enum {
BDB_CHKPT = 1,
BDB_CONFIG,
+ BDB_CRYPTFILE,
+ BDB_CRYPTKEY,
BDB_DIRECTORY,
BDB_NOSYNC,
BDB_DIRTYR,
bdb_cf_gen, "( OLcfgDbAt:1.2 NAME 'olcDbCheckpoint' "
"DESC 'Database checkpoint interval in kbytes and minutes' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )",NULL, NULL },
+ { "cryptfile", "file", 2, 2, 0, ARG_STRING|ARG_MAGIC|BDB_CRYPTFILE,
+ bdb_cf_gen, "( OLcfgDbAt:1.13 NAME 'olcDbCryptFile' "
+ "DESC 'Pathname of file containing the DB encryption key' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )",NULL, NULL },
+ { "cryptkey", "key", 2, 2, 0, ARG_BERVAL|ARG_MAGIC|BDB_CRYPTKEY,
+ bdb_cf_gen, "( OLcfgDbAt:1.14 NAME 'olcDbCryptKey' "
+ "DESC 'DB encryption key' "
+ "SYNTAX OMsOctetString SINGLE-VALUE )",NULL, NULL },
{ "dbconfig", "DB_CONFIG setting", 1, 0, 0, ARG_MAGIC|BDB_CONFIG,
bdb_cf_gen, "( OLcfgDbAt:1.3 NAME 'olcDbConfig' "
"DESC 'BerkeleyDB DB_CONFIG configuration directives' "
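Review bot: The `cryptkey` table entry (L16-L19) makes the raw encryption key an OctetString attribute of the database's config entry, so the key lives wherever that entry is readable or persisted, while `cryptfile` (L12-L15) stores only a path; nothing in the hunk records that trade-off for the next maintainer. I would add a comment above the `cryptkey` row: `/* Holds the raw key in the config entry itself; cryptfile keeps only a pathname and is preferable where the config entry may be read or persisted. */`. The DESC strings are unchanged by this suggestion.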
"SUP olcDatabaseConfig "
"MUST olcDbDirectory "
"MAY ( olcDbCacheSize $ olcDbCheckpoint $ olcDbConfig $ "
+ "olcDbCryptFile $ olcDbCryptKey $ "
"olcDbNoSync $ olcDbDirtyRead $ olcDbIDLcacheSize $ "
"olcDbIndex $ olcDbLinearIndex $ olcDbLockDetect $ "
"olcDbMode $ olcDbSearchStack $ olcDbShmKey $ "
}
break;
+ case BDB_CRYPTFILE:
+ if ( bdb->bi_db_crypt_file ) {
+ c->value_string = ch_strdup( bdb->bi_db_crypt_file );
+ } else {
+ rc = 1;
+ }
+ break;
+
+ /* If a crypt file has been set, its contents are copied here.
+ * But we don't want the key to be incorporated here.
+ */
+ case BDB_CRYPTKEY:
+ if ( !bdb->bi_db_crypt_file && !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+ value_add_one( &c->rvalue_vals, &bdb->bi_db_crypt_key );
+ } else {
+ rc = 1;
+ }
+ break;
+
case BDB_DIRECTORY:
if ( bdb->bi_dbenv_home ) {
c->value_string = ch_strdup( bdb->bi_dbenv_home );
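Review bot: The comment at L40-L42 does not say what the guard at L44 actually enforces, and "its contents are copied here" reads as if the file contents land in the config entry. I would replace it with `/* A key loaded from cryptfile also sits in bi_db_crypt_key, but must not be exported into the config entry; only a key that was set directly via cryptkey is returned here. */`. The enclosing switch starts and continues outside this hunk.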
bdb->bi_flags |= BDB_UPD_CONFIG;
c->cleanup = bdb_cf_cleanup;
break;
+ /* Doesn't really make sense to change these on the fly;
+ * the entire DB must be dumped and reloaded
+ */
+ case BDB_CRYPTFILE:
+ if ( bdb->bi_db_crypt_file ) {
+ ch_free( bdb->bi_db_crypt_file );
+ bdb->bi_db_crypt_file = NULL;
+ }
+ /* FALLTHRU */
+ case BDB_CRYPTKEY:
+ if ( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+ ch_free( bdb->bi_db_crypt_key.bv_val );
+ BER_BVZERO( &bdb->bi_db_crypt_key );
+ }
+ break;
case BDB_DIRECTORY:
bdb->bi_flags |= BDB_RE_OPEN;
bdb->bi_flags ^= BDB_HAS_CONFIG;
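Review bot: `ch_free( bdb->bi_db_crypt_key.bv_val );` at L68 releases the key bytes without clearing them, so the key material can survive in freed heap memory and in any core dump taken afterwards. I would clear it first, `memset( bdb->bi_db_crypt_key.bv_val, 0, bdb->bi_db_crypt_key.bv_len );`, bearing in mind that a plain memset immediately before free may be elided by the optimizer, so a volatile-safe clearing helper is preferable if one is available in lutil. The same applies wherever the key is replaced rather than deleted, i.e. the `set` handler in the L75-L95 hunk. The enclosing switch starts and continues outside this hunk.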
}
break;
+ case BDB_CRYPTFILE:
+ rc = lutil_get_filed_password( c->value_string, &bdb->bi_db_crypt_key );
+ if ( rc == 0 ) {
+ bdb->bi_db_crypt_file = c->value_string;
+ }
+ break;
+
+ /* Cannot set key if file was already set */
+ case BDB_CRYPTKEY:
+ if ( bdb->bi_db_crypt_file ) {
+ rc = 1;
+ } else {
+ bdb->bi_db_crypt_key = c->value_bv;
+ }
+ break;
+
case BDB_DIRECTORY: {
FILE *f;
char *ptr, *testpath;
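Review bot: The `BDB_CRYPTFILE` set case (L78-L80) does not check for an already-configured key or file, so a second `cryptfile` directive, or `cryptfile` after `cryptkey`, silently overwrites `bi_db_crypt_key` and `bi_db_crypt_file` without freeing the old values, while the reverse order is rejected at L86-L87. Mirroring that guard before the `lutil_get_filed_password` call, `if ( bdb->bi_db_crypt_file || !BER_BVISNULL( &bdb->bi_db_crypt_key )) { rc = 1; break; }`, makes the two directives symmetric; if the cn=config framework always runs the delete handler before a replace this only matters for slapd.conf parsing, but that is not visible here. Unlike `BDB_DIRECTORY` (L73 sets `BDB_RE_OPEN`), neither case marks the change as requiring the environment to be reopened, so if a key can be added to a running database the later `set_flags(DB_ENCRYPT)` calls would presumably request encryption on an environment opened without `set_encrypt`; either set `BDB_RE_OPEN` here or reject the change when the environment is open. The enclosing switch continues outside this hunk.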
"bdb_db_cache: db_create(%s) failed: %s (%d)\n",
bdb->bi_dbenv_home, db_strerror(rc), rc );
ldap_pvt_thread_mutex_unlock( &bdb->bi_database_mutex );
+ ch_free( db );
return rc;
}
+ if( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+ rc = db->bdi_db->set_flags( db->bdi_db, DB_ENCRYPT );
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ "bdb_db_cache: db set_flags(DB_ENCRYPT)(%s) failed: %s (%d)\n",
+ bdb->bi_dbenv_home, db_strerror(rc), rc );
+ ldap_pvt_thread_mutex_unlock( &bdb->bi_database_mutex );
+ db->bdi_db->close( db->bdi_db, 0 );
+ ch_free( db );
+ return rc;
+ }
+ }
+
rc = db->bdi_db->set_pagesize( db->bdi_db, BDB_PAGESIZE );
#ifdef BDB_INDEX_USE_HASH
rc = db->bdi_db->set_h_hash( db->bdi_db, bdb_db_hash );
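Review bot: The `DB_ENCRYPT` block at L102-L113 is repeated almost verbatim at L135-L147 in bdb_db_open with a different error-reporting path, which is the kind of duplication that drifts when the encryption handling changes. A two-line `static int` helper that returns `0` when `bdb->bi_db_crypt_key` is null and otherwise the result of `set_flags( db, DB_ENCRYPT )` would let each caller keep its own reporting and cleanup while sharing the decision. Both sites key off `bi_db_crypt_key` rather than off whether the environment was actually opened with `set_encrypt` (L119-L129); that is consistent as long as the key cannot change while the environment is open. The added `ch_free( db );` at L99 closes a pre-existing leak on the `db_create` failure path and is a welcome fix; bdb_db_cache continues outside this hunk.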
bdb->bi_dbenv->set_lk_detect( bdb->bi_dbenv, bdb->bi_lock_detect );
+ if ( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+ rc = bdb->bi_dbenv->set_encrypt( bdb->bi_dbenv, bdb->bi_db_crypt_key.bv_val,
+ DB_ENCRYPT_AES );
+ if ( rc ) {
+ Debug( LDAP_DEBUG_ANY,
+ LDAP_XSTRING(bdb_db_open) ": database \"%s\": "
+ "dbenv set_encrypt failed: %s (%d).\n",
+ be->be_suffix[0].bv_val, db_strerror(rc), rc );
+ goto fail;
+ }
+ }
+
/* One long-lived TXN per thread, two TXNs per write op */
bdb->bi_dbenv->set_tx_max( bdb->bi_dbenv, connection_pool_max * 3 );
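Review bot: `set_encrypt` at L120-L121 receives `bi_db_crypt_key.bv_val` as a C string, so the library will read it up to the first NUL: a key containing an embedded NUL byte, which an OctetString `olcDbCryptKey` value permits, is silently truncated, and a `bv_val` that is not NUL-terminated would be overread. Assuming the config framework NUL-terminates `c->value_bv` (as `ber_dupbv` does), the embedded-NUL case is best rejected where the key is accepted, in the `BDB_CRYPTKEY` set case of the L75-L95 hunk, with `if ( strlen( c->value_bv.bv_val ) != c->value_bv.bv_len ) rc = 1;`, and worth a comment here: `/* BDB takes the key as a NUL-terminated passphrase, not a length-delimited blob. */`. The `fail` label and the rest of bdb_db_open are outside this hunk.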
goto fail;
}
+ if( !BER_BVISNULL( &bdb->bi_db_crypt_key )) {
+ rc = db->bdi_db->set_flags( db->bdi_db, DB_ENCRYPT );
+ if ( rc ) {
+ snprintf(cr->msg, sizeof(cr->msg),
+ "database \"%s\": db set_flags(DB_ENCRYPT)(%s) failed: %s (%d).",
+ be->be_suffix[0].bv_val,
+ bdb->bi_dbenv_home, db_strerror(rc), rc );
+ Debug( LDAP_DEBUG_ANY,
+ LDAP_XSTRING(bdb_db_open) ": %s\n",
+ cr->msg, 0, 0 );
+ goto fail;
+ }
+ }
+
if( i == BDB_ID2ENTRY ) {
if ( slapMode & SLAP_TOOL_MODE )
db->bdi_db->mpf->set_priority( db->bdi_db->mpf,