
[389-commits] [389-ds-base] 01/01: Ticket 49557 - Add config option for checking CRL on outbound SSL Connections

This is an automated email from the git hooks/post-receive script.

tbordaz pushed a commit to branch master
in repository 389-ds-base.

commit ca8f1fd0a3e3beda381dd1c1d898451a8023ecfc
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Thu Feb 1 14:28:24 2018 -0500

Ticket 49557 - Add config option for checking CRL on outbound SSL Connections

Bug Description: There are cases where a CRL is not available during an outbound
replication connection. This is seen as an error by openldap,
and the connection fails.

Fix Description: Add on/off option for checking the CRL. The default is not to
check the CRL.

https://pagure.io/389-ds-base/issue/49557

Reviewed by: wibrown, Ludwig Krispenz, Thierry Bordaz
---
dirsrvtests/tests/suites/{ssl => tls}/__init__.py | 0
dirsrvtests/tests/suites/tls/tls_check_crl_test.py | 52 +++++++++++++++++
ldap/schema/01core389.ldif | 1 +
ldap/servers/slapd/ldaputil.c | 9 ++-
ldap/servers/slapd/libglobs.c | 66 +++++++++++++++++++++-
ldap/servers/slapd/proto-slap.h | 2 +
ldap/servers/slapd/slap.h | 10 +++-
7 files changed, 135 insertions(+), 5 deletions(-)

diff --git a/dirsrvtests/tests/suites/ssl/__init__.py b/dirsrvtests/tests/suites/tls/__init__.py
similarity index 100%
rename from dirsrvtests/tests/suites/ssl/__init__.py
rename to dirsrvtests/tests/suites/tls/__init__.py
diff --git a/dirsrvtests/tests/suites/tls/tls_check_crl_test.py b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py
new file mode 100644
index 0000000..8b4d07f
--- /dev/null
+++ b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py
@@ -0,0 +1,52 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2018 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+
+
+import pytest
+import ldap
+from lib389.topologies import topology_st
+
+def test_tls_check_crl(topology_st):
+ """Test that TLS check_crl configurations work as expected.
+
+ :id:
+ :steps:
+ 1. Enable TLS
+ 2. Set invalid value
+ 3. Set valid values
+ 4. Check config reset
+ :expectedresults:
+ 1. TlS is setup
+ 2. The invalid value is rejected
+ 3. The valid values are used
+ 4. The value can be reset
+ """
+ standalone = topology_st.standalone
+ # Enable TLS
+ standalone.enable_tls()
+ # Check all the valid values.
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
+ with pytest.raises(ldap.OPERATIONS_ERROR):
+ standalone.config.set('nsslapd-tls-check-crl', 'tnhoeutnoeutn')
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
+
+ standalone.config.set('nsslapd-tls-check-crl', 'peer')
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'peer')
+
+ standalone.config.set('nsslapd-tls-check-crl', 'none')
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
+
+ standalone.config.set('nsslapd-tls-check-crl', 'all')
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'all')
+
+ standalone.config.remove_all('nsslapd-tls-check-crl')
+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
+
+
+
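Review bot: The docstring's `:id:` field at the top of test_tls_check_crl is left empty; the other lib389 suites carry a UUID there so the case can be tracked, so fill it in (e.g. `:id: <uuid placeholder>`). The test also only proves that the config attribute accepts none/peer/all and rejects garbage; it does not show that an outbound TLS connection actually applies the chosen CRL policy, so a short note in the docstring saying the connection-level behaviour is out of scope here would stop readers assuming it is covered. As a point of style, `assert(expr == 'none')` reads as a function call; the plain `assert expr == 'none'` is the idiomatic form and avoids the classic `assert(x, msg)` tuple mistake later on.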
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 2eccc0a..67f5469 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -309,6 +309,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2338 NAME 'nsDS5ReplicaBindDNGroup' DESC
attributeTypes: ( 2.16.840.1.113730.3.1.2339 NAME 'nsslapd-changelogdir' DESC 'The changelog5 directory storage location' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2340 NAME 'nsslapd-changelogmaxage' DESC 'The changelog5 time where an entry will be retained' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2341 NAME 'nsslapd-changelogmaxentries' DESC 'The changelog5 max entries limit' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2344 NAME 'nsslapd-tls-check-crl' DESC 'Check CRL when opening outbound TLS connections. Valid options are none, peer, all.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
#
# objectclasses
#
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index fa9d276..2fc2f06 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -570,6 +570,7 @@ slapi_ldif_parse_line(
}

#if defined(USE_OPENLDAP)
+
static int
setup_ol_tls_conn(LDAP *ld, int clientauth)
{
@@ -602,7 +603,13 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
}
}
if (slapi_client_uses_openssl(ld)) {
- const int crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
+ tls_check_crl_t tls_check_state = config_get_tls_check_crl();
+ if (tls_check_state == TLS_CHECK_PEER) {
+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
+ } else if (tls_check_state == TLS_CHECK_ALL) {
+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
+ }
/* Sets the CRL evaluation strategy. */
rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
if (rc) {
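Review bot: The starting value `int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;` silently flips the previous behaviour (CRL_ALL) to no revocation checking at all for any state other than TLS_CHECK_PEER/TLS_CHECK_ALL, and nothing in the hunk records that this is deliberate; a comment such as `/* Default "none": peer revocation status is not checked unless nsslapd-tls-check-crl is set to peer or all (ticket 49557). */` above that line would make the trade-off visible to whoever next tightens it. A `switch (tls_check_state)` with explicit `case TLS_CHECK_PEER:`, `case TLS_CHECK_ALL:` and a `default:` that keeps CRL_NONE would also let the compiler warn if tls_check_crl_t grows another value. setup_ol_tls_conn continues past the end of this hunk, so the handling of `rc` after ldap_set_option is not visible here.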
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 304f470..c7a8730 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -157,7 +157,8 @@ typedef enum {
CONFIG_STRING_OR_EMPTY, /* use an empty string */
CONFIG_SPECIAL_ANON_ACCESS_SWITCH, /* maps strings to an enumeration */
CONFIG_SPECIAL_VALIDATE_CERT_SWITCH, /* maps strings to an enumeration */
- CONFIG_SPECIAL_UNHASHED_PW_SWITCH /* unhashed pw: on/off/nolog */
+ CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */
+ CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */
} ConfigVarType;

static int32_t config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *errorbuf, int apply);
@@ -1181,7 +1182,15 @@ static struct config_get_and_set
{CONFIG_LOGGING_BACKEND, NULL,
log_set_backend, 0,
(void **)&global_slapdFrontendConfig.logging_backend,
- CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL}};
+ CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL},
+ {CONFIG_TLS_CHECK_CRL_ATTRIBUTE, config_set_tls_check_crl,
+ NULL, 0,
+ (void **)&global_slapdFrontendConfig.tls_check_crl,
+ CONFIG_SPECIAL_TLS_CHECK_CRL, (ConfigGetFunc)config_get_tls_check_crl,
+ "none" /* Allow reset to this value */}
+
+ /* End config */
+ };

/*
* hashNocaseString - used for case insensitive hash lookups
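Review bot: The new table entry introduces a fresh ConfigVarType, CONFIG_SPECIAL_TLS_CHECK_CRL, but the switch statements that turn a ConfigVarType into a get/set conversion are outside this chunk, so I cannot confirm they gained a matching case; if they did not, reading or resetting nsslapd-tls-check-crl through the generic path would fall into whatever the default branch does. The reset value comment `"none" /* Allow reset to this value */` would be clearer as `"none" /* Reset value: CRL checking off until explicitly set to peer or all */`, since "none" here means the weaker security setting rather than an absent value. The commit message describes the option as on/off, whereas this entry and the schema text define a three-way none/peer/all value; the description is the place to reconcile that.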
@@ -1514,7 +1523,6 @@ FrontendConfig_init(void)
cfg->maxdescriptors = SLAPD_DEFAULT_MAXDESCRIPTORS;
cfg->groupevalnestlevel = SLAPD_DEFAULT_GROUPEVALNESTLEVEL;
cfg->snmp_index = SLAPD_DEFAULT_SNMP_INDEX;
-
cfg->SSLclientAuth = SLAPD_DEFAULT_SSLCLIENTAUTH;

#ifdef USE_SYSCONF
@@ -1532,6 +1540,7 @@ FrontendConfig_init(void)
