- Added autoconf test for CRL capable OpenSSL Version
- #ifdef'd CRL checking code.
This commit is contained in:
parent
ab12babf06
commit
93cec8b694
@ -1327,3 +1327,18 @@ AC_DEFUN(OL_MSGHDR_MSG_ACCRIGHTS,
|
||||
[define if struct msghdr has msg_accrights])
|
||||
fi
|
||||
])dnl
|
||||
AC_DEFUN([OL_SSL_COMPAT],
|
||||
[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)], [ol_cv_ssl_crl_compat],[
|
||||
AC_EGREP_CPP(__ssl_compat,[
|
||||
#ifdef HAVE_OPENSSL_SSL_H
|
||||
#include <openssl/ssl.h>
|
||||
#else
|
||||
#include <ssl.h>
|
||||
#endif
|
||||
|
||||
/* Require 0.9.7d+ */
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
|
||||
char *__ssl_compat = "0.9.7d";
|
||||
#endif
|
||||
], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
|
||||
])
|
||||
|
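Review bot: The threshold in `#if OPENSSL_VERSION_NUMBER >= 0x0090704fL` is documented only as `/* Require 0.9.7d+ */`, which records the what but not the why, so whoever bumps it later has nothing to go on. Suggest expanding it to `/* 0x0090704fL == 0.9.7d release (MMNNFFPPS); earliest OpenSSL whose CRL checking (X509_V_FLAG_CRL_CHECK) libldap relies on */`, adjusting the reason if the real motivation differs. Note also that `AC_EGREP_CPP` probes the headers only, so the result is a compile-time decision that cannot detect a runtime libssl older than the headers the build saw; the name `OL_SSL_COMPAT` slightly overstates what is being checked.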
@ -1258,6 +1258,13 @@ if test $ol_with_tls != no ; then
|
||||
TLS_LIBS="-lssl -lcrypto"
|
||||
fi
|
||||
fi
|
||||
OL_SSL_COMPAT
|
||||
if test $ol_cv_ssl_crl_compat = no ; then
|
||||
ol_link_ssl=no
|
||||
else
|
||||
AC_DEFINE(HAVE_OPENSSL_CRL, 1,
|
||||
[define if you have OpenSSL with CRL checking capability])
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
|
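Review bot: When `ol_cv_ssl_crl_compat` is `no`, the new block sets `ol_link_ssl=no` with no diagnostic, so a build against an OpenSSL older than 0.9.7d loses TLS support entirely and silently, rather than merely losing CRL checking as the commit message and the `#ifdef HAVE_OPENSSL_CRL` guards in the C hunks suggest. If dropping TLS is intended, say so loudly, e.g. `AC_MSG_WARN([OpenSSL older than 0.9.7d lacks CRL checking; TLS support disabled])` before `ol_link_ssl=no`; if it is not intended, the `ol_link_ssl=no` line should go and only the `else` branch defining `HAVE_OPENSSL_CRL` remain. The enclosing `if` starts and ends outside the hunk, so whether the value of `ol_link_ssl` is reported to the user later cannot be confirmed here.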
@ -476,6 +476,9 @@
|
||||
/* Define if you have the <openssl/bn.h> header file. */
|
||||
#undef HAVE_OPENSSL_BN_H
|
||||
|
||||
/* Define if you have OpenSSL with CRL checking capability. */
|
||||
#undef HAVE_OPENSSL_CRL
|
||||
|
||||
/* Define if you have the <openssl/crypto.h> header file. */
|
||||
#undef HAVE_OPENSSL_CRYPTO_H
|
||||
|
||||
|
@ -98,7 +98,11 @@ static const struct ol_attribute {
|
||||
{0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
|
||||
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
|
||||
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
|
||||
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
||||
{0, ATTR_NONE, NULL, NULL, 0}
|
||||
|
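Review bot: Wrapping the `{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK}` entry in `#ifdef HAVE_OPENSSL_CRL` means a client configuration that asks for CRL checking on a build without it is no longer recognised as a TLS attribute at all; whether that surfaces as an error or is skipped depends on the unknown-attribute path, which is outside the hunk. A requested-but-unavailable revocation check should fail loudly rather than degrade to no checking, so consider keeping the entry unconditional and having the `LDAP_OPT_X_TLS_CRLCHECK` handler return an error when `HAVE_OPENSSL_CRL` is undefined. The same concern applies to the `TLSCRLCheck` branch added to the slapd config parser in the last hunk, which likewise disappears from the directive chain.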
@ -53,7 +53,9 @@ static char *tls_opt_keyfile = NULL;
|
||||
static char *tls_opt_cacertfile = NULL;
|
||||
static char *tls_opt_cacertdir = NULL;
|
||||
static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
static int tls_opt_crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
|
||||
#endif
|
||||
static char *tls_opt_ciphersuite = NULL;
|
||||
static char *tls_opt_randfile = NULL;
|
||||
|
||||
@ -332,6 +334,7 @@ ldap_pvt_tls_init_def_ctx( void )
|
||||
tls_verify_ok : tls_verify_cb );
|
||||
SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb );
|
||||
/* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
if ( tls_opt_crlcheck ) {
|
||||
X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx );
|
||||
if ( tls_opt_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
|
||||
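Review bot: `if ( tls_opt_crlcheck ) {` relies on `LDAP_OPT_X_TLS_CRL_NONE` being zero, since that is the value `tls_opt_crlcheck` is initialised with in the earlier hunk, but nothing here states it. Comparing explicitly, `if ( tls_opt_crlcheck != LDAP_OPT_X_TLS_CRL_NONE ) {`, documents the intent and survives any renumbering of those constants. `ldap_pvt_tls_init_def_ctx` begins before this hunk and ends after it; the `X509_STORE *x509_s` returned by `SSL_CTX_get_cert_store` is used in the continuation without a NULL check, which is presumably fine for a context that was just created but deserves a one-line comment saying so.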
@ -341,6 +344,7 @@ ldap_pvt_tls_init_def_ctx( void )
|
||||
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
error_exit:
|
||||
if ( rc == -1 && tls_def_ctx != NULL ) {
|
||||
@ -1105,6 +1109,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
|
||||
return ldap_pvt_tls_set_option( ld, option, &i );
|
||||
}
|
||||
return -1;
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
case LDAP_OPT_X_TLS_CRLCHECK:
|
||||
i = -1;
|
||||
if ( strcasecmp( arg, "none" ) == 0 ) {
|
||||
@ -1118,6 +1123,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
|
||||
return ldap_pvt_tls_set_option( ld, option, &i );
|
||||
}
|
||||
return -1;
|
||||
#endif
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
@ -1174,9 +1180,11 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
|
||||
case LDAP_OPT_X_TLS_REQUIRE_CERT:
|
||||
*(int *)arg = tls_opt_require_cert;
|
||||
break;
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
case LDAP_OPT_X_TLS_CRLCHECK:
|
||||
*(int *)arg = tls_opt_crlcheck;
|
||||
break;
|
||||
#endif
|
||||
case LDAP_OPT_X_TLS_RANDOM_FILE:
|
||||
*(char **)arg = tls_opt_randfile ?
|
||||
LDAP_STRDUP( tls_opt_randfile ) : NULL;
|
||||
@ -1279,6 +1287,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
|
||||
return 0;
|
||||
}
|
||||
return -1;
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
case LDAP_OPT_X_TLS_CRLCHECK:
|
||||
switch( *(int *) arg ) {
|
||||
case LDAP_OPT_X_TLS_CRL_NONE:
|
||||
@ -1288,6 +1297,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
|
||||
return 0;
|
||||
}
|
||||
return -1;
|
||||
#endif
|
||||
case LDAP_OPT_X_TLS_CIPHER_SUITE:
|
||||
if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite );
|
||||
tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
|
||||
|
@ -1936,13 +1936,17 @@ restrict_unknown:;
|
||||
|
||||
if ( rc )
|
||||
return rc;
|
||||
#ifdef HAVE_OPENSSL_CRL
|
||||
} else if ( !strcasecmp( cargv[0], "TLSCRLCheck" ) ) {
|
||||
rc = ldap_int_tls_config( NULL,
|
||||
LDAP_OPT_X_TLS_CRLCHECK,
|
||||
cargv[1] );
|
||||
|
||||
if ( rc )
|
||||
return rc;
|
||||
#endif
|
||||
|
||||
#endif /* HAVE_TLS */
|
||||
|
||||
} else if ( !strcasecmp( cargv[0], "reverse-lookup" ) ) {
|
||||
#ifdef SLAPD_RLOOKUPS
|
||||
if ( cargc < 2 ) {
|
||||
|
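Review bot: The new `TLSCRLCheck` branch passes `cargv[1]` to `ldap_int_tls_config` without checking `cargc`, unlike the `reverse-lookup` directive a few lines below, which guards with `if ( cargc < 2 ) {`; a config line consisting of the bare keyword hands a missing argument to the `strcasecmp( arg, "none" )` call in the libldap handler, which is undefined behaviour. The TLS directive just above the hunk appears to follow the same unchecked pattern, so this may be an existing convention, but adding `if ( cargc < 2 ) return 1;` (with whatever log message the sibling directives emit, and following the non-zero-is-error convention visible in `if ( rc ) return rc;`) before the call, or a NULL guard on `arg` in the handler, would turn the misconfiguration into a clean parse error. The enclosing directive chain starts well before this hunk.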