CRL checking options for ldap.conf and slapd.conf

doc/man/man5/ldap.conf.5

@@ -257,6 +257,26 @@ These keywords are equivalent. The server certificate is requested. If no
 certificate is provided, or a bad certificate is provided, the session
 is immediately terminated. This is the default setting.
 .RE
+.TP
+.B TLS_CRLCHECK <level>
+Specifies if the Certificate Revocation List (CRL) of the CA should be 
+used to verify if the server certicates have not been revoked. This
+requires
+.B TLS_CACERTDIR
+parameter to be set.
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B none
+No CRL checks are performed
+.TP
+.B peer
+Check the CRL of the peer certificate
+.TP
+.B all
+Check the CRL for a whole certificate chain
+.RE
 .SH "ENVIRONMENT VARIABLES"
 .TP
 LDAPNOINIT

doc/man/man5/slapd.conf.5

@@ -943,6 +943,26 @@ a non-default
 .B TLSVerifyClient
 setting must be chosen to enable SASL EXTERNAL authentication.
 .RE
+.TP
+.B TLSCRLCheck <level>
+Specifies if the Certificate Revocation List (CRL) of the CA should be 
+used to verify if the client certicates have not been revoked. This
+requires
+.B TLSCACertificatePath
+parameter to be set.
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B none
+No CRL checks are performed
+.TP
+.B peer
+Check the CRL of the peer certificate
+.TP
+.B all
+Check the CRL for a whole certificate chain
+.RE
 .SH GENERAL BACKEND OPTIONS
 Options in this section only apply to the configuration file section
 for the specified backend.  They are supported by every

include/ldap.h

@@ -133,6 +133,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_CIPHER_SUITE	0x6008
 #define LDAP_OPT_X_TLS_RANDOM_FILE	0x6009
 #define LDAP_OPT_X_TLS_SSL_CTX		0x600a
+#define LDAP_OPT_X_TLS_CRLCHECK		0x600b
 
 #define LDAP_OPT_X_TLS_NEVER	0
 #define LDAP_OPT_X_TLS_HARD		1
@@ -140,6 +141,10 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_ALLOW	3
 #define LDAP_OPT_X_TLS_TRY		4
 
+#define LDAP_OPT_X_TLS_CRL_NONE	0
+#define LDAP_OPT_X_TLS_CRL_PEER	1
+#define LDAP_OPT_X_TLS_CRL_ALL	2
+
 /* OpenLDAP SASL options */
 #define LDAP_OPT_X_SASL_MECH			0x6100
 #define LDAP_OPT_X_SASL_REALM			0x6101

libraries/libldap/init.c

@@ -98,6 +98,7 @@ static const struct ol_attribute {
   	{0, ATTR_TLS,	"TLS_REQCERT",		NULL,	LDAP_OPT_X_TLS_REQUIRE_CERT},
 	{0, ATTR_TLS,	"TLS_RANDFILE",		NULL,	LDAP_OPT_X_TLS_RANDOM_FILE},
 	{0, ATTR_TLS,	"TLS_CIPHER_SUITE",	NULL,	LDAP_OPT_X_TLS_CIPHER_SUITE},
+	{0, ATTR_TLS,	"TLS_CRLCHECK",		NULL,	LDAP_OPT_X_TLS_CRLCHECK},
 #endif
 
 	{0, ATTR_NONE,		NULL,		NULL,	0}

libraries/libldap/tls.c

@@ -53,6 +53,7 @@ static char *tls_opt_keyfile = NULL;
 static char *tls_opt_cacertfile = NULL;
 static char *tls_opt_cacertdir = NULL;
 static int  tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
+static int  tls_opt_crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
 static char *tls_opt_ciphersuite = NULL;
 static char *tls_opt_randfile = NULL;
 
@@ -331,6 +332,15 @@ ldap_pvt_tls_init_def_ctx( void )
 			tls_verify_ok : tls_verify_cb );
 		SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb );
 		/* SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); */
+		if ( tls_opt_crlcheck ) {
+			X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx );
+			if ( tls_opt_crlcheck == LDAP_OPT_X_TLS_CRL_PEER ) {
+				X509_STORE_set_flags( x509_s, X509_V_FLAG_CRL_CHECK );
+			} else if ( tls_opt_crlcheck == LDAP_OPT_X_TLS_CRL_ALL ) {
+				X509_STORE_set_flags( x509_s, 
+						X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL  );
+			}
+		}
 	}
 error_exit:
 	if ( rc == -1 && tls_def_ctx != NULL ) {
@@ -1091,12 +1101,24 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 			i = LDAP_OPT_X_TLS_HARD ;
 		}
 
+		if (i >= 0) {
+			return ldap_pvt_tls_set_option( ld, option, &i );
+		}
+		return -1;
+	case LDAP_OPT_X_TLS_CRLCHECK:
+		i = -1;
+		if ( strcasecmp( arg, "none" ) == 0 ) {
+			i = LDAP_OPT_X_TLS_CRL_NONE ;
+		} else if ( strcasecmp( arg, "peer" ) == 0 ) {
+			i = LDAP_OPT_X_TLS_CRL_PEER ;
+		} else if ( strcasecmp( arg, "all" ) == 0 ) {
+			i = LDAP_OPT_X_TLS_CRL_ALL ;
+		}
 		if (i >= 0) {
 			return ldap_pvt_tls_set_option( ld, option, &i );
 		}
 		return -1;
 	}
-
 	return -1;
 }
 
@@ -1152,6 +1174,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		*(int *)arg = tls_opt_require_cert;
 		break;
+	case LDAP_OPT_X_TLS_CRLCHECK:
+		*(int *)arg = tls_opt_crlcheck;
+		break;
 	case LDAP_OPT_X_TLS_RANDOM_FILE:
 		*(char **)arg = tls_opt_randfile ?
 			LDAP_STRDUP( tls_opt_randfile ) : NULL;
@@ -1254,6 +1279,15 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 			return 0;
 		}
 		return -1;
+	case LDAP_OPT_X_TLS_CRLCHECK:
+		switch( *(int *) arg ) {
+		case LDAP_OPT_X_TLS_CRL_NONE:
+		case LDAP_OPT_X_TLS_CRL_PEER:
+		case LDAP_OPT_X_TLS_CRL_ALL:
+			tls_opt_crlcheck = * (int *) arg;
+			return 0;
+		}
+		return -1;
 	case LDAP_OPT_X_TLS_CIPHER_SUITE:
 		if ( tls_opt_ciphersuite ) LDAP_FREE( tls_opt_ciphersuite );
 		tls_opt_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;

servers/slapd/config.c

@@ -1936,6 +1936,10 @@ restrict_unknown:;
 
 			if ( rc )
 				return rc;
+		} else if ( !strcasecmp( cargv[0], "TLSCRLCheck" ) ) {
+			rc = ldap_int_tls_config( NULL,
+						LDAP_OPT_X_TLS_CRLCHECK,
+						cargv[1] );
 
 #endif