From 5704a2ef6e3139459bc90a96b0e3b8cdfbfecca5 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Thu, 28 Oct 2004 18:50:38 +0000 Subject: [PATCH] CRL checking options for ldap.conf and slapd.conf --- doc/man/man5/ldap.conf.5 | 20 ++++++++++++++++++++ doc/man/man5/slapd.conf.5 | 20 ++++++++++++++++++++ include/ldap.h | 5 +++++ libraries/libldap/init.c | 1 + libraries/libldap/tls.c | 36 +++++++++++++++++++++++++++++++++++- servers/slapd/config.c | 4 ++++ 6 files changed, 85 insertions(+), 1 deletion(-) diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index e235f5e403..07148ae31c 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -257,6 +257,26 @@ These keywords are equivalent. The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the default setting. .RE +.TP +.B TLS_CRLCHECK +Specifies if the Certificate Revocation List (CRL) of the CA should be +used to verify if the server certicates have not been revoked. This +requires +.B TLS_CACERTDIR +parameter to be set. +.B +can be specified as one of the following keywords: +.RS +.TP +.B none +No CRL checks are performed +.TP +.B peer +Check the CRL of the peer certificate +.TP +.B all +Check the CRL for a whole certificate chain +.RE .SH "ENVIRONMENT VARIABLES" .TP LDAPNOINIT diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index c1a5aa2597..41992bd822 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -943,6 +943,26 @@ a non-default .B TLSVerifyClient setting must be chosen to enable SASL EXTERNAL authentication. .RE +.TP +.B TLSCRLCheck +Specifies if the Certificate Revocation List (CRL) of the CA should be +used to verify if the client certicates have not been revoked. This +requires +.B TLSCACertificatePath +parameter to be set. +.B +can be specified as one of the following keywords: +.RS +.TP +.B none +No CRL checks are performed +.TP +.B peer +Check the CRL of the peer certificate +.TP +.B all +Check the CRL for a whole certificate chain +.RE .SH GENERAL BACKEND OPTIONS Options in this section only apply to the configuration file section for the specified backend. They are supported by every diff --git a/include/ldap.h b/include/ldap.h index b7cb33777d..8209fc6d29 100644 --- a/include/ldap.h +++ b/include/ldap.h @@ -133,6 +133,7 @@ LDAP_BEGIN_DECL #define LDAP_OPT_X_TLS_CIPHER_SUITE 0x6008 #define LDAP_OPT_X_TLS_RANDOM_FILE 0x6009 #define LDAP_OPT_X_TLS_SSL_CTX 0x600a +#define LDAP_OPT_X_TLS_CRLCHECK 0x600b #define LDAP_OPT_X_TLS_NEVER 0 #define LDAP_OPT_X_TLS_HARD 1 @@ -140,6 +141,10 @@ LDAP_BEGIN_DECL #define LDAP_OPT_X_TLS_ALLOW 3 #define LDAP_OPT_X_TLS_TRY 4 +#define LDAP_OPT_X_TLS_CRL_NONE 0 +#define LDAP_OPT_X_TLS_CRL_PEER 1 +#define LDAP_OPT_X_TLS_CRL_ALL 2 + /* OpenLDAP SASL options */ #define LDAP_OPT_X_SASL_MECH 0x6100 #define LDAP_OPT_X_SASL_REALM 0x6101 diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c index 81938ec9ad..bd16e957cd 100644 --- a/libraries/libldap/init.c +++ b/libraries/libldap/init.c @@ -98,6 +98,7 @@ static const struct ol_attribute { {0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT}, {0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE}, {0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE}, + {0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK}, #endif {0, ATTR_NONE, NULL, NULL, 0} diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 080989081f..28d1ef1fac 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -53,6 +53,7 @@ static char *tls_opt_keyfile = NULL; static char *tls_opt_cacertfile = NULL; static char *tls_opt_cacertdir = NULL; static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND; +static int tls_opt_crlcheck = LDAP_OPT_X_TLS_CRL_NONE; static char *tls_opt_ciphersuite = NULL; static char *tls_opt_randfile = NULL; @@ -331,6 +332,15 @@ ldap_pvt_tls_init_def_ctx( void ) tls_verify_ok : tls_verify_cb ); SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb ); /* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */ + if ( tls_opt_crlcheck ) { + X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx ); + if ( tls_opt_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) { + X509_STORE_set_flags( x509_s, X509_V_FLAG_CRL_CHECK ); + } else if ( tls_opt_crlcheck == LDAP_OPT_X_TLS_CRL_ALL ) { + X509_STORE_set_flags( x509_s, + X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL ); + } + } } error_exit: if ( rc == -1 && tls_def_ctx != NULL ) { @@ -1091,12 +1101,24 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg ) i = LDAP_OPT_X_TLS_HARD ; } + if (i >= 0) { + return ldap_pvt_tls_set_option( ld, option, &i ); + } + return -1; + case LDAP_OPT_X_TLS_CRLCHECK: + i = -1; + if ( strcasecmp( arg, "none" ) == 0 ) { + i = LDAP_OPT_X_TLS_CRL_NONE ; + } else if ( strcasecmp( arg, "peer" ) == 0 ) { + i = LDAP_OPT_X_TLS_CRL_PEER ; + } else if ( strcasecmp( arg, "all" ) == 0 ) { + i = LDAP_OPT_X_TLS_CRL_ALL ; + } if (i >= 0) { return ldap_pvt_tls_set_option( ld, option, &i ); } return -1; } - return -1; } @@ -1152,6 +1174,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) case LDAP_OPT_X_TLS_REQUIRE_CERT: *(int *)arg = tls_opt_require_cert; break; + case LDAP_OPT_X_TLS_CRLCHECK: + *(int *)arg = tls_opt_crlcheck; + break; case LDAP_OPT_X_TLS_RANDOM_FILE: *(char **)arg = tls_opt_randfile ? LDAP_STRDUP( tls_opt_randfile ) : NULL; @@ -1254,6 +1279,15 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) return 0; } return -1; + case LDAP_OPT_X_TLS_CRLCHECK: + switch( *(int *) arg ) { + case LDAP_OPT_X_TLS_CRL_NONE: + case LDAP_OPT_X_TLS_CRL_PEER: + case LDAP_OPT_X_TLS_CRL_ALL: + tls_opt_crlcheck = * (int *) arg; + return 0; + } + return -1; case LDAP_OPT_X_TLS_CIPHER_SUITE: if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite ); tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL; diff --git a/servers/slapd/config.c b/servers/slapd/config.c index c1f05a635e..a30df1c7d3 100644 --- a/servers/slapd/config.c +++ b/servers/slapd/config.c @@ -1936,6 +1936,10 @@ restrict_unknown:; if ( rc ) return rc; + } else if ( !strcasecmp( cargv[0], "TLSCRLCheck" ) ) { + rc = ldap_int_tls_config( NULL, + LDAP_OPT_X_TLS_CRLCHECK, + cargv[1] ); #endif -- 2.39.2