Added TLS-OCSP-Cert-Valid to 3.0
authorAlan T. DeKok <aland@freeradius.org>
Thu, 10 Dec 2015 14:16:41 +0000 (09:16 -0500)
committerAlan T. DeKok <aland@freeradius.org>
Thu, 10 Dec 2015 14:17:19 +0000 (09:17 -0500)
Set by the TLS code.  Not checked for anything.

share/dictionary.freeradius.internal
src/main/tls.c

index 09a824b903a7fa3c40522143a1f9dc096c1d8650..72793540149bc2b559605e8e60d7cf511cceff24 100644 (file)
@@ -531,6 +531,15 @@ ATTRIBUTE  TLS-PSK-Identity                        1933    string
 
 # 1934 - 1939: reserved for future cert attributes
 
+# 1940 - 1949: reserved for TLS session caching, mostly in 3.1
+
+# Set by EAP-TLS code
+ATTRIBUTE      TLS-OCSP-Cert-Valid                     1943    integer internal
+VALUE  TLS-OCSP-Cert-Valid             unknown                 3
+VALUE  TLS-OCSP-Cert-Valid             skipped                 2
+VALUE  TLS-OCSP-Cert-Valid             yes                     1
+VALUE  TLS-OCSP-Cert-Valid             no                      0
+
 #
 #      Range:  1940-2099
 #              Free
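Review bot: The trailing comment `#      Range:  1940-2099` / `#              Free` is now stale: the header added at the top of this hunk reserves 1940-1949 for session caching and 1943 is allocated to TLS-OCSP-Cert-Valid in the same hunk, so the free range should read `#      Range:  1950-2099`. The value `unknown` (3) is defined here but none of the src/main/tls.c hunks in this commit sets it; a short comment on that VALUE line saying which code path is expected to produce it, or that it is reserved, would keep the dictionary and the code in step.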
index f435a70e463bb31570f6d1ac49e0689f9a6a13db..5d2af7edc7db3e2bf8202e502c6bf6723ce4f0ca 100644 (file)
@@ -1456,6 +1456,7 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
        struct timeval  now;
        struct timeval  when;
 #endif
+       VALUE_PAIR      *vp;
 
        /*
         * Create OCSP Request
@@ -1636,6 +1637,8 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
        switch (status) {
        case V_OCSP_CERTSTATUS_GOOD:
                RDEBUG2("ocsp: Cert status: good");
+               vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+               vp->vp_integer = 1;     /* yes */
                ocsp_status = OCSP_STATUS_OK;
                break;
 
@@ -1670,6 +1673,8 @@ ocsp_end:
 
        case OCSP_STATUS_SKIPPED:
        skipped:
+               vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+               vp->vp_integer = 2;     /* skipped */
                if (conf->ocsp_softfail) {
                        RWDEBUG("ocsp: Unable to check certificate, assuming it's valid");
                        RWDEBUG("ocsp: This may be insecure");
@@ -1685,6 +1690,8 @@ ocsp_end:
                break;
 
        default:
+               vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+               vp->vp_integer = 0;     /* no */
                REDEBUG("ocsp: Certificate has been expired/revoked");
                break;
        }