From: Howard Chu Date: Wed, 25 Sep 2024 19:08:10 +0000 (+0100) Subject: ITS#9367 back-mdb: add encryption support X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b8f32ec2fcb642275deb7e09dfc95fa4255a37a0;p=thirdparty%2Fopenldap.git ITS#9367 back-mdb: add encryption support Enabled if MDB_ENCRYPT is defined, which is currently only in mdb.master3. --- diff --git a/servers/slapd/back-mdb/back-mdb.h b/servers/slapd/back-mdb/back-mdb.h index e2d73516f5..1f9c6f811b 100644 --- a/servers/slapd/back-mdb/back-mdb.h +++ b/servers/slapd/back-mdb/back-mdb.h @@ -72,6 +72,13 @@ struct mdb_info { unsigned mi_dbenv_flags; int mi_dbenv_mode; +#ifdef MDB_ENCRYPT + char *mi_dbenv_crypto; + char *mi_dbenv_enckey; + void *mi_dbenv_encmodule; + void *mi_dbenv_encfuncs; +#endif /* MDB_ENCRYPT */ + size_t mi_mapsize; ID mi_nextid; size_t mi_maxentrysize; diff --git a/servers/slapd/back-mdb/config.c b/servers/slapd/back-mdb/config.c index 05fc23a341..d8f430ed02 100644 --- a/servers/slapd/back-mdb/config.c +++ b/servers/slapd/back-mdb/config.c @@ -29,7 +29,6 @@ #include "lutil.h" #include "ldap_rq.h" - static ConfigDriver mdb_cf_gen; static ConfigDriver mdb_bk_cfg; @@ -45,6 +44,10 @@ enum { MDB_SSTACK, MDB_MULTIVAL, MDB_IDLEXP, +#ifdef MDB_ENCRYPT + MDB_CRYPTO, + MDB_ENCKEY, +#endif }; static ConfigTable mdbcfg[] = { @@ -117,6 +120,18 @@ static ConfigTable mdbcfg[] = { "DESC 'Depth of search stack in IDLs' " "EQUALITY integerMatch " "SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL }, +#ifdef MDB_ENCRYPT + { "crypto", "module", 2, 2, 0, ARG_STRING|ARG_MAGIC|MDB_CRYPTO, + mdb_cf_gen, "( OLcfgDbAt:12.7 NAME 'olcDbCryptoModule' " + "DESC 'Encryption module to load' " + "EQUALITY caseExactMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "passphrase", "pass", 2, 2, 0, ARG_STRING|ARG_MAGIC|MDB_ENCKEY, + mdb_cf_gen, "( OLcfgDbAt:12.8 NAME 'olcDbPassphrase' " + "DESC 'Encryption passphrase' " + "EQUALITY caseExactMatch " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, +#endif { NULL, NULL, 0, 0, 0, ARG_IGNORED, NULL, NULL, NULL, NULL } }; @@ -135,10 +150,14 @@ static ConfigOCs mdbocs[] = { "DESC 'MDB database configuration' " "SUP olcDatabaseConfig " "MUST olcDbDirectory " - "MAY ( olcDbCheckpoint $ olcDbEnvFlags $ " - "olcDbNoSync $ olcDbIndex $ olcDbMaxReaders $ olcDbMaxSize $ " - "olcDbMode $ olcDbSearchStack $ olcDbMaxEntrySize $ olcDbRtxnSize $ " - "olcDbMultival ) )", + "MAY ( olcDbCheckpoint $ olcDbEnvFlags " + "$ olcDbNoSync $ olcDbIndex $ olcDbMaxReaders $ olcDbMaxSize " + "$ olcDbMode $ olcDbSearchStack $ olcDbMaxEntrySize $ olcDbRtxnSize " + "$ olcDbMultival " +#ifdef MDB_ENCRYPT + "$ olcDbCryptoModule $ olcDbPassphrase " +#endif + ") )", Cft_Database, mdbcfg+1 }, { NULL, 0, NULL } }; @@ -484,8 +503,10 @@ mdb_cf_cleanup( ConfigArgs *c ) } if ( mdb->mi_flags & MDB_RE_OPEN ) { + void *key = mdb->mi_dbenv; mdb->mi_flags ^= MDB_RE_OPEN; rc = c->be->bd_info->bi_db_close( c->be, &c->reply ); + ldap_pvt_thread_pool_purgekey( key ); if ( rc == 0 ) rc = c->be->bd_info->bi_db_open( c->be, &c->reply ); /* If this fails, we need to restart */ @@ -555,6 +576,24 @@ mdb_cf_gen( ConfigArgs *c ) } break; +#ifdef MDB_ENCRYPT + case MDB_CRYPTO: + if ( mdb->mi_dbenv_crypto ) { + c->value_string = ch_strdup( mdb->mi_dbenv_crypto ); + } else { + rc = 1; + } + break; + + case MDB_ENCKEY: + if ( mdb->mi_dbenv_enckey ) { + c->value_string = ch_strdup( mdb->mi_dbenv_enckey ); + } else { + rc = 1; + } + break; +#endif /* MDB_ENCRYPT */ + case MDB_DBNOSYNC: if ( mdb->mi_dbenv_flags & MDB_NOSYNC ) c->value_int = 1; @@ -624,8 +663,22 @@ mdb_cf_gen( ConfigArgs *c ) ch_free( mdb->mi_dbenv_home ); mdb->mi_dbenv_home = NULL; config_push_cleanup( c, mdb_cf_cleanup ); - ldap_pvt_thread_pool_purgekey( mdb->mi_dbenv ); break; +#ifdef MDB_ENCRYPT + case MDB_CRYPTO: + mdb->mi_flags |= MDB_RE_OPEN; + ch_free( mdb->mi_dbenv_crypto ); + mdb->mi_dbenv_crypto = NULL; + config_push_cleanup( c, mdb_cf_cleanup ); + break; + case MDB_ENCKEY: + mdb->mi_flags |= MDB_RE_OPEN; + ch_free( mdb->mi_dbenv_enckey ); + mdb->mi_dbenv_enckey = NULL; + config_push_cleanup( c, mdb_cf_cleanup ); + break; +#endif /* MDB_ENCRYPT */ + case MDB_DBNOSYNC: mdb_env_set_flags( mdb->mi_dbenv, MDB_NOSYNC, 0 ); mdb->mi_dbenv_flags &= ~MDB_NOSYNC; @@ -893,6 +946,37 @@ mdb_cf_gen( ConfigArgs *c ) } break; +#ifdef MDB_ENCRYPT + case MDB_CRYPTO: + if ( mdb->mi_dbenv_crypto ) { + ch_free( mdb->mi_dbenv_crypto ); + mdb->mi_dbenv_crypto = NULL; + } + if ( mdb->mi_dbenv_encmodule ) + mdb_modunload( mdb->mi_dbenv_encmodule ); + { + char *errmsg = NULL; + MDB_crypto_funcs *mcf = NULL; + + mdb->mi_dbenv_encmodule = mdb_modload( c->value_string, NULL, &mcf, &errmsg ); + if ( !mdb->mi_dbenv_encmodule ) { + snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s: couldn't load crypto module: %s", + c->log, errmsg ); + Debug( LDAP_DEBUG_ANY, "%s\n", c->cr_msg ); + return -1; + } + mdb->mi_dbenv_encfuncs = mcf; + } + mdb->mi_dbenv_crypto = c->value_string; + break; + + case MDB_ENCKEY: + if ( mdb->mi_dbenv_enckey ) + ch_free( mdb->mi_dbenv_enckey ); + mdb->mi_dbenv_enckey = c->value_string; + break; +#endif /* MDB_ENCRYPT */ + case MDB_DBNOSYNC: if ( c->value_int ) mdb->mi_dbenv_flags |= MDB_NOSYNC; diff --git a/servers/slapd/back-mdb/init.c b/servers/slapd/back-mdb/init.c index 1092faf6c5..2cbf1168a2 100644 --- a/servers/slapd/back-mdb/init.c +++ b/servers/slapd/back-mdb/init.c @@ -126,6 +126,12 @@ mdb_db_open( BackendDB *be, ConfigReply *cr ) goto fail; } +#ifdef MDB_ENCRYPT + if ( mdb->mi_dbenv_encfuncs ) { + mdb_modsetup( mdb->mi_dbenv, mdb->mi_dbenv_encfuncs, mdb->mi_dbenv_enckey ); + } +#endif + if ( mdb->mi_readers ) { rc = mdb_env_set_maxreaders( mdb->mi_dbenv, mdb->mi_readers ); if( rc != 0 ) { @@ -371,6 +377,13 @@ mdb_db_close( BackendDB *be, ConfigReply *cr ) mdb_env_close( mdb->mi_dbenv ); mdb->mi_dbenv = NULL; +#ifdef MDB_ENCRYPT + if ( mdb->mi_dbenv_encmodule ) { + mdb_modunload( mdb->mi_dbenv_encmodule ); + mdb->mi_dbenv_encmodule = NULL; + mdb->mi_dbenv_encfuncs = NULL; + } +#endif } return 0;