[SR-Dev] git:janakj/ldap: tls encryption support added

Jan Janak jan at iptel.org
Fri Feb 13 00:57:04 CET 2009


Module: sip-router
Branch: janakj/ldap
Commit: 110dd250960f81d1aa3238255234f228604db7ff
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=110dd250960f81d1aa3238255234f228604db7ff

Author: Gergely Kovacs <gergo at iptel.org>
Committer: Gergely Kovacs <gergo at iptel.org>
Date:   Fri Jul 18 10:02:49 2008 +0000

tls encryption support added

---

 modules/db_ldap/Makefile |    2 ++
 modules/db_ldap/ld_cfg.c |   18 +++++++++++++-----
 modules/db_ldap/ld_cfg.h |    3 +++
 modules/db_ldap/ld_con.c |   33 ++++++++++++++++++++++++++++++++-
 modules/db_ldap/ld_uri.c |   23 +++++++++++++++++++++++
 modules/db_ldap/ld_uri.h |    3 +++
 modules/db_ldap/ldap.cfg |   12 ++++++++++++
 7 files changed, 88 insertions(+), 6 deletions(-)

diff --git a/modules/db_ldap/Makefile b/modules/db_ldap/Makefile
index f7b0507..e9309e2 100644
--- a/modules/db_ldap/Makefile
+++ b/modules/db_ldap/Makefile
@@ -8,6 +8,8 @@ NAME=ldap.so
 
 #DEFS += -DLD_TEST
 
+DEFS += -Wall -DOPENLDAP23
+
 # Uncomment this if you have a recent version of libldap with
 # LD_SCOPE_CHILDREN defined
 #DEFS += -DHAVE_SCOPE_CHILDREN
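Review bot: `DEFS += -Wall -DOPENLDAP23` hard-codes the libldap generation, so the `#elif OPENLDAP24` branch that ld_con.c adds in the same commit is unreachable unless someone edits this Makefile by hand; a build against a 2.4 libldap with this line unchanged silently takes the 2.3 path. The two branches differ only in the option name, so the define can go and ld_con.c can test the header instead, `#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE`, which ldap.h provides from OpenLDAP 2.4 on (2.4 also keeps LDAP_OPT_ERROR_STRING as an alias). A one-line comment explaining what OPENLDAP23 selects would help if the define is kept.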
diff --git a/modules/db_ldap/ld_cfg.c b/modules/db_ldap/ld_cfg.c
index 642c0b3..d3758ab 100644
--- a/modules/db_ldap/ld_cfg.c
+++ b/modules/db_ldap/ld_cfg.c
@@ -268,11 +268,14 @@ static cfg_option_t auth_values[] = {
 
 
 static cfg_option_t ldap_con_options[] = {
-	{"host",     .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
-	{"port",     .f = cfg_parse_int_opt},
-	{"username", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
-	{"password", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
-	{"authtype", .param = auth_values, .f = cfg_parse_enum_opt},
+	{"host",     		.f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+	{"port",     		.f = cfg_parse_int_opt},
+	{"username", 		.f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+	{"password", 		.f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+	{"authtype", 		.param = auth_values, .f = cfg_parse_enum_opt},
+	{"tls",			.param = cfg_bool_values, .f = cfg_parse_enum_opt},
+	{"ca_list",  		.f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
+	{"require_certificate", .f = cfg_parse_str_opt, .flags = CFG_STR_PKGMEM},
 	{0}
 };
 
@@ -342,6 +345,11 @@ static int parse_section(void* param, cfg_parser_t* st, unsigned int flags)
 		for(i = 0; auth_values[i].name; i++) {
 			auth_values[i].param = &con->authmech;
 		}
+		for(i = 0; cfg_bool_values[i].name; i++) {
+			cfg_bool_values[i].param = &con->tls;
+		}
+		ldap_con_options[6].param = &con->ca_list;
+		ldap_con_options[7].param = &con->req_cert;
 	} else {
 		BUG("%s:%d:%d: Unsupported section type %c\n",
 			st->file, t.start.line, t.start.col, t.type);
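Review bot: `ldap_con_options[6].param` and `ldap_con_options[7].param` bind ca_list and req_cert by table position, so any insertion or reordering in ldap_con_options silently rebinds them to the wrong field; a comment such as `/* indexes must match the order of ldap_con_options above */` or a lookup by option name would make the coupling explicit. cfg_bool_values also looks like a table shared by the whole cfg parser rather than a file-local one like auth_values, and the loop rewrites its param pointers to `&con->tls`; that presumably works because the parser consumes it immediately, but any other user of the same table would see the last writer's pointer, which is worth confirming. parse_section starts and ends outside this hunk.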
diff --git a/modules/db_ldap/ld_cfg.h b/modules/db_ldap/ld_cfg.h
index 1a36ee4..43abca0 100644
--- a/modules/db_ldap/ld_cfg.h
+++ b/modules/db_ldap/ld_cfg.h
@@ -49,6 +49,9 @@ struct ld_con_info {
 	str username;
 	str password;
 	int authmech;
+	int tls;  /**<  TLS encryption enabled */
+	str ca_list;  /**< Path of the file that contains certificates of the CAs */
+	str req_cert;  /**< LDAP level of certificate request behaviour */
 	struct ld_con_info* next;
 };
 
diff --git a/modules/db_ldap/ld_con.c b/modules/db_ldap/ld_con.c
index 103f1bb..b08a62b 100644
--- a/modules/db_ldap/ld_con.c
+++ b/modules/db_ldap/ld_con.c
@@ -42,7 +42,6 @@
 #include <ldap.h>
 #include <stdlib.h>
 #include <string.h>
-
 #include <sasl/sasl.h>
 
 /** Free all memory allocated for a ld_con structure.
@@ -176,6 +175,7 @@ int ld_con_connect(db_con_t* con)
 	struct ld_con* lcon;
 	struct ld_uri* luri;
 	int ret, version = 3;
+	char* err_str = NULL;
 
 	lcon = DB_GET_PAYLOAD(con);
 	luri = DB_GET_PAYLOAD(con->uri);
@@ -193,6 +193,19 @@ int ld_con_connect(db_con_t* con)
 		}
 	}
 
+	/* we pass the TLS_REQCERT and TLS_REQCERT attributes over environment
+	   variables to ldap library */
+	if (luri->tls) {
+		if (setenv("LDAPTLS_CACERT", luri->ca_list, 1)) {
+			ERR("ldap: Can't set environment variable 'LDAPTLS_CACERT'\n");
+			goto error;
+		}
+		if (setenv("LDAPTLS_REQCERT", luri->req_cert, 1)) {
+			ERR("ldap: Can't set environment variable 'LDAPTLS_REQCERT'\n");
+			goto error;
+		}
+	}
+
 	ret = ldap_initialize(&lcon->con, luri->uri);
 	if (lcon->con == NULL) {
 		ERR("ldap: Error while initializing new LDAP connection to %s\n",
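Review bot: `setenv("LDAPTLS_CACERT", luri->ca_list, 1)` is reached with a NULL value when tls is on but ca_list was not configured, since ld_uri.c only duplicates the string when the option was present, and the same applies to req_cert on the next call; setenv does not accept a NULL value, so this is a crash rather than a configuration error. Guard each call, `if (luri->ca_list && setenv("LDAPTLS_CACERT", luri->ca_list, 1)) {` and likewise for req_cert, or reject tls=on without a CA list at config time. The environment is also process-wide, so the values set for this connection apply to every other LDAP connection in the process and, as far as I recall libldap, are only consulted when its global options are initialised, so a second connection with a different CA file would keep the first one's; per-connection `ldap_set_option(lcon->con, LDAP_OPT_X_TLS_CACERTFILE, luri->ca_list)` (and the integer LDAP_OPT_X_TLS_REQUIRE_CERT levels for req_cert) would avoid both problems. The comment above the block names TLS_REQCERT twice; the first should be TLS_CACERT. ld_con_connect starts before this hunk.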
@@ -207,6 +220,24 @@ int ld_con_connect(db_con_t* con)
 		goto error;
 	}
 
+	if (luri->tls) {
+		ret = ldap_start_tls_s(lcon->con, NULL, NULL);
+		if (ret != LDAP_SUCCESS) {
+			/* get addition info of this error */
+#ifdef OPENLDAP23
+			ldap_get_option(lcon->con, LDAP_OPT_ERROR_STRING, &err_str);
+#elif OPENLDAP24
+			ldap_get_option(lcon->con, LDAP_OPT_DIAGNOSTIC_MESSAGE, &err_str);
+#endif
+			ERR("ldap: Error while starting TLS: %s\n", ldap_err2string(ret));
+			if (err_str) {
+				ERR("ldap: %s\n", err_str);
+				ldap_memfree(err_str);
+			}
+			goto error;
+		}
+	}
+
 	switch (luri->authmech) {
 		case LDAP_AUTHMECH_NONE:
 			ret = ldap_simple_bind_s(lcon->con, NULL, NULL);
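Review bot: ldap_start_tls_s is issued whenever `luri->tls` is set, without looking at the scheme of luri->uri; on a connection opened from an ldaps:// URI the session is already encrypted and, as far as I recall libldap, StartTLS then fails with a local error, so tls=on combined with an ldaps URI would make the connection unusable. Either skip the call when the URI scheme is ldaps, or state in the option's documentation that `tls` means StartTLS on a plain ldap:// connection. The error handling itself is sound: err_str is only printed and freed when ldap_get_option set it, and the failed handshake goes to the common error path. ld_con_connect continues outside this hunk.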
diff --git a/modules/db_ldap/ld_uri.c b/modules/db_ldap/ld_uri.c
index 5476e51..1b18879 100644
--- a/modules/db_ldap/ld_uri.c
+++ b/modules/db_ldap/ld_uri.c
@@ -285,6 +285,19 @@ int parse_ldap_uri(struct ld_uri* res, str* scheme, str* uri)
 		}
 
 		res->authmech = cfg_conn_info->authmech;
+		res->tls = cfg_conn_info->tls;
+		if (cfg_conn_info->ca_list.s) {
+			if (!(res->ca_list = pkgstrdup(&cfg_conn_info->ca_list))) {
+					ERR("ldap: No memory left\n");
+					goto err;
+			}
+		}
+		if (cfg_conn_info->req_cert.s) {
+			if (!(res->req_cert = pkgstrdup(&cfg_conn_info->req_cert))) {
+					ERR("ldap: No memory left\n");
+					goto err;
+			}
+		}
 
 		break;
 	default:
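Review bot: The `ERR("ldap: No memory left\n");` and `goto err;` lines inside the two new `if (!(res->ca_list = pkgstrdup(...)))` blocks are indented one tab deeper than their enclosing `if`, which reads as a further nested block that is not there; they should sit one level in from the `if`. The two copy-or-fail blocks are identical apart from the field, so a small static helper taking a `str*` and a `char**` would remove the duplication, but that is optional. parse_ldap_uri starts before this hunk.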
@@ -304,6 +317,14 @@ int parse_ldap_uri(struct ld_uri* res, str* scheme, str* uri)
 		pkg_free(res->password);
 		res->password = NULL;
 	}
+	if (res->ca_list) {
+		pkg_free(res->ca_list);
+		res->ca_list = NULL;
+	}
+	if (res->req_cert) {
+		pkg_free(res->req_cert);
+		res->req_cert = NULL;
+	}
 	return -1;
 }
 
@@ -314,6 +335,8 @@ static void ld_uri_free(db_uri_t* uri, struct ld_uri* payload)
 	if (payload->uri) pkg_free(payload->uri);
     if (payload->username) pkg_free(payload->username);
     if (payload->password) pkg_free(payload->password);
+    if (payload->ca_list) pkg_free(payload->ca_list);
+    if (payload->req_cert) pkg_free(payload->req_cert);
 	db_drv_free(&payload->drv);
 	pkg_free(payload);
 }
diff --git a/modules/db_ldap/ld_uri.h b/modules/db_ldap/ld_uri.h
index 27bfa15..43155f3 100644
--- a/modules/db_ldap/ld_uri.h
+++ b/modules/db_ldap/ld_uri.h
@@ -61,6 +61,9 @@ struct ld_uri {
 	char* password;
 	char* uri;             /**< The whole URI, including scheme */
 	int authmech;
+	int tls;  /**<  TLS encryption enabled */
+	char* ca_list;  /**< Path of the file that contains certificates of the CAs */
+	char* req_cert;  /**< LDAP level of certificate request behaviour */
 	LDAPURLDesc* ldap_url; /**< URI parsed by the ldap client library */
 };
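Review bot: The new `ca_list` and `req_cert` members are documented as a path and a level but not as optional: parse_ldap_uri fills them only when the corresponding option was configured, so they stay NULL otherwise (assuming res is zeroed before parsing, which I cannot see here), and ld_con.c hands them straight to setenv. Suggest `char* ca_list;  /**< PEM file with the CA certificates to trust, NULL when not configured */` and `char* req_cert;  /**< TLS_REQCERT level (never/allow/try/demand), NULL when not configured */`, and for `tls` a note that it requests StartTLS on the connection rather than an ldaps:// scheme.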
 
diff --git a/modules/db_ldap/ldap.cfg b/modules/db_ldap/ldap.cfg
index c21da52..d113bfb 100644
--- a/modules/db_ldap/ldap.cfg
+++ b/modules/db_ldap/ldap.cfg
@@ -24,6 +24,18 @@ password=heslo
 # Allowed values: none (default), simple, digest-md5, external
 authtype=simple
 
+# tls encryption
+tls=off
+
+# Specifies the file that contains certificates for all of the Certificate
+# Authorities the ldap module will recognize.
+ca_list=/home/kg/work/openssl/demoCA/cacert.pem
+
+# Specifies what checks to perform on server certificates in a TLS session
+# allowed values are never/allow/try/demand
+# see the TLS_REQCERT tls option part of ldap.conf(8) man page for more details
+require_certificate=demand
+
 #
 # Table credentials contains SIP digest authentication credentials.
 #
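Review bot: `ca_list=/home/kg/work/openssl/demoCA/cacert.pem` ships a developer's home directory as the sample value; a neutral placeholder such as `ca_list=/path/to/ca-bundle.pem` avoids a copied configuration pointing at a file that does not exist. The comment on require_certificate lists the accepted values but not their effect: with `never` or `allow` the server certificate is not verified, so the comment should say that `demand` is the value that actually authenticates the server and the others are for testing only. It would also help to state that `tls=on` performs StartTLS on the ldap:// connection and that ca_list and require_certificate are only consulted when it is on.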



