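/* $NetBSD: TlsOptions.h,v 1.3 2021/08/14 16:14:49 christos Exp $ */

// $OpenLDAP$
/*
 * Copyright 2010-2021 The OpenLDAP Foundation, All Rights Reserved.
 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 */
#ifndef TLS_OPTIONS_H
#define TLS_OPTIONS_H
#include <string>
#include <ldap.h>

/**
 * Class to access the global (and connection specific) TLS Settings.
 *
 * To access the global TLS Settings just instantiate a TlsOptions object
 * using the default constructor.
 *
 * To access connection specific settings instantiate a TlsOptions object
 * through the getTlsOptions() method from the corresponding
 * LDAPConnection/LDAPAsynConnection object.
 *
 * Security note: the REQUIRE_CERT and CRLCHECK settings decide whether the
 * server's certificate is verified at all. Only TlsOptions::DEMAND (or
 * TlsOptions::HARD) rejects a missing or invalid server certificate; the
 * other verifyMode values let a session proceed without a fully verified
 * peer and should only be chosen deliberately. See ldap.conf(5).
 *
 * Lifetime: the object holds a raw LDAP handle (m_ld) and declares no
 * destructor, so it never closes or frees that handle; the handle must
 * outlive every TlsOptions object created from it.
 */
class TlsOptions {
    public:

        /**
         * Available TLS Options
         */
        enum tls_option {
            CACERTFILE=0,
            CACERTDIR,
            CERTFILE,
            KEYFILE,
            REQUIRE_CERT,
            PROTOCOL_MIN,
            CIPHER_SUITE,
            RANDOM_FILE,
            CRLCHECK,
            DHFILE,
            /// @cond
            LASTOPT /* dummy: marks the end of the option list */
            /// @endcond
        };

        /**
         * Possible Values for the REQUIRE_CERT option
         * (how the server certificate is requested and verified;
         * exact semantics per ldap.conf(5) TLS_REQCERT)
         */
        enum verifyMode {
            NEVER=0,
            HARD,
            DEMAND,
            ALLOW,
            TRY
        };

        /**
         * Possible Values for the CRLCHECK option
         * (whether certificate revocation lists are consulted)
         */
        enum crlMode {
            CRL_NONE=0,
            CRL_PEER,
            CRL_ALL
        };


        /**
         * Default constructor. Gives access to the global TlsSettings
         */
        TlsOptions();

        /**
         * Set string valued options.
         *
         * Note: the method is declared const, but it changes the TLS
         * settings of the underlying LDAP handle; const only protects the
         * stored handle pointer, not what it points to.
         *
         * @param opt The following string valued options are available:
         *      - TlsOptions::CACERTFILE
         *      - TlsOptions::CACERTDIR
         *      - TlsOptions::CERTFILE
         *      - TlsOptions::KEYFILE
         *      - TlsOptions::CIPHER_SUITE
         *      - TlsOptions::RANDOM_FILE
         *      - TlsOptions::DHFILE
         * @param value The value to apply to that option,
         *      - TlsOptions::CACERTFILE:
         *          The path to the file containing all recognized Certificate
         *          Authorities
         *      - TlsOptions::CACERTDIR:
         *          The path to a directory containing individual files of all
         *          recognized Certificate Authority certificates
         *      - TlsOptions::CERTFILE:
         *          The path to the client certificate
         *      - TlsOptions::KEYFILE:
         *          The path to the file containing the private key matching the
         *          Certificate that was configured with TlsOptions::CERTFILE.
         *          (The key is a secret; the file should normally be readable
         *          only by the user running the client.)
         *      - TlsOptions::CIPHER_SUITE
         *          Specifies the cipher suite and preference order
         *      - TlsOptions::RANDOM_FILE
         *          Specifies the file to obtain random bits from when
         *          /dev/[u]random is not available.
         *      - TlsOptions::DHFILE
         *          File containing DH parameters
         */
        void setOption(tls_option opt, const std::string& value) const;

        /**
         * Set integer valued options.
         *
         * Declared const for the same reason as the string variant: it
         * modifies the settings behind the stored handle, not the object.
         *
         * @param opt The following integer valued options are available:
         *      - TlsOptions::REQUIRE_CERT
         *      - TlsOptions::PROTOCOL_MIN
         *      - TlsOptions::CRLCHECK
         * @param value The value to apply to that option,
         *      - TlsOptions::REQUIRE_CERT:
         *          Possible Values (For details see the ldap.conf(5) man-page):
         *          - TlsOptions::NEVER
         *          - TlsOptions::HARD
         *          - TlsOptions::DEMAND
         *          - TlsOptions::ALLOW
         *          - TlsOptions::TRY
         *          Only DEMAND/HARD reject a missing or invalid server
         *          certificate; NEVER, ALLOW and TRY each permit a session
         *          without a fully verified peer.
         *      - TlsOptions::PROTOCOL_MIN
         *          Minimum TLS protocol version to accept; presumably in the
         *          encoding of the LDAP_OPT_X_TLS_PROTOCOL_* constants from
         *          ldap.h -- confirm against ldap.h / ldap.conf(5)
         *          TLS_PROTOCOL_MIN before relying on a specific value.
         *      - TlsOptions::CRLCHECK
         *          Possible Values:
         *          - TlsOptions::CRL_NONE
         *          - TlsOptions::CRL_PEER
         *          - TlsOptions::CRL_ALL
         */
        void setOption(tls_option opt, int value) const;

        /**
         * Generic setOption variant. Generally you should prefer to use one
         * of the other variants.
         *
         * @param opt   The option to set
         * @param value Untyped pointer to the new value; the caller is
         *              responsible for passing the type the option expects
         *              (no type check is possible through void*).
         */
        void setOption(tls_option opt, void *value) const;

        /**
         * Read integer valued options
         * @param opt The option to read (one of the integer valued options
         *            listed for setOption(tls_option, int))
         * @return Option value
         * @throws LDAPException in case of error (e.g. a non-integer
         *         valued option is requested)
         */
        int getIntOption(tls_option opt) const;

        /**
         * Read string valued options
         * @param opt The option to read (one of the string valued options
         *            listed for setOption(tls_option, const std::string&))
         * @return Option value
         * @throws LDAPException in case of error (e.g. a non-string
         *         valued option is requested)
         */
        std::string getStringOption(tls_option opt) const;

        /**
         * Read options value. Usually you should prefer to use either
         * getIntOption() or getStringOption()
         * @param opt   The option to read
         * @param value points to a buffer that receives the option value;
         *              the caller must supply a buffer of the type and size
         *              the option expects
         * @throws LDAPException in case of error
         */
        void getOption(tls_option opt, void *value ) const;

    private:
        /// Connection specific settings; only LDAPAsynConnection may construct these
        TlsOptions( LDAP* ld );
        /// Presumably (re)creates the TLS context for m_ld after a setting changed -- body not visible here
        void newCtx() const;
        /// Raw, non-owning handle; not freed by this class (no destructor)
        LDAP *m_ld;

    friend class LDAPAsynConnection;
};

#endif /* TLS_OPTIONS_H */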