From c0e8bde10497b5525de453e9d2d272825c23ca90 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 27 Sep 2018 09:58:10 -0600 Subject: [PATCH] Add support for OpenLDAP's TLS_REQCERT setting in ldap.conf. --- doc/sudoers.ldap.cat | 28 +++++++++++++++++++++- doc/sudoers.ldap.man.in | 41 +++++++++++++++++++++++++++++++- doc/sudoers.ldap.mdoc.in | 34 +++++++++++++++++++++++++- plugins/sudoers/ldap_conf.c | 26 ++++++++++++++++++++ plugins/sudoers/sudo_ldap_conf.h | 12 ++++++---- 5 files changed, 133 insertions(+), 8 deletions(-) diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index cf55e628a..a0f862253 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat 
@@ -660,6 +660,32 @@ DDEESSCCRRIIPPTTIIOONN key database and create a _s_t_a_s_h _f_i_l_e. This option is only supported by the Tivoli LDAP libraries. + TTLLSS__RREEQQCCEERRTT _l_e_v_e_l + The TTLLSS__RREEQQCCEERRTT parameter controls how the LDAP server's TLS + certificated will be verified (if at all). If the server's TLS + certificate cannot be verified (usually because it is signed by an + unknown certificate authority), ssuuddoo will be unable to connect to + it. The following _l_e_v_e_l values are supported: + + never The server certificate will not be requested or + checked. + + allow The server certificate will be requested. A missing + or invalid certificate is ignored and not considered + an error. + + try The server certificate will be requested. A missing + certificate is ignored but an invalid certificate + will result in a connection error. + + demand | _h_a_r_d + The server certificate will be requested. A missing + or invalid certificate will result in a connection + error. This is the default behavior. + + This option is only supported by the OpenLDAP libraries. Other + LDAP libraries only support the TTLLSS__CCHHEECCKKPPEEEERR parameter. + TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source for systems that lack a random device. It is generally used in @@ -985,4 +1011,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.25 June 25, 2018 Sudo 1.8.25 +Sudo 1.8.26 September 27, 2018 Sudo 1.8.26 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 979e83d75..cba93b918 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in 
@@ -15,7 +15,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "5" "June 25, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "5" "September 27, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -1165,6 +1165,45 @@ utility can be used to manage the key database and create a This option is only supported by the Tivoli LDAP libraries. .RE .TP 6n +\fBTLS_REQCERT\fR \fIlevel\fR +The +\fBTLS_REQCERT\fR +parameter controls how the LDAP server's TLS certificated will be +verified (if at all). +If the server's TLS certificate cannot be verified (usually because it +is signed by an unknown certificate authority), +\fBsudo\fR +will be unable to connect to it. +The following +\fIlevel\fR +values are supported: +.RS 10n +.TP 10n +never +The server certificate will not be requested or checked. +.TP 10n +allow +The server certificate will be requested. +A missing or invalid certificate is ignored and not considered an error. +.TP 10n +try +The server certificate will be requested. +A missing certificate is ignored but an invalid certificate will +result in a connection error. +.TP 10n +demand | \fIhard\fR +The server certificate will be requested. +A missing or invalid certificate will result in a connection error. +This is the default behavior. +.RE +.RS 6n +.sp +This option is only supported by the OpenLDAP libraries. +Other LDAP libraries only support the +\fBTLS_CHECKPEER\fR +parameter. +.RE +.TP 6n \fBTLS_RANDFILE\fR \fIfile name\fR The \fBTLS_RANDFILE\fR diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index 982b80fb4..06dd833f5 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in 
@@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 25, 2018 +.Dd September 27, 2018 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1063,6 +1063,38 @@ The utility can be used to manage the key database and create a .Em stash file . This option is only supported by the Tivoli LDAP libraries. +.It Sy TLS_REQCERT Ar level +The +.Sy TLS_REQCERT +parameter controls how the LDAP server's TLS certificated will be +verified (if at all). +If the server's TLS certificate cannot be verified (usually because it +is signed by an unknown certificate authority), +.Nm sudo +will be unable to connect to it. +The following +.Ar level +values are supported: +.Bl -tag -width 8n -offset 4n +.It never +The server certificate will not be requested or checked. +.It allow +The server certificate will be requested. +A missing or invalid certificate is ignored and not considered an error. +.It try +The server certificate will be requested. +A missing certificate is ignored but an invalid certificate will +result in a connection error. +.It demand No | Ar hard +The server certificate will be requested. +A missing or invalid certificate will result in a connection error. +This is the default behavior. +.El +.Pp +This option is only supported by the OpenLDAP libraries. +Other LDAP libraries only support the +.Sy TLS_CHECKPEER +parameter. .It Sy TLS_RANDFILE Ar file name The .Sy TLS_RANDFILE diff --git a/plugins/sudoers/ldap_conf.c b/plugins/sudoers/ldap_conf.c index 31c8babe5..9d18f6d8a 100644 --- a/plugins/sudoers/ldap_conf.c +++ b/plugins/sudoers/ldap_conf.c 
@@ -87,6 +87,8 @@ static struct ldap_config_table ldap_conf_global[] = { #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT { "tls_checkpeer", CONF_BOOL, LDAP_OPT_X_TLS_REQUIRE_CERT, &ldap_conf.tls_checkpeer }, + { "tls_reqcert", CONF_REQCERT_VAL, LDAP_OPT_X_TLS_REQUIRE_CERT, + &ldap_conf.tls_reqcert }, #else { "tls_checkpeer", CONF_BOOL, -1, &ldap_conf.tls_checkpeer }, #endif @@ -403,6 +405,20 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value, else *(int *)(cur->valp) = LDAP_DEREF_NEVER; break; + case CONF_REQCERT_VAL: +#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + if (strcasecmp(value, "never") == 0) + *(int *)(cur->valp) = LDAP_OPT_X_TLS_NEVER; + else if (strcasecmp(value, "allow") == 0) + *(int *)(cur->valp) = LDAP_OPT_X_TLS_ALLOW; + else if (strcasecmp(value, "try") == 0) + *(int *)(cur->valp) = LDAP_OPT_X_TLS_TRY; + else if (strcasecmp(value, "hard") == 0) + *(int *)(cur->valp) = LDAP_OPT_X_TLS_HARD; + else if (strcasecmp(value, "demand") == 0) + *(int *)(cur->valp) = LDAP_OPT_X_TLS_DEMAND; +#endif + break; case CONF_BOOL: *(int *)(cur->valp) = sudo_strtobool(value) == true; break; @@ -517,6 +533,7 @@ sudo_ldap_read_config(void) ldap_conf.version = 3; ldap_conf.port = -1; ldap_conf.tls_checkpeer = -1; + ldap_conf.tls_reqcert = -1; ldap_conf.timelimit = -1; ldap_conf.timeout = -1; ldap_conf.bind_timelimit = -1; @@ -619,6 +636,15 @@ sudo_ldap_read_config(void) DPRINTF1("tls_checkpeer %s", ldap_conf.tls_checkpeer ? "(yes)" : "(no)"); } + if (ldap_conf.tls_reqcert != -1) { + DPRINTF1("tls_reqcert %s", + ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_NEVER ? "hard" : + ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_ALLOW ? "allow" : + ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_TRY ? "try" : + ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_HARD ? "hard" : + ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_DEMAND ? "demand" : + "unknown"); + } if (ldap_conf.tls_cacertfile != NULL) { DPRINTF1("tls_cacertfile %s", ldap_conf.tls_cacertfile); } 
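Review bot: The new `tls_reqcert` table entry targets the same `LDAP_OPT_X_TLS_REQUIRE_CERT` option as the existing `tls_checkpeer` entry directly above it, and nothing here says which setting wins when an ldap.conf contains both. The code that walks `ldap_conf_global[]` and applies each entry to the LDAP handle is outside this hunk, so the precedence can only be inferred from table order. A trailing comment on the new entry, `/* Overlaps tls_checkpeer: both set LDAP_OPT_X_TLS_REQUIRE_CERT. */`, plus a sentence on precedence in the man page would spare the next reader the guess. The `ldap_conf_global[]` initializer starts and ends outside the hunk.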
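Review bot: An unrecognized `tls_reqcert` value is silently dropped in the new `CONF_REQCERT_VAL` case: when none of the five `strcasecmp` arms match, no diagnostic is produced and `*(int *)(cur->valp)` keeps whatever it held, which per the `sudo_ldap_read_config` hunk below is the -1 "unset" sentinel. The sibling `CONF_DEREF_VAL` case just above ends in an explicit `else` fallback, and this case should at least warn, since a typo here decides whether the server supplying sudoers policy is authenticated and the admin would never learn the keyword was ignored. Leaving the field unset appears to fail closed given the documented `demand` default, but that depends on how the -1 value is treated when options are applied, which is not visible in this hunk. Add an `else` branch that reports the bad value through whatever warning call ldap_conf.c already uses for invalid ldap.conf settings. `sudo_ldap_parse_keyword` begins and ends outside the hunk.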
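Review bot: The first arm of the new `DPRINTF1("tls_reqcert %s", ...)` ternary chain prints `"hard"` for `LDAP_OPT_X_TLS_NEVER`, so a debug log would report the strictest level precisely when the server certificate is not checked at all. Change it to `ldap_conf.tls_reqcert == LDAP_OPT_X_TLS_NEVER ? "never" :`. This is worse than an ordinary log typo because that line is what an administrator would use to confirm certificate verification is enabled. The enclosing `sudo_ldap_read_config` body continues outside the hunk.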
diff --git a/plugins/sudoers/sudo_ldap_conf.h b/plugins/sudoers/sudo_ldap_conf.h index 49c7f1eef..363ab43cb 100644 --- a/plugins/sudoers/sudo_ldap_conf.h +++ b/plugins/sudoers/sudo_ldap_conf.h @@ -55,11 +55,12 @@ } while (0) #endif -#define CONF_BOOL 0 -#define CONF_INT 1 -#define CONF_STR 2 -#define CONF_LIST_STR 4 -#define CONF_DEREF_VAL 5 +#define CONF_BOOL 0 +#define CONF_INT 1 +#define CONF_STR 2 +#define CONF_LIST_STR 4 +#define CONF_DEREF_VAL 5 +#define CONF_REQCERT_VAL 6 #define SUDO_LDAP_CLEAR 0 #define SUDO_LDAP_SSL 1 @@ -85,6 +86,7 @@ struct ldap_config { int debug; int ldap_debug; int tls_checkpeer; + int tls_reqcert; int timelimit; int timeout; int bind_timelimit; -- 2.40.0
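Review bot: The new `int tls_reqcert;` member of `struct ldap_config` carries an in-band sentinel that the header does not state: ldap_conf.c sets it to -1 for "not configured" and otherwise stores an `LDAP_OPT_X_TLS_*` value, mirroring the neighbouring `tls_checkpeer`. A trailing comment, `int tls_reqcert; /* LDAP_OPT_X_TLS_* level, or -1 if unset */`, would record that contract where readers of the struct will see it. `struct ldap_config` itself starts and ends outside the hunk.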