From c0e8bde10497b5525de453e9d2d272825c23ca90 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 27 Sep 2018 09:58:10 -0600
Subject: [PATCH] Add support for OpenLDAP's TLS_REQCERT setting in ldap.conf.

---
 doc/sudoers.ldap.cat             | 28 +++++++++++++++++++++-
 doc/sudoers.ldap.man.in          | 41 +++++++++++++++++++++++++++++++-
 doc/sudoers.ldap.mdoc.in         | 34 +++++++++++++++++++++++++-
 plugins/sudoers/ldap_conf.c      | 26 ++++++++++++++++++++
 plugins/sudoers/sudo_ldap_conf.h | 12 ++++++----
 5 files changed, 133 insertions(+), 8 deletions(-)

diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat
index cf55e628a..a0f862253 100644
--- a/doc/sudoers.ldap.cat
+++ b/doc/sudoers.ldap.cat
@@ -660,6 +660,32 @@ DDEESSCCRRIIPPTTIIOONN
            key database and create a _s_t_a_s_h _f_i_l_e.  This option is only
            supported by the Tivoli LDAP libraries.
 
+     TTLLSS__RREEQQCCEERRTT _l_e_v_e_l
+           The TTLLSS__RREEQQCCEERRTT parameter controls how the LDAP server's TLS
+           certificated will be verified (if at all).  If the server's TLS
+           certificate cannot be verified (usually because it is signed by an
+           unknown certificate authority), ssuuddoo will be unable to connect to
+           it.  The following _l_e_v_e_l values are supported:
+
+               never     The server certificate will not be requested or
+                         checked.
+
+               allow     The server certificate will be requested.  A missing
+                         or invalid certificate is ignored and not considered
+                         an error.
+
+               try       The server certificate will be requested.  A missing
+                         certificate is ignored but an invalid certificate
+                         will result in a connection error.
+
+               demand | _h_a_r_d
+                         The server certificate will be requested.  A missing
+                         or invalid certificate will result in a connection
+                         error.  This is the default behavior.
+
+           This option is only supported by the OpenLDAP libraries.  Other
+           LDAP libraries only support the TTLLSS__CCHHEECCKKPPEEEERR parameter.
+
      TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
            The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
            for systems that lack a random device.  It is generally used in
@@ -985,4 +1011,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.25                      June 25, 2018                     Sudo 1.8.25
+Sudo 1.8.26                   September 27, 2018                   Sudo 1.8.26
diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in
index 979e83d75..cba93b918 100644
--- a/doc/sudoers.ldap.man.in
+++ b/doc/sudoers.ldap.man.in
@@ -15,7 +15,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDOERS.LDAP" "5" "June 25, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "September 27, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1165,6 +1165,45 @@ utility can be used to manage the key database and create a
 This option is only supported by the Tivoli LDAP libraries.
 .RE
 .TP 6n
+\fBTLS_REQCERT\fR \fIlevel\fR
+The
+\fBTLS_REQCERT\fR
+parameter controls how the LDAP server's TLS certificated will be
+verified (if at all).
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+\fBsudo\fR
+will be unable to connect to it.
+The following
+\fIlevel\fR
+values are supported:
+.RS 10n
+.TP 10n
+never
+The server certificate will not be requested or checked.
+.TP 10n
+allow
+The server certificate will be requested.
+A missing or invalid certificate is ignored and not considered an error.
+.TP 10n
+try
+The server certificate will be requested.
+A missing certificate is ignored but an invalid certificate will
+result in a connection error.
+.TP 10n
+demand | \fIhard\fR
+The server certificate will be requested.
+A missing or invalid certificate will result in a connection error.
+This is the default behavior.
+.RE
+.RS 6n
+.sp
+This option is only supported by the OpenLDAP libraries.
+Other LDAP libraries only support the
+\fBTLS_CHECKPEER\fR
+parameter.
+.RE
+.TP 6n
 \fBTLS_RANDFILE\fR \fIfile name\fR
 The
 \fBTLS_RANDFILE\fR
diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in
index 982b80fb4..06dd833f5 100644
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 25, 2018
+.Dd September 27, 2018
 .Dt SUDOERS.LDAP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1063,6 +1063,38 @@ The
 utility can be used to manage the key database and create a
 .Em stash file .
 This option is only supported by the Tivoli LDAP libraries.
+.It Sy TLS_REQCERT Ar level
+The
+.Sy TLS_REQCERT
+parameter controls how the LDAP server's TLS certificated will be
+verified (if at all).
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+.Nm sudo
+will be unable to connect to it.
+The following
+.Ar level
+values are supported:
+.Bl -tag -width 8n -offset 4n
+.It never
+The server certificate will not be requested or checked.
+.It allow
+The server certificate will be requested.
+A missing or invalid certificate is ignored and not considered an error.
+.It try
+The server certificate will be requested.
+A missing certificate is ignored but an invalid certificate will
+result in a connection error.
+.It demand No | Ar hard
+The server certificate will be requested.
+A missing or invalid certificate will result in a connection error.
+This is the default behavior.
+.El
+.Pp
+This option is only supported by the OpenLDAP libraries.
+Other LDAP libraries only support the
+.Sy TLS_CHECKPEER
+parameter.
 .It Sy TLS_RANDFILE Ar file name
 The
 .Sy TLS_RANDFILE
diff --git a/plugins/sudoers/ldap_conf.c b/plugins/sudoers/ldap_conf.c
index 31c8babe5..9d18f6d8a 100644
--- a/plugins/sudoers/ldap_conf.c
+++ b/plugins/sudoers/ldap_conf.c
@@ -87,6 +87,8 @@ static struct ldap_config_table ldap_conf_global[] = {
 #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
     { "tls_checkpeer", CONF_BOOL, LDAP_OPT_X_TLS_REQUIRE_CERT,
 	&ldap_conf.tls_checkpeer },
+    { "tls_reqcert", CONF_REQCERT_VAL, LDAP_OPT_X_TLS_REQUIRE_CERT,
+	&ldap_conf.tls_reqcert },
 #else
     { "tls_checkpeer", CONF_BOOL, -1, &ldap_conf.tls_checkpeer },
 #endif
@@ -403,6 +405,20 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
 		else
 		    *(int *)(cur->valp) = LDAP_DEREF_NEVER;
 		break;
+	    case CONF_REQCERT_VAL:
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+		if (strcasecmp(value, "never") == 0)
+		    *(int *)(cur->valp) = LDAP_OPT_X_TLS_NEVER;
+		else if (strcasecmp(value, "allow") == 0)
+		    *(int *)(cur->valp) = LDAP_OPT_X_TLS_ALLOW;
+		else if (strcasecmp(value, "try") == 0)
+		    *(int *)(cur->valp) = LDAP_OPT_X_TLS_TRY;
+		else if (strcasecmp(value, "hard") == 0)
+		    *(int *)(cur->valp) = LDAP_OPT_X_TLS_HARD;
+		else if (strcasecmp(value, "demand") == 0)
+		    *(int *)(cur->valp) = LDAP_OPT_X_TLS_DEMAND;
+#endif
+		break;
 	    case CONF_BOOL:
 		*(int *)(cur->valp) = sudo_strtobool(value) == true;
 		break;
@@ -517,6 +533,7 @@ sudo_ldap_read_config(void)
     ldap_conf.version = 3;
     ldap_conf.port = -1;
     ldap_conf.tls_checkpeer = -1;
+    ldap_conf.tls_reqcert = -1;
     ldap_conf.timelimit = -1;
     ldap_conf.timeout = -1;
     ldap_conf.bind_timelimit = -1;
@@ -619,6 +636,15 @@ sudo_ldap_read_config(void)
 	DPRINTF1("tls_checkpeer    %s",
 	    ldap_conf.tls_checkpeer ? "(yes)" : "(no)");
     }
+    if (ldap_conf.tls_reqcert != -1) {
+	DPRINTF1("tls_reqcert    %s",
+	    ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_NEVER ? "hard" :
+	    ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_ALLOW ? "allow" :
+	    ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_TRY ? "try" :
+	    ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_HARD ? "hard" :
+	    ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_DEMAND ? "demand" :
+	    "unknown");
+    }
     if (ldap_conf.tls_cacertfile != NULL) {
 	DPRINTF1("tls_cacertfile   %s", ldap_conf.tls_cacertfile);
     }
diff --git a/plugins/sudoers/sudo_ldap_conf.h b/plugins/sudoers/sudo_ldap_conf.h
index 49c7f1eef..363ab43cb 100644
--- a/plugins/sudoers/sudo_ldap_conf.h
+++ b/plugins/sudoers/sudo_ldap_conf.h
@@ -55,11 +55,12 @@
 } while (0)
 #endif
 
-#define CONF_BOOL	0
-#define CONF_INT	1
-#define CONF_STR	2
-#define CONF_LIST_STR	4
-#define CONF_DEREF_VAL	5
+#define CONF_BOOL		0
+#define CONF_INT		1
+#define CONF_STR		2
+#define CONF_LIST_STR		4
+#define CONF_DEREF_VAL		5
+#define CONF_REQCERT_VAL	6
 
 #define SUDO_LDAP_CLEAR		0
 #define SUDO_LDAP_SSL		1
@@ -85,6 +86,7 @@ struct ldap_config {
     int debug;
     int ldap_debug;
     int tls_checkpeer;
+    int tls_reqcert;
     int timelimit;
     int timeout;
     int bind_timelimit;
-- 
2.40.0