- #ifdef'd CRL checking code.
[define if struct msghdr has msg_accrights])
fi
])dnl
+AC_DEFUN([OL_SSL_COMPAT],
+[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)], [ol_cv_ssl_crl_compat],[
+ AC_EGREP_CPP(__ssl_compat,[
+#ifdef HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#else
+#include <ssl.h>
+#endif
+
+/* Require 0.9.7d+ */
+#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
+ char *__ssl_compat = "0.9.7d";
+#endif
+ ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
+])
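Review bot: The gate at `#if OPENSSL_VERSION_NUMBER >= 0x0090704fL` tests the header's version number rather than the feature the rest of the patch depends on, so a vendor tree that backports the CRL flags to an older version is rejected while a fork that bumps the number without them is accepted; the comment `/* Require 0.9.7d+ */` also never says what 0.9.7d provides. Since openssl/ssl.h already pulls in x509_vfy.h where the flags live, a feature test is both more robust and self-documenting: `#if defined(X509_V_FLAG_CRL_CHECK) && defined(X509_V_FLAG_CRL_CHECK_ALL)` with a comment such as `/* need X509_V_FLAG_CRL_CHECK{,_ALL} for TLS_CRLCHECK; these arrived with 0.9.7d */`. Note also that this is a compile-time check only; it says nothing about the library actually linked at run time, which a dynamically linked build may swap. Minor: `__ssl_compat` is a reserved identifier (double underscore); `ol_ssl_compat` avoids that without changing the probe. The surrounding configure macro context starts before this hunk.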
TLS_LIBS="-lssl -lcrypto"
fi
fi
+ OL_SSL_COMPAT
+ if test $ol_cv_ssl_crl_compat = no ; then
+ ol_link_ssl=no
+ else
+ AC_DEFINE(HAVE_OPENSSL_CRL, 1,
+ [define if you have OpenSSL with CRL checking capability])
+ fi
fi
else
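Review bot: The new `ol_link_ssl=no` branch turns a missing CRL capability into "no TLS at all" without saying so, which is the opposite of the fail-loud behaviour a builder wants when a security feature is dropped, and it makes every `#ifdef HAVE_OPENSSL_CRL` in this patch unreachable in an OpenSSL build: by this logic HAVE_OPENSSL_CRL is defined whenever OpenSSL is linked. If the intent is to keep TLS usable with older OpenSSL and only lose CRL checking, drop the `ol_link_ssl=no` line; in either case add `AC_MSG_WARN([OpenSSL older than 0.9.7d: CRL checking (TLS_CRLCHECK) not available])` inside the `no` branch so the outcome is visible in the configure log. The enclosing `if` block that this hunk sits in begins and ends outside it.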
/* Define if you have the <openssl/bn.h> header file. */
#undef HAVE_OPENSSL_BN_H
+/* Define if you have OpenSSL with CRL checking capability. */
+#undef HAVE_OPENSSL_CRL
+
/* Define if you have the <openssl/crypto.h> header file. */
#undef HAVE_OPENSSL_CRYPTO_H
{0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
+
+#ifdef HAVE_OPENSSL_CRL
{0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
+#endif
+
#endif
{0, ATTR_NONE, NULL, NULL, 0}
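Review bot: Compiling the `TLS_CRLCHECK` row out of the option table under `#ifdef HAVE_OPENSSL_CRL` means that on a build without CRL support the keyword becomes an unknown ldap.conf entry rather than an explicit "unsupported" error; if the table lookup's miss path is non-fatal (that code is outside this hunk) an administrator who configured revocation checking gets a connection that silently performs none. Keeping the row unconditional and having the option setter reject it when CRL support is absent (return -1 from the `LDAP_OPT_X_TLS_CRLCHECK` case under `#ifndef HAVE_OPENSSL_CRL`) makes the misconfiguration fail closed and loudly. At minimum a comment on the `#ifdef` should record that the keyword is intentionally unrecognised here, e.g. `/* TLS_CRLCHECK is only accepted when built against OpenSSL >= 0.9.7d (HAVE_OPENSSL_CRL) */`.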
static char *tls_opt_cacertfile = NULL;
static char *tls_opt_cacertdir = NULL;
static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
+#ifdef HAVE_OPENSSL_CRL
static int tls_opt_crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+#endif
static char *tls_opt_ciphersuite = NULL;
static char *tls_opt_randfile = NULL;
tls_verify_ok : tls_verify_cb );
SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb );
/* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */
+#ifdef HAVE_OPENSSL_CRL
if ( tls_opt_crlcheck ) {
X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx );
if ( tls_opt_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
}
}
+#endif
}
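Review bot: The two verify-flag branches inside `if ( tls_opt_crlcheck )` carry no comment explaining the security difference between the modes, and the "all" case's `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` deserves one because it changes what a missing CRL means: once these flags are set OpenSSL fails verification when no CRL for an issuer is in the store, so an administrator who enables the option without loading CRLs into the CA store gets every TLS handshake rejected (fail closed, but surprising). I would add above the `if`: `/* CRL_PEER: verify only the peer certificate against its issuer's CRL; CRL_ALL: also verify every CA in the chain. Either mode makes a missing CRL a verification failure, so CRLs must be loaded alongside the CA certs. */` The flags are applied to `tls_def_ctx` at initialisation time only, so presumably a value set through LDAP_OPT_X_TLS_CRLCHECK after the context exists is not reflected — worth a note if that is the intended contract. The enclosing function starts and ends outside this hunk.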
error_exit:
if ( rc == -1 && tls_def_ctx != NULL ) {
return ldap_pvt_tls_set_option( ld, option, &i );
}
return -1;
+#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK:
i = -1;
if ( strcasecmp( arg, "none" ) == 0 ) {
return ldap_pvt_tls_set_option( ld, option, &i );
}
return -1;
+#endif
}
return -1;
}
case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = tls_opt_require_cert;
break;
+#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK:
*(int *)arg = tls_opt_crlcheck;
break;
+#endif
case LDAP_OPT_X_TLS_RANDOM_FILE:
*(char **)arg = tls_opt_randfile ?
LDAP_STRDUP( tls_opt_randfile ) : NULL;
return 0;
}
return -1;
+#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK:
switch( *(int *) arg ) {
case LDAP_OPT_X_TLS_CRL_NONE:
return 0;
}
return -1;
+#endif
case LDAP_OPT_X_TLS_CIPHER_SUITE:
if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite );
tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
if ( rc )
return rc;
+#ifdef HAVE_OPENSSL_CRL
} else if ( !strcasecmp( cargv[0], "TLSCRLCheck" ) ) {
rc = ldap_int_tls_config( NULL,
LDAP_OPT_X_TLS_CRLCHECK,
cargv[1] );
-
+ if ( rc )
+ return rc;
#endif
+#endif /* HAVE_TLS */
+
} else if ( !strcasecmp( cargv[0], "reverse-lookup" ) ) {
#ifdef SLAPD_RLOOKUPS
if ( cargc < 2 ) {