From ba9650667693089f0969c57f14bdfe851ae801ae Mon Sep 17 00:00:00 2001
From: Edwin Hoksberg
Date: Tue, 16 Feb 2016 09:39:58 +0100
Subject: [PATCH] LDAP - Added support to change the certificates verification
---
 ext/ldap/ldap.c | 16 +++++++++
 ext/ldap/tests/ldap_option_reqcert_basic.phpt | 21 +++++++++++
 ext/ldap/tests/ldap_option_reqcert_error.phpt | 21 +++++++++++
 .../tests/ldap_set_option_reqcert_basic.phpt | 36 +++++++++++++++++++
 .../tests/ldap_set_option_reqcert_error.phpt | 17 +++++++++
 5 files changed, 111 insertions(+)
 create mode 100644 ext/ldap/tests/ldap_option_reqcert_basic.phpt
 create mode 100644 ext/ldap/tests/ldap_option_reqcert_error.phpt
 create mode 100644 ext/ldap/tests/ldap_set_option_reqcert_basic.phpt
 create mode 100644 ext/ldap/tests/ldap_set_option_reqcert_error.phpt
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
index 68e8c95abd..c439c7358d 100644
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -227,6 +227,16 @@ PHP_MINIT_FUNCTION(ldap)
 REGISTER_LONG_CONSTANT("GSLC_SSL_TWOWAY_AUTH", GSLC_SSL_TWOWAY_AUTH, CONST_PERSISTENT | CONST_CS);
 #endif
+#if (LDAP_API_VERSION > 2000)
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_REQUIRE_CERT", LDAP_OPT_X_TLS_REQUIRE_CERT, CONST_PERSISTENT | CONST_CS);
+
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_NEVER", LDAP_OPT_X_TLS_NEVER, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_HARD", LDAP_OPT_X_TLS_HARD, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_DEMAND", LDAP_OPT_X_TLS_DEMAND, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_ALLOW", LDAP_OPT_X_TLS_ALLOW, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_TRY", LDAP_OPT_X_TLS_TRY, CONST_PERSISTENT | CONST_CS);
+#endif
+
 REGISTER_LONG_CONSTANT("LDAP_ESCAPE_FILTER", PHP_LDAP_ESCAPE_FILTER, CONST_PERSISTENT | CONST_CS);
 REGISTER_LONG_CONSTANT("LDAP_ESCAPE_DN", PHP_LDAP_ESCAPE_DN, CONST_PERSISTENT | CONST_CS);
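Review bot: The constants added to PHP_MINIT_FUNCTION(ldap) are registered under `#if (LDAP_API_VERSION > 2000)`, but the `case LDAP_OPT_X_TLS_REQUIRE_CERT:` labels added to ldap_get_option and ldap_set_option are guarded by `#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT`. The LDAP_OPT_X_TLS_* macros are supplied by the client library's headers, so a library that reports an API version above 2000 without defining them would presumably break the build at these registrations. I would use the same feature test in all three places, i.e. replace the guard here with `#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT`. The function body starts and ends outside the hunk.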
@@ -2082,6 +2092,9 @@ PHP_FUNCTION(ldap_get_option)
 case LDAP_OPT_REFERRALS:
 #ifdef LDAP_OPT_RESTART
 case LDAP_OPT_RESTART:
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ case LDAP_OPT_X_TLS_REQUIRE_CERT:
 #endif
 {
 int val;
@@ -2212,6 +2225,9 @@ PHP_FUNCTION(ldap_set_option)
 case LDAP_OPT_ERROR_NUMBER:
 #ifdef LDAP_OPT_DEBUG_LEVEL
 case LDAP_OPT_DEBUG_LEVEL:
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ case LDAP_OPT_X_TLS_REQUIRE_CERT:
 #endif
 {
 int val;
diff --git a/ext/ldap/tests/ldap_option_reqcert_basic.phpt b/ext/ldap/tests/ldap_option_reqcert_basic.phpt
new file mode 100644
index 0000000000..009ef83b69
--- /dev/null
+++ b/ext/ldap/tests/ldap_option_reqcert_basic.phpt
@@ -0,0 +1,21 @@
+--TEST--
+ldap_option_reqcert_basic() - Basic test to check if PHP can connect to a LDAP server with an invalid certificate with certificate checking disabled
+--CREDITS--
+Edwin Hoksberg
+--SKIPIF--
+
+--FILE--
+
+===DONE===
+--EXPECT--
+bool(true)
+===DONE===
diff --git a/ext/ldap/tests/ldap_option_reqcert_error.phpt b/ext/ldap/tests/ldap_option_reqcert_error.phpt
new file mode 100644
index 0000000000..1f5ac42431
--- /dev/null
+++ b/ext/ldap/tests/ldap_option_reqcert_error.phpt
@@ -0,0 +1,21 @@
+--TEST--
+ldap_option_reqcert_error() - A test to check if ldap cant connect to a LDAP server with a invalid certificate with certificate checking enabled
+--CREDITS--
+Edwin Hoksberg
+--SKIPIF--
+
+--FILE--
+
+===DONE===
+--EXPECT--
+bool(true)
+===DONE===
diff --git a/ext/ldap/tests/ldap_set_option_reqcert_basic.phpt b/ext/ldap/tests/ldap_set_option_reqcert_basic.phpt
new file mode 100644
index 0000000000..e31bf350ad
--- /dev/null
+++ b/ext/ldap/tests/ldap_set_option_reqcert_basic.phpt
@@ -0,0 +1,36 @@
+--TEST--
+ldap_option_reqcert_basic() - Error test for TLS require cert ldap option
+--CREDITS--
+Edwin Hoksberg
+--FILE--
+
+===DONE===
+--EXPECT--
+bool(true)
+int(0)
+bool(true)
+int(1)
+bool(true)
+int(2)
+bool(true)
+int(3)
+bool(true)
+int(4)
+===DONE===
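Review bot: The new `case LDAP_OPT_X_TLS_REQUIRE_CERT:` in the ldap_set_option hunk of ext/ldap/ldap.c carries no comment on its security effect, although it lets a script set LDAP_OPT_X_TLS_NEVER or LDAP_OPT_X_TLS_ALLOW and so continue a TLS session without a validated server certificate. I would add a comment on the case such as `/* NEVER and ALLOW accept an unverified server certificate; DEMAND or HARD is required for server authentication */`, and say the same in the user documentation for the new constants. The shared integer branch begins at `int val;` and continues outside the hunk, so whether an out-of-range value is rejected in PHP or only by the library cannot be confirmed here; the `bool(false)` expected by ldap_set_option_reqcert_error.phpt suggests that some layer does reject it.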
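Review bot: ext/ldap/tests/ldap_set_option_reqcert_basic.phpt has no `--SKIPIF--` section, unlike the other three new tests, so it would presumably run and fail on a build where the ldap extension or the new constants are unavailable. Its `--TEST--` title reads `ldap_option_reqcert_basic() - Error test for TLS require cert ldap option`, which is identical to the title in ldap_set_option_reqcert_error.phpt and describes neither file correctly; something like `ldap_set_option() - Basic test for TLS require cert ldap option` here and `ldap_set_option() - Error test ...` in the error file would tell them apart. The expected output also hard-codes `int(0)` through `int(4)`; the test body is not visible on this page, but if those are the values of the LDAP_OPT_X_TLS_* constants, the test is tied to one library's header values.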
diff --git a/ext/ldap/tests/ldap_set_option_reqcert_error.phpt b/ext/ldap/tests/ldap_set_option_reqcert_error.phpt
new file mode 100644
index 0000000000..1a7796b760
--- /dev/null
+++ b/ext/ldap/tests/ldap_set_option_reqcert_error.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ldap_option_reqcert_basic() - Error test for TLS require cert ldap option
+--CREDITS--
+Edwin Hoksberg
+--SKIPIF--
+
+--FILE--
+
+===DONE===
+--EXPECT--
+bool(false)
+===DONE===
--
2.50.1