From 93cec8b6947816052b391d684f788c9e8c3fb452 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Wed, 3 Nov 2004 12:02:38 +0000
Subject: [PATCH] - Added autoconf test for CRL capable OpenSSL Version - #ifdef'd CRL checking code.
---
 build/openldap.m4 | 15 +++++++++++++++
 configure.in | 7 +++++++
 include/portable.h.in | 3 +++
 libraries/libldap/init.c | 4 ++++
 libraries/libldap/tls.c | 10 ++++++++++
 servers/slapd/config.c | 6 +++++-
 6 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/build/openldap.m4 b/build/openldap.m4
index b025dd8db5..72c60e4e68 100644
--- a/build/openldap.m4
+++ b/build/openldap.m4
@@ -1327,3 +1327,18 @@ AC_DEFUN(OL_MSGHDR_MSG_ACCRIGHTS,
 [define if struct msghdr has msg_accrights])
 fi
 ])dnl
+AC_DEFUN([OL_SSL_COMPAT],
+[AC_CACHE_CHECK([OpenSSL library version (CRL checking capability)], [ol_cv_ssl_crl_compat],[
+ AC_EGREP_CPP(__ssl_compat,[
+#ifdef HAVE_OPENSSL_SSL_H
+#include
+#else
+#include
+#endif
+
+/* Require 0.9.7d+ */
+#if OPENSSL_VERSION_NUMBER >= 0x0090704fL
+ char *__ssl_compat = "0.9.7d";
+#endif
+ ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
+])
diff --git a/configure.in b/configure.in
index 6c233ee2bd..e9e9db0a42 100644
--- a/configure.in
+++ b/configure.in
@@ -1258,6 +1258,13 @@ if test $ol_with_tls != no ; then
 TLS_LIBS="-lssl -lcrypto"
 fi
 fi
+ OL_SSL_COMPAT
+ if test $ol_cv_ssl_crl_compat = no ; then
+ ol_link_ssl=no
+ else
+ AC_DEFINE(HAVE_OPENSSL_CRL, 1,
+ [define if you have OpenSSL with CRL checking capability])
+ fi
 fi
 else
diff --git a/include/portable.h.in b/include/portable.h.in
index 278fdbc68e..13c7122ae5 100644
--- a/include/portable.h.in
+++ b/include/portable.h.in
@@ -476,6 +476,9 @@
 /* Define if you have the header file. */
 #undef HAVE_OPENSSL_BN_H
+/* Define if you have OpenSSL with CRL checking capability. */
+#undef HAVE_OPENSSL_CRL
+
 /* Define if you have the header file. */
 #undef HAVE_OPENSSL_CRYPTO_H
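Review bot: OL_SSL_COMPAT decides CRL capability purely from `OPENSSL_VERSION_NUMBER >= 0x0090704fL`, which is only a proxy for what tls.c actually needs (`X509_STORE_set_flags` with `X509_V_FLAG_CRL_CHECK`/`X509_V_FLAG_CRL_CHECK_ALL`); a vendor build reporting a lower version that carries the API, or a higher version with the feature stripped, is misclassified. Testing for the feature is more robust, e.g. replace the version test with `#ifdef X509_V_FLAG_CRL_CHECK_ALL` / `char *ol_ssl_compat = "crl";` / `#endif`, and if the 0.9.7d floor is needed for a specific fix, name that fix in the `/* Require 0.9.7d+ */` comment so the constant can be revisited. `__ssl_compat` is also a reserved identifier (double leading underscore). The two `+#include` lines appear to have lost their header names in this rendering, so the headers actually tested could not be checked here.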
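Review bot: When OL_SSL_COMPAT reports no, the configure.in hunk sets `ol_link_ssl=no`, which — if that variable gates OpenSSL linking as its name suggests — drops TLS entirely on OpenSSL older than 0.9.7d instead of merely building without CRL checking, making the `HAVE_OPENSSL_CRL` guards added elsewhere in this commit unreachable and removing TLS from such builds with no message (the only trace is the cached `ol_cv_ssl_crl_compat=no`). If the intent is graceful degradation, drop the `ol_link_ssl=no` and just skip the AC_DEFINE, emitting `AC_MSG_WARN([OpenSSL too old for CRL checking; TLS_CRLCHECK will be unavailable])`; if the intent is a hard floor, fail loudly with `AC_MSG_ERROR([OpenSSL 0.9.7d or later is required for TLS support])`. Either way the builder should learn why TLS or CRL support vanished. The enclosing `if test $ol_with_tls != no` block starts before the hunk.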
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index bd16e957cd..36797fe1ca 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -98,7 +98,11 @@ static const struct ol_attribute {
 {0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
 {0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
 {0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
+
+#ifdef HAVE_OPENSSL_CRL
 {0, ATTR_TLS, "TLS_CRLCHECK", NULL, LDAP_OPT_X_TLS_CRLCHECK},
+#endif
+
 #endif
 {0, ATTR_NONE, NULL, NULL, 0}
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 28d1ef1fac..3251a8b31c 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -53,7 +53,9 @@ static char *tls_opt_keyfile = NULL;
 static char *tls_opt_cacertfile = NULL;
 static char *tls_opt_cacertdir = NULL;
 static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
+#ifdef HAVE_OPENSSL_CRL
 static int tls_opt_crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+#endif
 static char *tls_opt_ciphersuite = NULL;
 static char *tls_opt_randfile = NULL;
@@ -332,6 +334,7 @@ ldap_pvt_tls_init_def_ctx( void )
 tls_verify_ok : tls_verify_cb );
 SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb );
 /* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */
+#ifdef HAVE_OPENSSL_CRL
 if ( tls_opt_crlcheck ) {
 X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx );
 if ( tls_opt_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
@@ -341,6 +344,7 @@ ldap_pvt_tls_init_def_ctx( void )
 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL );
 }
 }
+#endif
 }
 error_exit:
 if ( rc == -1 && tls_def_ctx != NULL ) {
@@ -1105,6 +1109,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 return ldap_pvt_tls_set_option( ld, option, &i );
 }
 return -1;
+#ifdef HAVE_OPENSSL_CRL
 case LDAP_OPT_X_TLS_CRLCHECK:
 i = -1;
 if ( strcasecmp( arg, "none" ) == 0 ) {
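Review bot: Dropping the `TLS_CRLCHECK` row from the ol_attribute table means an ldap.conf/ldaprc that asks for revocation checking on a build without HAVE_OPENSSL_CRL simply matches nothing — presumably the keyword is then ignored without any diagnostic, which is worth confirming in the table consumer — while the same request through `ldap_set_option()` now fails with -1 per the tls.c hunks; the two paths should agree, and a silently dropped revocation check is the worse failure. Keeping the row unconditional and letting ldap_int_tls_config reject the option at runtime is the smallest change that makes the misconfiguration visible. Separately, the inner `#endif` is bare and sits directly inside another `#endif`; `#endif /* HAVE_OPENSSL_CRL */` would match the `#endif /* HAVE_TLS */` annotation this commit adds in config.c. The ol_attribute table starts before the hunk.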
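Review bot: The `#endif` added at the top of hunk @@ -341 closes an `#ifdef HAVE_OPENSSL_CRL` opened in the previous hunk, across a nested block, and is immediately followed by a bare `}`; annotating it as `#endif /* HAVE_OPENSSL_CRL */` (and likewise the ones in the -53 and -1118 hunks) keeps the preprocessor nesting readable and matches the `#endif /* HAVE_TLS */` style used in config.c in this same commit. Also, with the static `tls_opt_crlcheck` now conditionally defined (hunk -53), any reference to it elsewhere in tls.c outside the guarded hunks would break non-CRL builds; keeping the variable unconditional and guarding only the OpenSSL calls is cheaper and avoids that risk. ldap_pvt_tls_init_def_ctx and ldap_int_tls_config both start and end outside these hunks.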
@@ -1118,6 +1123,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 return ldap_pvt_tls_set_option( ld, option, &i );
 }
 return -1;
+#endif
 }
 return -1;
 }
@@ -1174,9 +1180,11 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 case LDAP_OPT_X_TLS_REQUIRE_CERT:
 *(int *)arg = tls_opt_require_cert;
 break;
+#ifdef HAVE_OPENSSL_CRL
 case LDAP_OPT_X_TLS_CRLCHECK:
 *(int *)arg = tls_opt_crlcheck;
 break;
+#endif
 case LDAP_OPT_X_TLS_RANDOM_FILE:
 *(char **)arg = tls_opt_randfile ? LDAP_STRDUP( tls_opt_randfile ) : NULL;
@@ -1279,6 +1287,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 return 0;
 }
 return -1;
+#ifdef HAVE_OPENSSL_CRL
 case LDAP_OPT_X_TLS_CRLCHECK:
 switch( *(int *) arg ) {
 case LDAP_OPT_X_TLS_CRL_NONE:
@@ -1288,6 +1297,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 return 0;
 }
 return -1;
+#endif
 case LDAP_OPT_X_TLS_CIPHER_SUITE:
 if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite );
 tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index a30df1c7d3..29cb991224 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1936,13 +1936,17 @@ restrict_unknown:;
 if ( rc ) return rc;
+#ifdef HAVE_OPENSSL_CRL
 } else if ( !strcasecmp( cargv[0], "TLSCRLCheck" ) ) {
 rc = ldap_int_tls_config( NULL, LDAP_OPT_X_TLS_CRLCHECK, cargv[1] );
-
+ if ( rc )
+ return rc;
 #endif
+#endif /* HAVE_TLS */
+
 } else if ( !strcasecmp( cargv[0], "reverse-lookup" ) ) {
 #ifdef SLAPD_RLOOKUPS
 if ( cargc < 2 ) {
-- 
2.39.5
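Review bot: With HAVE_OPENSSL_CRL undefined the whole `TLSCRLCheck` branch disappears, so a slapd.conf that requests revocation checking on an older OpenSSL falls through to whatever handles unrecognised directives (outside the hunk) instead of a specific refusal — an administrator could believe CRLs are being enforced when they are not. Add an `#else` arm that names the problem: `} else if ( !strcasecmp( cargv[0], "TLSCRLCheck" ) ) {` followed by the file's usual line-numbered diagnostic saying CRL checking is not available in this build, then `return 1;`. The new `if ( rc ) return rc;` after the ldap_int_tls_config call is the right fix for the result the old code left unchecked. The enclosing directive chain starts and ends outside the hunk.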