ITS#9367 back-mdb: add encryption support

Enabled if MDB_ENCRYPT is defined, which is currently only in mdb.master3.
2025-12-20 22:59:34 -05:00 · 2024-09-25 20:08:10 +01:00 · 2024-09-25 20:08:10 +01:00 · b8f32ec2fc
commit b8f32ec2fc
parent d1ca167137
3 changed files with 110 additions and 6 deletions
--- a/servers/slapd/back-mdb/back-mdb.h
+++ b/servers/slapd/back-mdb/back-mdb.h
@ -72,6 +72,13 @@ struct mdb_info {
 	unsigned	mi_dbenv_flags;
 	int			mi_dbenv_mode;

+#ifdef MDB_ENCRYPT
+	char		*mi_dbenv_crypto;
+	char		*mi_dbenv_enckey;
+	void		*mi_dbenv_encmodule;
+	void		*mi_dbenv_encfuncs;
+#endif	/* MDB_ENCRYPT */
+
 	size_t		mi_mapsize;
 	ID			mi_nextid;
 	size_t		mi_maxentrysize;
--- a/servers/slapd/back-mdb/config.c
+++ b/servers/slapd/back-mdb/config.c
@ -29,7 +29,6 @@
 #include "lutil.h"
 #include "ldap_rq.h"

-
 static ConfigDriver mdb_cf_gen;
 static ConfigDriver mdb_bk_cfg;

@ -45,6 +44,10 @@ enum {
 	MDB_SSTACK,
 	MDB_MULTIVAL,
 	MDB_IDLEXP,
+#ifdef MDB_ENCRYPT
+	MDB_CRYPTO,
+	MDB_ENCKEY,
+#endif
 };

 static ConfigTable mdbcfg[] = {
@ -117,6 +120,18 @@ static ConfigTable mdbcfg[] = {
 		"DESC 'Depth of search stack in IDLs' "
 		"EQUALITY integerMatch "
 		"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
+#ifdef MDB_ENCRYPT
+	{ "crypto", "module", 2, 2, 0, ARG_STRING|ARG_MAGIC|MDB_CRYPTO,
+		mdb_cf_gen, "( OLcfgDbAt:12.7 NAME 'olcDbCryptoModule' "
+			"DESC 'Encryption module to load' "
+			"EQUALITY caseExactMatch "
+			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+	{ "passphrase", "pass", 2, 2, 0, ARG_STRING|ARG_MAGIC|MDB_ENCKEY,
+		mdb_cf_gen, "( OLcfgDbAt:12.8 NAME 'olcDbPassphrase' "
+			"DESC 'Encryption passphrase' "
+			"EQUALITY caseExactMatch "
+			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+#endif
 	{ NULL, NULL, 0, 0, 0, ARG_IGNORED,
 		NULL, NULL, NULL, NULL }
 };
@ -135,10 +150,14 @@ static ConfigOCs mdbocs[] = {
 		"DESC 'MDB database configuration' "
 		"SUP olcDatabaseConfig "
 		"MUST olcDbDirectory "
-		"MAY ( olcDbCheckpoint $ olcDbEnvFlags $ "
-		"olcDbNoSync $ olcDbIndex $ olcDbMaxReaders $ olcDbMaxSize $ "
-		"olcDbMode $ olcDbSearchStack $ olcDbMaxEntrySize $ olcDbRtxnSize $ "
-		"olcDbMultival ) )",
+		"MAY ( olcDbCheckpoint $ olcDbEnvFlags "
+		"$ olcDbNoSync $ olcDbIndex $ olcDbMaxReaders $ olcDbMaxSize "
+		"$ olcDbMode $ olcDbSearchStack $ olcDbMaxEntrySize $ olcDbRtxnSize "
+		"$ olcDbMultival "
+#ifdef MDB_ENCRYPT
+		"$ olcDbCryptoModule $ olcDbPassphrase "
+#endif
+		") )",
 			Cft_Database, mdbcfg+1 },
 	{ NULL, 0, NULL }
 };
@ -484,8 +503,10 @@ mdb_cf_cleanup( ConfigArgs *c )
 	}

 	if ( mdb->mi_flags & MDB_RE_OPEN ) {
+		void *key = mdb->mi_dbenv;
 		mdb->mi_flags ^= MDB_RE_OPEN;
 		rc = c->be->bd_info->bi_db_close( c->be, &c->reply );
+		ldap_pvt_thread_pool_purgekey( key );
 		if ( rc == 0 )
 			rc = c->be->bd_info->bi_db_open( c->be, &c->reply );
 		/* If this fails, we need to restart */
@ -555,6 +576,24 @@ mdb_cf_gen( ConfigArgs *c )
 			}
 			break;

+#ifdef MDB_ENCRYPT
+		case MDB_CRYPTO:
+			if ( mdb->mi_dbenv_crypto ) {
+				c->value_string = ch_strdup( mdb->mi_dbenv_crypto );
+			} else {
+				rc = 1;
+			}
+			break;
+
+		case MDB_ENCKEY:
+			if ( mdb->mi_dbenv_enckey ) {
+				c->value_string = ch_strdup( mdb->mi_dbenv_enckey );
+			} else {
+				rc = 1;
+			}
+			break;
+#endif /* MDB_ENCRYPT */
+
 		case MDB_DBNOSYNC:
 			if ( mdb->mi_dbenv_flags & MDB_NOSYNC )
 				c->value_int = 1;
@ -624,8 +663,22 @@ mdb_cf_gen( ConfigArgs *c )
 			ch_free( mdb->mi_dbenv_home );
 			mdb->mi_dbenv_home = NULL;
 			config_push_cleanup( c, mdb_cf_cleanup );
-			ldap_pvt_thread_pool_purgekey( mdb->mi_dbenv );
 			break;
+#ifdef MDB_ENCRYPT
+		case MDB_CRYPTO:
+			mdb->mi_flags |= MDB_RE_OPEN;
+			ch_free( mdb->mi_dbenv_crypto );
+			mdb->mi_dbenv_crypto = NULL;
+			config_push_cleanup( c, mdb_cf_cleanup );
+			break;
+		case MDB_ENCKEY:
+			mdb->mi_flags |= MDB_RE_OPEN;
+			ch_free( mdb->mi_dbenv_enckey );
+			mdb->mi_dbenv_enckey = NULL;
+			config_push_cleanup( c, mdb_cf_cleanup );
+			break;
+#endif /* MDB_ENCRYPT */
+
 		case MDB_DBNOSYNC:
 			mdb_env_set_flags( mdb->mi_dbenv, MDB_NOSYNC, 0 );
 			mdb->mi_dbenv_flags &= ~MDB_NOSYNC;
@ -893,6 +946,37 @@ mdb_cf_gen( ConfigArgs *c )
 		}
 		break;

+#ifdef MDB_ENCRYPT
+	case MDB_CRYPTO:
+		if ( mdb->mi_dbenv_crypto ) {
+			ch_free( mdb->mi_dbenv_crypto );
+			mdb->mi_dbenv_crypto = NULL;
+		}
+		if ( mdb->mi_dbenv_encmodule )
+			mdb_modunload( mdb->mi_dbenv_encmodule );
+		{
+			char *errmsg = NULL;
+			MDB_crypto_funcs *mcf = NULL;
+
+			mdb->mi_dbenv_encmodule = mdb_modload( c->value_string, NULL, &mcf, &errmsg );
+			if ( !mdb->mi_dbenv_encmodule ) {
+				snprintf( c->cr_msg, sizeof( c->cr_msg ), "%s: couldn't load crypto module: %s",
+					c->log, errmsg );
+				Debug( LDAP_DEBUG_ANY, "%s\n", c->cr_msg );
+				return -1;
+			}
+			mdb->mi_dbenv_encfuncs = mcf;
+		}
+		mdb->mi_dbenv_crypto = c->value_string;
+		break;
+
+	case MDB_ENCKEY:
+		if ( mdb->mi_dbenv_enckey )
+			ch_free( mdb->mi_dbenv_enckey );
+		mdb->mi_dbenv_enckey = c->value_string;
+		break;
+#endif /* MDB_ENCRYPT */
+
 	case MDB_DBNOSYNC:
 		if ( c->value_int )
 			mdb->mi_dbenv_flags |= MDB_NOSYNC;
--- a/servers/slapd/back-mdb/init.c
+++ b/servers/slapd/back-mdb/init.c
@ -126,6 +126,12 @@ mdb_db_open( BackendDB *be, ConfigReply *cr )
 		goto fail;
 	}

+#ifdef MDB_ENCRYPT
+	if ( mdb->mi_dbenv_encfuncs ) {
+		mdb_modsetup( mdb->mi_dbenv, mdb->mi_dbenv_encfuncs, mdb->mi_dbenv_enckey );
+	}
+#endif
+
 	if ( mdb->mi_readers ) {
 		rc = mdb_env_set_maxreaders( mdb->mi_dbenv, mdb->mi_readers );
 		if( rc != 0 ) {
@ -371,6 +377,13 @@ mdb_db_close( BackendDB *be, ConfigReply *cr )

 		mdb_env_close( mdb->mi_dbenv );
 		mdb->mi_dbenv = NULL;
+#ifdef MDB_ENCRYPT
+		if ( mdb->mi_dbenv_encmodule ) {
+			mdb_modunload( mdb->mi_dbenv_encmodule );
+			mdb->mi_dbenv_encmodule = NULL;
+			mdb->mi_dbenv_encfuncs = NULL;
+		}
+#endif
 	}

 	return 0;