/*	$NetBSD$	*/

// OpenLDAP: pkg/ldap/contrib/ldapc++/src/TlsOptions.h,v 1.6.2.2 2010/04/14 23:50:44 quanah Exp
/*
 * Copyright 2010, OpenLDAP Foundation, All Rights Reserved.
 * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
 */
#ifndef TLS_OPTIONS_H
#define TLS_OPTIONS_H
#include <string>
#include <ldap.h>

/**
 * Class to access the global (and connection specific) TLS Settings.
 * To access the global TLS Settings just instantiate a TlsOptions object
 * using the default constructor.
 *
 * To access connection specific settings instantiate a TlsOptions object
 * through the getTlsOptions() method from the corresponding
 * LDAPConnection/LDAPAsynConnection object.
 *
 * The object stores no settings itself, only the handle it was created
 * with (m_ld); the setters and getters are therefore const member
 * functions that operate on state held by libldap.
 *
 * NOTE(review): which settings take effect on an already established
 * connection versus only on connections opened afterwards is not visible
 * in this header — confirm against TlsOptions.cpp and ldap_set_option(3).
 */
class TlsOptions {
    public:

        /**
         * Available TLS Options
         *
         * Each option mirrors the corresponding TLS_* keyword documented in
         * ldap.conf(5). Whether an option is string or integer valued is
         * listed at the matching setOption() overload.
         */
        enum tls_option {
            CACERTFILE=0,   ///< file containing all trusted CA certificates (string)
            CACERTDIR,      ///< directory of individual trusted CA certificates (string)
            CERTFILE,       ///< client certificate (string)
            KEYFILE,        ///< private key matching CERTFILE (string)
            REQUIRE_CERT,   ///< server certificate checking policy (int, see verifyMode)
            PROTOCOL_MIN,   ///< minimum accepted TLS protocol version (int)
            CIPHER_SUITE,   ///< cipher suite specification and preference order (string)
            RANDOM_FILE,    ///< entropy source when /dev/[u]random is unavailable (string)
            CRLCHECK,       ///< certificate revocation checking policy (int, see crlMode)
            DHFILE,         ///< file containing DH parameters (string)
            /// @cond
            LASTOPT /* dummy: end-of-enumeration sentinel, not a valid option */
            /// @endcond
        };

        /**
         * Possible Values for the REQUIRE_CERT option
         *
         * Semantics follow TLS_REQCERT in ldap.conf(5). Only DEMAND (and its
         * synonym HARD) make a missing or unverifiable server certificate
         * fatal to the session. NEVER skips the check entirely, ALLOW
         * continues even with a bad certificate, and TRY continues when no
         * certificate is presented; with those three values the client
         * cannot detect a server impersonating the directory, so they are
         * appropriate for testing rather than production deployments.
         */
        enum verifyMode {
            NEVER=0,    ///< do not request or check the server certificate
            HARD,       ///< same as DEMAND
            DEMAND,     ///< require a valid server certificate; terminate the session otherwise
            ALLOW,      ///< request a certificate but continue if it is missing or invalid
            TRY         ///< continue if no certificate is given; terminate if an invalid one is given
        };

        /**
         * Possible Values for the CRLCHECK option
         *
         * Semantics follow TLS_CRLCHECK in ldap.conf(5). Revocation is
         * checked against CRLs located via the CACERTDIR directory, so
         * CRL_PEER / CRL_ALL are only effective when that directory is
         * configured and contains current CRLs (NOTE(review): confirm the
         * exact CRL lookup rules for the TLS backend libldap was built with).
         */
        enum crlMode {
            CRL_NONE=0, ///< no revocation checking
            CRL_PEER,   ///< check revocation of the server certificate only
            CRL_ALL     ///< check revocation of every certificate in the chain
        };


        /**
         * Default constructor. Gives access to the global TlsSettings,
         * i.e. the library-wide values rather than those of one connection.
         */
        TlsOptions();

        /**
         * Set string valued options.
         * @param opt The following string valued options are available:
         *      - TlsOptions::CACERTFILE
         *      - TlsOptions::CACERTDIR
         *      - TlsOptions::CERTFILE
         *      - TlsOptions::KEYFILE
         *      - TlsOptions::CIPHER_SUITE
         *      - TlsOptions::RANDOM_FILE
         *      - TlsOptions::DHFILE
         *  @param value The value to apply to that option,
         *      - TlsOptions::CACERTFILE:
         *          The path to the file containing all recognized Certificate
         *          Authorities. Together with CACERTDIR this defines the
         *          trust anchors used when REQUIRE_CERT verifies the server.
         *      - TlsOptions::CACERTDIR:
         *          The path to a directory containing individual files of all
         *          recognized Certificate Authority certificates (and, for
         *          CRLCHECK, the CRLs)
         *      - TlsOptions::CERTFILE:
         *          The path to the client certificate
         *      - TlsOptions::KEYFILE:
         *          The path to the file containing the private key matching the
         *          Certificate that was configured with TlsOptions::CERTFILE.
         *          The key is read by the client process, so the file should
         *          be readable by that user only.
         *      - TlsOptions::CIPHER_SUITE
         *          Specifies the cipher suite and preference order. The
         *          string format depends on the TLS library libldap was
         *          built against; see ldap.conf(5).
         *      - TlsOptions::RANDOM_FILE
         *          Specifies the file to obtain random bits from when
         *          /dev/[u]random is not available.
         *      - TlsOptions::DHFILE
         *          File containing DH parameters
         */
        void setOption(tls_option opt, const std::string& value) const;

        /**
         * Set integer valued options.
         * @param opt The following integer valued options are available:
         *      - TlsOptions::REQUIRE_CERT
         *      - TlsOptions::PROTOCOL_MIN
         *      - TlsOptions::CRLCHECK
         * @param value The value to apply to that option,
         *      - TlsOptions::REQUIRE_CERT:
         *          Possible Values (For details see the ldap.conf(5) man-page
         *          and the verifyMode documentation):
         *              - TlsOptions::NEVER
         *              - TlsOptions::HARD
         *              - TlsOptions::DEMAND
         *              - TlsOptions::ALLOW
         *              - TlsOptions::TRY
         *      - TlsOptions::PROTOCOL_MIN
         *          Lowest protocol version the client will negotiate, in the
         *          integer encoding used by the LDAP_OPT_X_TLS_PROTOCOL_*
         *          constants of <ldap.h> (see ldap.conf(5) TLS_PROTOCOL_MIN)
         *      - TlsOptions::CRLCHECK
         *          Possible Values:
         *              - TlsOptions::CRL_NONE
         *              - TlsOptions::CRL_PEER
         *              - TlsOptions::CRL_ALL
         */
        void setOption(tls_option opt, int value) const;

        /**
         * Generic setOption variant. Generally you should prefer to use one
         * of the other variants.
         * @param opt The option to set
         * @param value Buffer holding the new value; it is passed through
         *      uninterpreted, so its pointee type must be whatever libldap
         *      expects for this option (NOTE(review): presumably the
         *      ldap_set_option(3) LDAP_OPT_X_TLS_* contract — confirm in
         *      TlsOptions.cpp). The typed overloads above avoid this hazard.
         */
        void setOption(tls_option opt, void *value) const;

        /**
         * Read integer valued options
         * @param opt One of the integer valued options listed at
         *      setOption(tls_option, int)
         * @return Option value
         * @throws LDAPException in case of error (e.g. when a non-integer
         *      valued option is requested)
         */
        int getIntOption(tls_option opt) const;

        /**
         * Read string valued options
         * @param opt One of the string valued options listed at
         *      setOption(tls_option, const std::string&)
         * @return Option value
         * @throws LDAPException in case of error (e.g. when a non-string
         *      valued option is requested)
         */
        std::string getStringOption(tls_option opt) const;

        /**
         * Read options value. Usually you should prefer to use either
         * getIntOption() or getStringOption()
         * @param opt The option to read
         * @param value points to a buffer that receives the option value;
         *      its type must match what libldap returns for this option
         * @throws LDAPException in case of error
         */
        void getOption(tls_option opt, void *value ) const;

    private:
        /// Constructs an object bound to the connection handle @p ld, i.e.
        /// connection specific settings; only reachable through the
        /// LDAPAsynConnection friend class.
        TlsOptions( LDAP* ld );
        /// NOTE(review): presumably (re)creates the TLS context so that
        /// changed options take effect — not visible here, confirm in
        /// TlsOptions.cpp.
        void newCtx() const;
        /// Handle the settings are bound to. NOTE(review): the global
        /// object presumably holds a null handle here — confirm.
        LDAP *m_ld;

    friend class LDAPAsynConnection;
};

#endif /* TLS_OPTIONS_H */
