authorEdwin Hoksberg <edwin@edwinhoksberg.nl>2016-02-16 09:39:58 +0100
committerCôme Bernigaud <mcmic@php.net>2016-03-01 04:59:30 +0100
commitba9650667693089f0969c57f14bdfe851ae801ae (patch)
treef9d99b3aff7c1b8864c6724d18ba7b397361fbed
parent9fc0517328a248825703bef90d631ec687fb0d58 (diff)
downloadphp-git-ba9650667693089f0969c57f14bdfe851ae801ae.tar.gz
LDAP - Added support to change the certificates verification
-rw-r--r--ext/ldap/ldap.c16
-rw-r--r--ext/ldap/tests/ldap_option_reqcert_basic.phpt21
-rw-r--r--ext/ldap/tests/ldap_option_reqcert_error.phpt21
-rw-r--r--ext/ldap/tests/ldap_set_option_reqcert_basic.phpt36
-rw-r--r--ext/ldap/tests/ldap_set_option_reqcert_error.phpt17
5 files changed, 111 insertions, 0 deletions
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
index 68e8c95abd..c439c7358d 100644
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -227,6 +227,16 @@ PHP_MINIT_FUNCTION(ldap)
REGISTER_LONG_CONSTANT("GSLC_SSL_TWOWAY_AUTH", GSLC_SSL_TWOWAY_AUTH, CONST_PERSISTENT | CONST_CS);
#endif
+#if (LDAP_API_VERSION > 2000)
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_REQUIRE_CERT", LDAP_OPT_X_TLS_REQUIRE_CERT, CONST_PERSISTENT | CONST_CS);
+
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_NEVER", LDAP_OPT_X_TLS_NEVER, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_HARD", LDAP_OPT_X_TLS_HARD, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_DEMAND", LDAP_OPT_X_TLS_DEMAND, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_ALLOW", LDAP_OPT_X_TLS_ALLOW, CONST_PERSISTENT | CONST_CS);
+ REGISTER_LONG_CONSTANT("LDAP_OPT_X_TLS_TRY", LDAP_OPT_X_TLS_TRY, CONST_PERSISTENT | CONST_CS);
+#endif
+
REGISTER_LONG_CONSTANT("LDAP_ESCAPE_FILTER", PHP_LDAP_ESCAPE_FILTER, CONST_PERSISTENT | CONST_CS);
REGISTER_LONG_CONSTANT("LDAP_ESCAPE_DN", PHP_LDAP_ESCAPE_DN, CONST_PERSISTENT | CONST_CS);
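Review bot: The constants block in PHP_MINIT_FUNCTION is guarded by `#if (LDAP_API_VERSION > 2000)`, while the two switch cases added in ldap_get_option and ldap_set_option use `#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT`. If a client library reports an API version above 2000 without defining these macros, this block would presumably fail to compile. Using the same guard here, `#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT`, keeps the three places in step. A short comment above the value constants would also help callers, for example `/* NEVER and ALLOW accept a server certificate that fails verification; HARD and DEMAND reject it */`.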
@@ -2083,6 +2093,9 @@ PHP_FUNCTION(ldap_get_option)
#ifdef LDAP_OPT_RESTART
case LDAP_OPT_RESTART:
#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ case LDAP_OPT_X_TLS_REQUIRE_CERT:
+#endif
{
int val;
@@ -2213,6 +2226,9 @@ PHP_FUNCTION(ldap_set_option)
#ifdef LDAP_OPT_DEBUG_LEVEL
case LDAP_OPT_DEBUG_LEVEL:
#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ case LDAP_OPT_X_TLS_REQUIRE_CERT:
+#endif
{
int val;
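Review bot: The new `case LDAP_OPT_X_TLS_REQUIRE_CERT:` shares the generic integer branch, so nothing visible in the hunk tells a maintainer that this option controls whether the server certificate is checked. With OpenLDAP, TLS options set on an existing handle may not take effect for that connection; the connection tests in this commit pass `null` as the link, which suggests the global form is the one that is relied on. A comment on the case would record this, for example `/* TLS verification level; presumably only effective when set globally (null link) before connecting - confirm */`. The body of ldap_set_option continues outside the hunk, so how `val` is validated is not visible here.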
diff --git a/ext/ldap/tests/ldap_option_reqcert_basic.phpt b/ext/ldap/tests/ldap_option_reqcert_basic.phpt
new file mode 100644
index 0000000000..009ef83b69
--- /dev/null
+++ b/ext/ldap/tests/ldap_option_reqcert_basic.phpt
@@ -0,0 +1,21 @@
+--TEST--
+ldap_option_reqcert_basic() - Basic test to check if PHP can connect to a LDAP server with an invalid certificate with certificate checking disabled
+--CREDITS--
+Edwin Hoksberg <edwin@edwinhoksberg.nl>
+--SKIPIF--
+<?php require_once dirname(__FILE__) .'/skipif.inc'; ?>
+--FILE--
+<?php
+require "connect.inc";
+
+ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
+
+$link = ldap_connect($host, $port);
+ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
+
+var_dump(@ldap_bind($link, $user, $passwd));
+?>
+===DONE===
+--EXPECT--
+bool(true)
+===DONE===
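Review bot: Nothing in the FILE section visibly starts TLS, so the bind may succeed without any certificate being presented and the `LDAP_OPT_X_TLS_NEVER` setting is never exercised. There is no `ldap_start_tls($link)` call, and whether `$host` is an `ldaps://` URI depends on connect.inc, which is outside the hunk. Adding `var_dump(ldap_start_tls($link));` before the bind, with a matching `bool(true)` in EXPECT, would make the test depend on the option. The `@` on `ldap_bind` also hides the warning that would explain a failure, so it is better dropped in a test.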
diff --git a/ext/ldap/tests/ldap_option_reqcert_error.phpt b/ext/ldap/tests/ldap_option_reqcert_error.phpt
new file mode 100644
index 0000000000..1f5ac42431
--- /dev/null
+++ b/ext/ldap/tests/ldap_option_reqcert_error.phpt
@@ -0,0 +1,21 @@
+--TEST--
+ldap_option_reqcert_error() - A test to check if ldap cant connect to a LDAP server with a invalid certificate with certificate checking enabled
+--CREDITS--
+Edwin Hoksberg <edwin@edwinhoksberg.nl>
+--SKIPIF--
+<?php require_once dirname(__FILE__) .'/skipif.inc'; ?>
+--FILE--
+<?php
+require "connect.inc";
+
+ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);
+
+$link = ldap_connect($host, $port);
+ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, $protocol_version);
+
+var_dump(@ldap_bind($link, $user, $passwd));
+?>
+===DONE===
+--EXPECT--
+bool(true)
+===DONE===
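Review bot: The EXPECT section contradicts the test title: the title says the bind must fail against an invalid certificate with `LDAP_OPT_X_TLS_HARD`, yet the expected output is `bool(true)`. As written, the test passes when verification is not enforced, which is the opposite of what it is meant to prove. If the test server really presents an invalid certificate, the expectation should be `bool(false)`. As in ldap_option_reqcert_basic.phpt, no TLS is visibly negotiated before `ldap_bind`, so a `ldap_start_tls($link)` step is presumably needed for the option to matter at all.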
diff --git a/ext/ldap/tests/ldap_set_option_reqcert_basic.phpt b/ext/ldap/tests/ldap_set_option_reqcert_basic.phpt
new file mode 100644
index 0000000000..e31bf350ad
--- /dev/null
+++ b/ext/ldap/tests/ldap_set_option_reqcert_basic.phpt
@@ -0,0 +1,36 @@
+--TEST--
+ldap_option_reqcert_basic() - Error test for TLS require cert ldap option
+--CREDITS--
+Edwin Hoksberg <edwin@edwinhoksberg.nl>
+--FILE--
+<?php
+require "connect.inc";
+$link = ldap_connect($host, $port);
+
+foreach([
+ LDAP_OPT_X_TLS_NEVER,
+ LDAP_OPT_X_TLS_HARD,
+ LDAP_OPT_X_TLS_DEMAND,
+ LDAP_OPT_X_TLS_ALLOW,
+ LDAP_OPT_X_TLS_TRY,
+] as $option) {
+ $result = ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, $option);
+ var_dump($result);
+
+ ldap_get_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, $optionval);
+ var_dump($optionval);
+}
+?>
+===DONE===
+--EXPECT--
+bool(true)
+int(0)
+bool(true)
+int(1)
+bool(true)
+int(2)
+bool(true)
+int(3)
+bool(true)
+int(4)
+===DONE===
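Review bot: This test has no `--SKIPIF--` section although it uses constants that ldap.c registers only under `#if (LDAP_API_VERSION > 2000)`, so on a build without them it would fail instead of being skipped. A section such as `<?php require_once dirname(__FILE__) .'/skipif.inc'; if (!defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) die('skip no TLS require-cert option'); ?>` would cover both cases. The title line is copied from another test (`ldap_option_reqcert_basic() - Error test ...`) although this is the basic set/get test, and ldap_set_option_reqcert_error.phpt carries the same title. The expected `int(0)` to `int(4)` hard-code the library's numeric values; dumping `$optionval === $option` would be independent of them.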
diff --git a/ext/ldap/tests/ldap_set_option_reqcert_error.phpt b/ext/ldap/tests/ldap_set_option_reqcert_error.phpt
new file mode 100644
index 0000000000..1a7796b760
--- /dev/null
+++ b/ext/ldap/tests/ldap_set_option_reqcert_error.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ldap_option_reqcert_basic() - Error test for TLS require cert ldap option
+--CREDITS--
+Edwin Hoksberg <edwin@edwinhoksberg.nl>
+--SKIPIF--
+<?php require_once dirname(__FILE__) .'/skipif.inc'; ?>
+--FILE--
+<?php
+require "connect.inc";
+$link = ldap_connect($host, $port);
+$result = ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, 9001);
+var_dump($result);
+?>
+===DONE===
+--EXPECT--
+bool(false)
+===DONE===
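Review bot: The test checks that `ldap_set_option` returns false for `9001`, but it does not check that the rejected call left the previous verification level in place. For a security setting that is the property worth pinning. Setting a known value first with `ldap_set_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_HARD);` and reading it back after the failed call with `ldap_get_option($link, LDAP_OPT_X_TLS_REQUIRE_CERT, $val); var_dump($val === LDAP_OPT_X_TLS_HARD);` would show that an invalid value cannot silently change the level.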