Module: sip-router Branch: janakj/ldap Commit: 110dd250960f81d1aa3238255234f228604db7ff URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=110dd250...
Author: Gergely Kovacs gergo@iptel.org Committer: Gergely Kovacs gergo@iptel.org Date: Fri Jul 18 10:02:49 2008 +0000
tls encryption support added
---
modules/db_ldap/Makefile | 2 ++ modules/db_ldap/ld_cfg.c | 18 +++++++++++++----- modules/db_ldap/ld_cfg.h | 3 +++ modules/db_ldap/ld_con.c | 33 ++++++++++++++++++++++++++++++++- modules/db_ldap/ld_uri.c | 23 +++++++++++++++++++++++ modules/db_ldap/ld_uri.h | 3 +++ modules/db_ldap/ldap.cfg | 12 ++++++++++++ 7 files changed, 88 insertions(+), 6 deletions(-)
diff --git a/modules/db_ldap/Makefile b/modules/db_ldap/Makefile
index f7b0507..e9309e2 100644
--- a/modules/db_ldap/Makefile
+++ b/modules/db_ldap/Makefile
@@ -8,6 +8,8 @@ NAME=ldap.so
#DEFS += -DLD_TEST
+DEFS += -Wall -DOPENLDAP23 + # Uncomment this if you have a recent version of libldap with # LD_SCOPE_CHILDREN defined #DEFS += -DHAVE_SCOPE_CHILDREN
diff --git a/modules/db_ldap/ld_cfg.c b/modules/db_ldap/ld_cfg.c
index 642c0b3..d3758ab 100644
--- a/modules/db_ldap/ld_cfg.c
+++ b/modules/db_ldap/ld_cfg.c
@@ -268,11 +268,14 @@ static cfg_option_t auth_values[] = {
static cfg_option_t ldap_con_options[] = {
- {"host", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
- {"port", .f = cfg_parse_int_opt},
- {"username", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
- {"password", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
- {"authtype", .param = auth_values, .f = cfg_parse_enum_opt},
+ {"host", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"port", .f = cfg_parse_int_opt},
+ {"username", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"password", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"authtype", .param = auth_values, .f = cfg_parse_enum_opt},
+ {"tls", .param = cfg_bool_values, .f = cfg_parse_enum_opt},
+ {"ca_list", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+ {"require_certificate", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
 {0}
 };
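Review bot: `require_certificate` is parsed as a free string via `cfg_parse_str_opt`, although the sample config in this commit documents only four accepted values (never/allow/try/demand), so a misspelled value is not rejected at config-parse time and its effect is decided later by libldap when the variable is consumed. Parsing it with `cfg_parse_enum_opt` over a module-local table, the way `authtype` uses `auth_values`, would refuse it at load with the file and line reported. That would also turn the value into an integer the connect code can map onto a library constant instead of forwarding raw text.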
@@ -342,6 +345,11 @@ static int parse_section(void* param, cfg_parser_t* st, unsigned int flags)
 for(i = 0; auth_values[i].name; i++) {
 auth_values[i].param = &con->authmech;
 }
+ for(i = 0; cfg_bool_values[i].name; i++) {
+ cfg_bool_values[i].param = &con->tls;
+ }
+ ldap_con_options[6].param = &con->ca_list;
+ ldap_con_options[7].param = &con->req_cert;
 } else {
 BUG("%s:%d:%d: Unsupported section type %c\n", st->file, t.start.line, t.start.col, t.type);
diff --git a/modules/db_ldap/ld_cfg.h b/modules/db_ldap/ld_cfg.h
index 1a36ee4..43abca0 100644
--- a/modules/db_ldap/ld_cfg.h
+++ b/modules/db_ldap/ld_cfg.h
@@ -49,6 +49,9 @@ struct ld_con_info {
 str username;
 str password;
 int authmech;
+ int tls; /**< TLS encryption enabled */
+ str ca_list; /**< Path of the file that contains certificates of the CAs */
+ str req_cert; /**< LDAP level of certificate request behaviour */
 struct ld_con_info* next;
 };
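Review bot: `ldap_con_options[6].param = &con->ca_list;` and the `[7]` line bind the two new fields by their position in `ldap_con_options`, so inserting or reordering an entry in that table silently wires a config key to the wrong struct member with no compile-time or runtime signal; binding by name (a short loop comparing `.name` against `"ca_list"` / `"require_certificate"`, or named index constants next to the table) removes that coupling. The loop over `cfg_bool_values` also rewrites `.param` in what, from its `cfg_` prefix, looks like a table shared with the rest of the cfg parser rather than a module-local one like `auth_values`; if that is so, any other boolean option parsed afterwards would write into the `tls` field of the most recently parsed section, which is worth confirming against the parser's declaration. The enclosing `parse_section` starts and ends outside the hunk.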
diff --git a/modules/db_ldap/ld_con.c b/modules/db_ldap/ld_con.c
index 103f1bb..b08a62b 100644
--- a/modules/db_ldap/ld_con.c
+++ b/modules/db_ldap/ld_con.c
@@ -42,7 +42,6 @@
 #include <ldap.h>
 #include <stdlib.h>
 #include <string.h>
-
 #include <sasl/sasl.h>
/** Free all memory allocated for a ld_con structure.
@@ -176,6 +175,7 @@ int ld_con_connect(db_con_t* con)
 struct ld_con* lcon;
 struct ld_uri* luri;
 int ret, version = 3;
+ char* err_str = NULL;
lcon = DB_GET_PAYLOAD(con);
 luri = DB_GET_PAYLOAD(con->uri);
@@ -193,6 +193,19 @@ int ld_con_connect(db_con_t* con)
 }
 }
+ /* we pass the TLS_REQCERT and TLS_REQCERT attributes over environment
+ variables to ldap library */
+ if (luri->tls) {
+ if (setenv("LDAPTLS_CACERT", luri->ca_list, 1)) {
+ ERR("ldap: Can't set environment variable 'LDAPTLS_CACERT'\n");
+ goto error;
+ }
+ if (setenv("LDAPTLS_REQCERT", luri->req_cert, 1)) {
+ ERR("ldap: Can't set environment variable 'LDAPTLS_REQCERT'\n");
+ goto error;
+ }
+ }
+
 ret = ldap_initialize(&lcon->con, luri->uri);
 if (lcon->con == NULL) {
 ERR("ldap: Error while initializing new LDAP connection to %s\n",
@@ -207,6 +220,24 @@ int ld_con_connect(db_con_t* con)
 goto error;
 }
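Review bot: `setenv("LDAPTLS_CACERT", luri->ca_list, 1)` and the `LDAPTLS_REQCERT` call below it receive a NULL value whenever the config section omits `ca_list` or `require_certificate`, because the ld_uri.c hunk in this commit only copies those fields when `.s` is set, and passing NULL as the value to setenv() has no portable definition. Guard each call, e.g. `if (luri->ca_list && setenv("LDAPTLS_CACERT", luri->ca_list, 1)) {`, or better refuse to connect when `tls` is on and the CA path is missing, so that server verification never rests on an unset variable. The environment is also process-wide and, as far as I can tell, consulted by libldap only when it first sets up its TLS context, so two connections with different `ca_list` values would clobber each other and the second value may never take effect; the per-handle options `LDAP_OPT_X_TLS_CACERTFILE` and `LDAP_OPT_X_TLS_REQUIRE_CERT` set through ldap_set_option() after `ldap_initialize` avoid both problems where the installed libldap provides them. The comment on the first added line names `TLS_REQCERT` twice; it should read `/* we pass the TLS_CACERT and TLS_REQCERT attributes over environment`. `ld_con_connect` begins and ends outside the hunk.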
+ if (luri->tls) {
+ ret = ldap_start_tls_s(lcon->con, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ /* get addition info of this error */
+#ifdef OPENLDAP23
+ ldap_get_option(lcon->con, LDAP_OPT_ERROR_STRING, &err_str);
+#elif OPENLDAP24
+ ldap_get_option(lcon->con, LDAP_OPT_DIAGNOSTIC_MESSAGE, &err_str);
+#endif
+ ERR("ldap: Error while starting TLS: %s\n", ldap_err2string(ret));
+ if (err_str) {
+ ERR("ldap: %s\n", err_str);
+ ldap_memfree(err_str);
+ }
+ goto error;
+ }
+ }
+
 switch (luri->authmech) {
 case LDAP_AUTHMECH_NONE:
 ret = ldap_simple_bind_s(lcon->con, NULL, NULL);
diff --git a/modules/db_ldap/ld_uri.c b/modules/db_ldap/ld_uri.c
index 5476e51..1b18879 100644
--- a/modules/db_ldap/ld_uri.c
+++ b/modules/db_ldap/ld_uri.c
@@ -285,6 +285,19 @@ int parse_ldap_uri(struct ld_uri* res, str* scheme, str* uri)
 }
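Review bot: The diagnostic-message lookup is selected by the hand-set build macros `OPENLDAP23` / `OPENLDAP24`, and the Makefile hunk in this commit hard-codes `-DOPENLDAP23`, so the `LDAP_OPT_DIAGNOSTIC_MESSAGE` branch is unreachable unless the Makefile is edited, and a build that defines neither macro silently drops the library's error text with no compile-time complaint. Keying the choice on the header that is actually included keeps it in step with the installed libldap: `#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE` / `#else` / `#endif` around the two `ldap_get_option()` calls, with the `LDAP_OPT_ERROR_STRING` call in the `#else` arm. The return value of `ldap_get_option()` is ignored; that is harmless here because `err_str` is tested before use, but a one-line comment saying so would stop the next reader from flagging it. `ld_con_connect` begins and ends outside the hunk.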
res->authmech = cfg_conn_info->authmech;
+ res->tls = cfg_conn_info->tls;
+ if (cfg_conn_info->ca_list.s) {
+ if (!(res->ca_list = pkgstrdup(&cfg_conn_info->ca_list))) {
+ ERR("ldap: No memory left\n");
+ goto err;
+ }
+ }
+ if (cfg_conn_info->req_cert.s) {
+ if (!(res->req_cert = pkgstrdup(&cfg_conn_info->req_cert))) {
+ ERR("ldap: No memory left\n");
+ goto err;
+ }
+ }
break;
 default:
@@ -304,6 +317,14 @@ int parse_ldap_uri(struct ld_uri* res, str* scheme, str* uri)
 pkg_free(res->password);
 res->password = NULL;
 }
+ if (res->ca_list) {
+ pkg_free(res->ca_list);
+ res->ca_list = NULL;
+ }
+ if (res->req_cert) {
+ pkg_free(res->req_cert);
+ res->req_cert = NULL;
+ }
 return -1;
 }
@@ -314,6 +335,8 @@ static void ld_uri_free(db_uri_t* uri, struct ld_uri* payload)
 if (payload->uri) pkg_free(payload->uri);
 if (payload->username) pkg_free(payload->username);
 if (payload->password) pkg_free(payload->password);
+ if (payload->ca_list) pkg_free(payload->ca_list);
+ if (payload->req_cert) pkg_free(payload->req_cert);
 db_drv_free(&payload->drv);
 pkg_free(payload);
 }
diff --git a/modules/db_ldap/ld_uri.h b/modules/db_ldap/ld_uri.h
index 27bfa15..43155f3 100644
--- a/modules/db_ldap/ld_uri.h
+++ b/modules/db_ldap/ld_uri.h
@@ -61,6 +61,9 @@ struct ld_uri {
 char* password;
 char* uri; /**< The whole URI, including scheme */
 int authmech;
+ int tls; /**< TLS encryption enabled */
+ char* ca_list; /**< Path of the file that contains certificates of the CAs */
+ char* req_cert; /**< LDAP level of certificate request behaviour */
 LDAPURLDesc* ldap_url; /**< URI parsed by the ldap client library */
 };
diff --git a/modules/db_ldap/ldap.cfg b/modules/db_ldap/ldap.cfg
index c21da52..d113bfb 100644
--- a/modules/db_ldap/ldap.cfg
+++ b/modules/db_ldap/ldap.cfg
@@ -24,6 +24,18 @@ password=heslo
 # Allowed values: none (default), simple, digest-md5, external
 authtype=simple
+# tls encryption
+tls=off
+
+# Specifies the file that contains certificates for all of the Certificate
+# Authorities the ldap module will recognize.
+ca_list=/home/kg/work/openssl/demoCA/cacert.pem
+
+# Specifies what checks to perform on server certificates in a TLS session
+# allowed values are never/allow/try/demand
+# see the TLS_REQCERT tls option part of ldap.conf(8) man page for more details
+require_certificate=demand
+
 #
 # Table credentials contains SIP digest authentication credentials.
 #
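Review bot: The sample value `ca_list=/home/kg/work/openssl/demoCA/cacert.pem` is a developer's home-directory path committed as the shipped default; anyone starting from this file gets a CA bundle that does not exist, and with `require_certificate=demand` every TLS connect then fails with an unhelpful libldap error. A neutral placeholder such as `ca_list=/path/to/cacert.pem` (constructed example) with a comment that it must name the bundle that issued the LDAP server's certificate would make the intent clear. The comment listing `never/allow/try/demand` could also state that `never` and `allow` accept a server certificate that cannot be verified, so the session is encrypted but the peer is not authenticated, and that `demand` is the value that gives the protection the `tls` switch implies.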