_file_type == APR_LDAP_CA_TYPE_BASE64 ) {
- result->rc = ldapssl_client_init(NULL, NULL);
- if (LDAP_SUCCESS == result->rc) {
- if (cert_file_type == APR_LDAP_CA_TYPE_BASE64) {
- result->rc = ldapssl_add_trusted_cert((void*)cert_auth_file,
- LDAPSSL_CERT_FILETYPE_B64);
- }
- else {
- result->rc = ldapssl_add_trusted_cert((void*)cert_auth_file,
- LDAPSSL_CERT_FILETYPE_DER);
- }
-
- if (LDAP_SUCCESS != result->rc) {
- ldapssl_client_deinit();
- result->reason = apr_psprintf(pool,
- "LDAP: Invalid certificate "
- "or path: Could not add "
- "trusted cert %s",
- cert_auth_file);
- }
+ if (cert_file_type == APR_LDAP_CA_TYPE_BASE64) {
+ result->rc = ldapssl_add_trusted_cert((void*)cert_auth_file,
+ LDAPSSL_CERT_FILETYPE_B64);
+ }
+ else {
+ result->rc = ldapssl_add_trusted_cert((void*)cert_auth_file,
+ LDAPSSL_CERT_FILETYPE_DER);
+ }
+
+ if (LDAP_SUCCESS != result->rc) {
+ ldapssl_client_deinit();
+ result->reason = apr_psprintf(pool,
+ "LDAP: Invalid certificate "
+ "or path: Could not add "
+ "trusted cert %s",
+ cert_auth_file);
}
}
else {
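Review bot: The `ldapssl_client_deinit();` on a failed ldapssl_add_trusted_cert() now sits inside a function the header comment invites callers to invoke once per CA certificate, so a failure on the second or later certificate appears to tear down the SSL client state — and presumably the certificates added by earlier successful calls — and `ldapssl_client_init(NULL, NULL)` is likewise re-run on every call, with no indication here whether the Novell SDK treats either as reference-counted or idempotent. If it does not, the deinit should be skipped once a previous call has initialised the client, or the multi-call contract restricted for this toolkit. At minimum the assumption should be recorded: `/* NOTE: each call re-runs ldapssl_client_init(); a failed add_trusted_cert() deinitialises the client and may discard certs added by earlier calls -- confirm against the Novell SDK */`. The new comment also misspells "initialised" as "inititalised". The if/else chain continues past the end of the hunk.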
@@ -167,18 +132,20 @@
"DER or BASE64 type required";
result->rc = -1;
}
+ }
#else
- result->reason = "LDAP: ldapssl_client_init(), "
- "ldapssl_add_trusted_cert() or "
- "ldapssl_client_deinit() functions not supported "
- "by this Novell SDK. Certificate authority file "
- "not set";
- result->rc = -1;
+ result->reason = "LDAP: ldapssl_client_init(), "
+ "ldapssl_add_trusted_cert() or "
+ "ldapssl_client_deinit() functions not supported "
+ "by this Novell SDK. Certificate authority file "
+ "not set";
+ result->rc = -1;
#endif
#endif
- /* openldap SDK */
+ /* openldap SDK */
#if APR_HAS_OPENLDAP_LDAPSDK
+ if (cert_auth_file) {
#ifdef LDAP_OPT_X_TLS_CACERTFILE
/* OpenLDAP SDK supports BASE64 files
*/
@@ -198,54 +165,54 @@
"authority file not set";
result->rc = -1;
#endif
+ }
#endif
- /* microsoft SDK */
+ /* microsoft SDK */
#if APR_HAS_MICROSOFT_LDAPSDK
- /* Microsoft SDK use the registry certificate store - always
- * assume support is always available
- */
- result->rc = LDAP_SUCCESS;
+ /* Microsoft SDK use the registry certificate store - always
+ * assume support is always available
+ */
+ result->rc = LDAP_SUCCESS;
#endif
- /* Sun SDK */
+ /* Sun SDK */
#if APR_HAS_SOLARIS_LDAPSDK
+ if (cert_auth_file) {
result->reason = "LDAP: Attempt to set certificate store failed. "
"APR does not yet know how to set a certificate "
"store on the Sun toolkit";
result->rc = -1;
+ }
#endif
- /* SDK not recognised */
+ /* SDK not recognised */
#if APR_HAS_OTHER_LDAPSDK
+ if (cert_auth_file) {
/* unknown toolkit type, assume no support available */
result->reason = "LDAP: Attempt to set certificate store failed. "
"Toolkit type not recognised by APR as supporting "
"SSL";
result->rc = -1;
+ }
#endif
#else /* not compiled with SSL Support */
+ if (cert_auth_file) {
result->reason = "LDAP: Attempt to set certificate store failed. "
"Not built with SSL support";
result->rc = -1;
+ }
#endif /* APR_HAS_LDAP_SSL */
- if (result->rc != -1) {
- result->msg = ldap_err2string(result-> rc);
- }
+ if (result->rc != -1) {
+ result->msg = ldap_err2string(result-> rc);
+ }
- if (LDAP_SUCCESS == result->rc) {
- return APR_SUCCESS;
- }
- else {
- return APR_EGENERAL;
- }
+ if (LDAP_SUCCESS != result->rc) {
+ return APR_EGENERAL;
}
- /* if no cert_auth_file was passed, we assume SSL support
- * is possible, as we have not been specifically told otherwise.
- */
return APR_SUCCESS;
}
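Review bot: The removed comment ("if no cert_auth_file was passed, we assume SSL support is possible …") was the only explanation of why the NULL call still succeeds on a build without SSL, and the new code keeps that behaviour implicitly: the `#else /* not compiled with SSL Support */` branch only fails when a file is given, so result->rc stays at the zero from apr_pcalloc(), which happens to equal LDAP_SUCCESS. Restore the rationale before the final `return APR_SUCCESS;`, e.g. `/* rc untouched (0 == LDAP_SUCCESS): no toolkit reported a problem, so SSL is assumed usable */`, and consider an explicit `result->rc = LDAP_SUCCESS;` after the allocation rather than relying on zero-fill. Note also that `result->msg = ldap_err2string(result-> rc);` is now reached for the NULL-file path on a no-SSL build, where the old code returned before calling it.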