1 files changed, 254 insertions, 0 deletions
diff --git a/include/apr_ldap_option.h b/include/apr_ldap_option.h
new file mode 100644
index 0000000..0ff8a86
--- /dev/null
+++ b/include/apr_ldap_option.h
@@ -0,0 +1,254 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file apr_ldap_option.h
+ * @brief  APR-UTIL LDAP ldap_*_option() functions
+ */
+#ifndef APR_LDAP_OPTION_H
+#define APR_LDAP_OPTION_H
+
+/**
+ * @addtogroup APR_Util_LDAP
+ * @{
+ */
+
+#include "apr_ldap.h"
+
+#if APR_HAS_LDAP
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/*
+ * The following defines handle the different TLS certificate
+ * options available. If these options are missing, APR will try and
+ * emulate support for this using the deprecated ldap_start_tls_s()
+ * function.
+ */
+/**
+ * Set SSL mode to one of APR_LDAP_NONE, APR_LDAP_SSL, APR_LDAP_STARTTLS
+ * or APR_LDAP_STOPTLS.
+ */
+#define APR_LDAP_OPT_TLS 0x6fff
+/**
+ * Set zero or more CA certificates, client certificates or private
+ * keys globally, or per connection (where supported).
+ */
+#define APR_LDAP_OPT_TLS_CERT 0x6ffe
+/**
+ * Set the LDAP library to no verify the server certificate.  This means
+ * all servers are considered trusted.
+ */
+#define APR_LDAP_OPT_VERIFY_CERT 0x6ffd
+/**
+ * Set the LDAP library to indicate if referrals should be chased during
+ * LDAP searches.
+ */
+#define APR_LDAP_OPT_REFERRALS 0x6ffc
+/**
+ * Set the LDAP library to indicate a maximum number of referral hops to
+ * chase before giving up on the search.
+ */
+#define APR_LDAP_OPT_REFHOPLIMIT 0x6ffb
+
+/**
+ * Structures for the apr_set_option() cases
+ */
+
+/**
+ * APR_LDAP_OPT_TLS_CERT
+ *
+ * This structure includes possible options to set certificates on
+ * system initialisation. Different SDKs have different certificate
+ * requirements, and to achieve this multiple certificates must be
+ * specified at once passed as an (apr_array_header_t *).
+ *
+ * Netscape:
+ * Needs the CA cert database (cert7.db), the client cert database (key3.db)
+ * and the security module file (secmod.db) set at the system initialisation
+ * time. Three types are supported: APR_LDAP_CERT7_DB, APR_LDAP_KEY3_DB and
+ * APR_LDAP_SECMOD.
+ *
+ * To specify a client cert connection, a certificate nickname needs to be
+ * provided with a type of APR_LDAP_CERT.
+ * int ldapssl_enable_clientauth( LDAP *ld, char *keynickname,
+ * char *keypasswd, char *certnickname );
+ * keynickname is currently not used, and should be set to ""
+ *
+ * Novell:
+ * Needs CA certificates and client certificates set at system initialisation
+ * time. Three types are supported: APR_LDAP_CA*, APR_LDAP_CERT* and
+ * APR_LDAP_KEY*.
+ *
+ * Certificates cannot be specified per connection.
+ *
+ * The functions used are:
+ * ldapssl_add_trusted_cert(serverTrustedRoot, serverTrustedRootEncoding);
+ * Clients certs and keys are set at system initialisation time with
+ * int ldapssl_set_client_cert (
+ *  void   *cert,
+ *  int     type
+ *  void   *password); 
+ * type can be LDAPSSL_CERT_FILETYPE_B64 or LDAPSSL_CERT_FILETYPE_DER
+ *  ldapssl_set_client_private_key(clientPrivateKey,
+ *                                 clientPrivateKeyEncoding,
+ *                                 clientPrivateKeyPassword);
+ *
+ * OpenSSL:
+ * Needs one or more CA certificates to be set at system initialisation time
+ * with a type of APR_LDAP_CA*.
+ *
+ * May have one or more client certificates set per connection with a type of
+ * APR_LDAP_CERT*, and keys with APR_LDAP_KEY*.
+ */
+/** CA certificate type unknown */
+#define APR_LDAP_CA_TYPE_UNKNOWN    0
+/** binary DER encoded CA certificate */
+#define APR_LDAP_CA_TYPE_DER        1
+/** PEM encoded CA certificate */
+#define APR_LDAP_CA_TYPE_BASE64     2
+/** Netscape/Mozilla cert7.db CA certificate database */
+#define APR_LDAP_CA_TYPE_CERT7_DB   3
+/** Netscape/Mozilla secmod file */
+#define APR_LDAP_CA_TYPE_SECMOD     4
+/** Client certificate type unknown */
+#define APR_LDAP_CERT_TYPE_UNKNOWN  5
+/** binary DER encoded client certificate */
+#define APR_LDAP_CERT_TYPE_DER      6
+/** PEM encoded client certificate */
+#define APR_LDAP_CERT_TYPE_BASE64   7
+/** Netscape/Mozilla key3.db client certificate database */
+#define APR_LDAP_CERT_TYPE_KEY3_DB  8
+/** Netscape/Mozilla client certificate nickname */
+#define APR_LDAP_CERT_TYPE_NICKNAME 9
+/** Private key type unknown */
+#define APR_LDAP_KEY_TYPE_UNKNOWN   10
+/** binary DER encoded private key */
+#define APR_LDAP_KEY_TYPE_DER       11
+/** PEM encoded private key */
+#define APR_LDAP_KEY_TYPE_BASE64    12
+/** PKCS#12 encoded client certificate */
+#define APR_LDAP_CERT_TYPE_PFX      13
+/** PKCS#12 encoded private key */
+#define APR_LDAP_KEY_TYPE_PFX       14
+/** Openldap directory full of base64-encoded cert 
+ * authorities with hashes in corresponding .0 directory
+ */
+#define APR_LDAP_CA_TYPE_CACERTDIR_BASE64 15
+
+
+/**
+ * Certificate structure.
+ *
+ * This structure is used to store certificate details. An array of
+ * these structures is passed to apr_ldap_set_option() to set CA
+ * and client certificates.
+ * @param type Type of certificate APR_LDAP_*_TYPE_*
+ * @param path Path, file or nickname of the certificate
+ * @param password Optional password, can be NULL
+ */
+typedef struct apr_ldap_opt_tls_cert_t apr_ldap_opt_tls_cert_t;
+struct apr_ldap_opt_tls_cert_t {
+    int type;
+    const char *path;
+    const char *password;
+};
+
+/**
+ * APR_LDAP_OPT_TLS
+ *
+ * This sets the SSL level on the LDAP handle.
+ *
+ * Netscape/Mozilla:
+ * Supports SSL, but not STARTTLS
+ * SSL is enabled by calling ldapssl_install_routines().
+ *
+ * Novell:
+ * Supports SSL and STARTTLS.
+ * SSL is enabled by calling ldapssl_install_routines(). Note that calling
+ * other ldap functions before ldapssl_install_routines() may cause this
+ * function to fail.
+ * STARTTLS is enabled by calling ldapssl_start_tls_s() after calling
+ * ldapssl_install_routines() (check this).
+ *
+ * OpenLDAP:
+ * Supports SSL and supports STARTTLS, but none of this is documented:
+ * http://www.openldap.org/lists/openldap-software/200409/msg00618.html
+ * Documentation for both SSL support and STARTTLS has been deleted from
+ * the OpenLDAP documentation and website.
+ */
+
+/** No encryption */
+#define APR_LDAP_NONE 0
+/** SSL encryption (ldaps://) */
+#define APR_LDAP_SSL 1
+/** TLS encryption (STARTTLS) */
+#define APR_LDAP_STARTTLS 2
+/** end TLS encryption (STOPTLS) */
+#define APR_LDAP_STOPTLS 3
+
+/**
+ * APR LDAP get option function
+ *
+ * This function gets option values from a given LDAP session if
+ * one was specified. It maps to the native ldap_get_option() function.
+ * @param pool The pool to use
+ * @param ldap The LDAP handle
+ * @param option The LDAP_OPT_* option to return
+ * @param outvalue The value returned (if any)
+ * @param result_err The apr_ldap_err_t structure contained detailed results
+ *        of the operation.
+ */
+APU_DECLARE_LDAP(int) apr_ldap_get_option(apr_pool_t *pool,
+                                          LDAP *ldap,
+                                          int option,
+                                          void *outvalue,
+                                          apr_ldap_err_t **result_err);
+
+/**
+ * APR LDAP set option function
+ * 
+ * This function sets option values to a given LDAP session if
+ * one was specified. It maps to the native ldap_set_option() function.
+ * 
+ * Where an option is not supported by an LDAP toolkit, this function
+ * will try and apply legacy functions to achieve the same effect,
+ * depending on the platform.
+ * @param pool The pool to use
+ * @param ldap The LDAP handle
+ * @param option The LDAP_OPT_* option to set
+ * @param invalue The value to set
+ * @param result_err The apr_ldap_err_t structure contained detailed results
+ *        of the operation.
+ */
+APU_DECLARE_LDAP(int) apr_ldap_set_option(apr_pool_t *pool,
+                                          LDAP *ldap,
+                                          int option,
+                                          const void *invalue,
+                                          apr_ldap_err_t **result_err);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* APR_HAS_LDAP */
+
+/** @} */
+
+#endif /* APR_LDAP_OPTION_H */
+