contrib/ldapc++/src/TlsOptions.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162

// $OpenLDAP$
/*
 * Copyright 2010-2022 The OpenLDAP Foundation, All Rights Reserved.
 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 */
#ifndef TLS_OPTIONS_H
#define TLS_OPTIONS_H
#include <string>
#include <ldap.h>

/**
 * Class to access the global (and connection specific) TLS Settings
 * To access the global TLS Settings just instantiate a TlsOption object
 * using the default constructor.
 *
 * To access connection specific settings instantiate a TlsOption object
 * through the getTlsOptions() method from the corresponding
 * LDAPConnection/LDAPAsynConnection object.
 *
 */
class TlsOptions {
    public:

        /**
         * Available TLS Options
         */
        enum tls_option {
            CACERTFILE=0, 
            CACERTDIR,
            CERTFILE,
            KEYFILE,
            REQUIRE_CERT,
            PROTOCOL_MIN,
            CIPHER_SUITE,
            RANDOM_FILE,
            CRLCHECK,
            DHFILE,
            /// @cond
            LASTOPT /* dummy */
            /// @endcond
        };

        /**
         * Possible Values for the REQUIRE_CERT option
         */
        enum verifyMode {
            NEVER=0,
            HARD,
            DEMAND,
            ALLOW,
            TRY
        };

        /**
         * Possible Values for the CRLCHECK option
         */
        enum crlMode {
            CRL_NONE=0,
            CRL_PEER,
            CRL_ALL
        };


        /**
         * Default constructor. Gives access to the global TlsSettings
         */
        TlsOptions();

        /**
         * Set string valued options.
         * @param opt The following string valued options are available:
         *      - TlsOptions::CACERTFILE 
         *      - TlsOptions::CACERTDIR
         *      - TlsOptions::CERTFILE
         *      - TlsOptions::KEYFILE
         *      - TlsOptions::CIPHER_SUITE
         *      - TlsOptions::RANDOM_FILE
         *      - TlsOptions::DHFILE
         *  @param value The value to apply to that option, 
         *      - TlsOptions::CACERTFILE:
         *          The path to the file containing all recognized Certificate
         *          Authorities
         *      - TlsOptions::CACERTDIR:
         *          The path to a directory containing individual files of all
         *          recognized Certificate Authority certificates
         *      - TlsOptions::CERTFILE:
         *          The path to the client certificate
         *      - TlsOptions::KEYFILE:
         *          The path to the file containing the private key matching the 
         *          Certificate that as configured with TlsOptions::CERTFILE
         *      - TlsOptions::CIPHER_SUITE
         *          Specifies the cipher suite and preference order
         *      - TlsOptions::RANDOM_FILE
         *          Specifies the file to obtain random bits from when 
         *          /dev/[u]random is not available.
         *      - TlsOptions::DHFILE
         *          File containing DH parameters
         */
        void setOption(tls_option opt, const std::string& value) const;

        /** 
         * Set integer valued options.
         * @param opt The following string valued options are available:
         *      - TlsOptions::REQUIRE_CERT
         *      - TlsOptions::PROTOCOL_MIN
         *      - TlsOptions::CRLCHECK
         * @param value The value to apply to that option, 
         *      - TlsOptions::REQUIRE_CERT:
         *          Possible Values (For details see the ldap.conf(5) man-page):
         *              - TlsOptions::NEVER
         *              - TlsOptions::DEMAND
         *              - TlsOptions::ALLOW
         *              - TlsOptions::TRY
         *      - TlsOptions::PROTOCOL_MIN
         *      - TlsOptions::CRLCHECK
         *          Possible Values:
         *              - TlsOptions::CRL_NONE
         *              - TlsOptions::CRL_PEER
         *              - TlsOptions::CRL_ALL
         */
        void setOption(tls_option opt, int value) const;

        /**
         * Generic setOption variant. Generally you should prefer to use one 
         * of the other variants
         */
        void setOption(tls_option opt, void *value) const;

        /**
         * Read integer valued options
         * @return Option value
         * @throws LDAPException in case of error (invalid on non-integer 
         *      valued option is requested)
         */
        int getIntOption(tls_option opt) const;

        /**
         * Read string valued options
         * @return Option value
         * @throws LDAPException in case of error (invalid on non-string 
         *      valued option is requested)
         */
        std::string getStringOption(tls_option opt) const;

        /**
         * Read options value. Usually you should prefer to use either 
         * getIntOption() or getStringOption()
         * @param value points to a buffer containing the option value
         * @throws LDAPException in case of error (invalid on non-string 
         *      valued option is requested)
         */
        void getOption(tls_option opt, void *value ) const;
        
    private:
        TlsOptions( LDAP* ld );
        void newCtx() const;
        LDAP *m_ld;

    friend class LDAPAsynConnection;
};

#endif /* TLS_OPTIONS_H */