# revoke certificates without the distribution of
# new Certificate Revokation Lists (CRLs).
#
+ # Enable OCSP support by uncommenting this section,
+ # and its configuration items.
+ #
ocsp {
- #
- # Enable it. The default is "no".
- # Deleting the entire "ocsp" subsection
- # Also disables caching.
- #
- check_ocsp = no
-
#
# The OCSP Responder URL can be automatically
# extracted from the certificate in question.
# To override the OCSP Responder URL set
- # "define_ocsp_responder = yes".
+ # "override_cert_url = yes".
#
- define_ocsp_responder = yes
+ override_cert_url = yes
#
- # If the OCSP Responder address is not extracted
- # from the certificate, the URL can be defined here.
+ # If the OCSP Responder address is not
+ # extracted from the certificate, the
+ # URL can be defined here.
+
#
- # Limitation: Currently the HTTP Request is not
- # sending the "Host: " information to the web-server.
- # This can be a problem if the OCSP Responder is
- # running as a vhost.
+ # Limitation: Currently the HTTP
+ # Request is not sending the "Host: "
+ # information to the web-server. This
+ # can be a problem if the OCSP
+ # Responder is running as a vhost.
#
- ocsp_url = "http://127.0.0.1/ocsp/"
+ url = "http://127.0.0.1/ocsp/"
}
}
#include <sys/stat.h>
#endif
-/* OCSP Header */
+#ifdef HAVE_OPENSSL_OCSP_H
#include <openssl/ocsp.h>
+#endif
static CONF_PARSER cache_config[] = {
{ "enable", PW_TYPE_BOOLEAN,
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
+#ifdef HAVE_OPENSSL_OCSP_H
static CONF_PARSER ocsp_config[] = {
- { "check_ocsp", PW_TYPE_BOOLEAN,
- offsetof(EAP_TLS_CONF, check_ocsp), NULL, "no"},
- { "define_ocsp_responder", PW_TYPE_BOOLEAN,
- offsetof(EAP_TLS_CONF, define_ocsp_responder), NULL, "no"},
- { "ocsp_url", PW_TYPE_FILENAME,
+ { "override_cert_url", PW_TYPE_BOOLEAN,
+ offsetof(EAP_TLS_CONF, ocsp_override_url), NULL, "no"},
+ { "url", PW_TYPE_STRING_PTR,
offsetof(EAP_TLS_CONF, ocsp_url), NULL, NULL },
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
+#endif
static CONF_PARSER module_config[] = {
{ "rsa_key_exchange", PW_TYPE_BOOLEAN,
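Review bot: `check_ocsp` is removed from `ocsp_config` here, but `conf->check_ocsp` is still the gate that starts the OCSP request later in this file (`if (my_ok && conf->check_ocsp)`), and the only assignment to it visible in this commit is the `conf->check_ocsp = FALSE` in the instantiate path. Unless code outside this diff sets it when the `ocsp` subsection is present, the field keeps its zero-initialised value and no revocation check ever runs even though the operator configured the section, which is a silent fail-open. Either keep the boolean in `ocsp_config` with its `"no"` default, or set `conf->check_ocsp = TRUE` explicitly at the point where the parser finds the `ocsp` subsection, and log at startup whether OCSP checking is active.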
{ "verify", PW_TYPE_SUBSECTION, 0, NULL, (const void *) verify_config },
+#ifdef HAVE_OPENSSL_OCSP_H
{ "ocsp", PW_TYPE_SUBSECTION, 0, NULL, (const void *) ocsp_config },
+#endif
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
return NULL;
}
+#ifdef HAVE_OPENSSL_OCSP_H
/*
* This function extracts the OCSP Responder URL
* from an existing x509 certificate.
*/
-int ocsp_parse_cert_url(X509 *cert, char **phost, char **pport, char **ppath, int *pssl)
+static int ocsp_parse_cert_url(X509 *cert, char **phost, char **pport,
+ char **ppath, int *pssl)
{
int i;
* This function sends a OCSP request to a defined OCSP responder
* and checks the OCSP response for correctness.
*/
-int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert, EAP_TLS_CONF *conf)
+static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
+ EAP_TLS_CONF *conf)
{
OCSP_CERTID *certid;
OCSP_REQUEST *req;
*/
/* Get OCSP responder URL */
- if(conf->define_ocsp_responder) {
+ if(conf->ocsp_override_url) {
OCSP_parse_url(conf->ocsp_url, &host, &port, &path, &use_ssl);
}
else {
ocsp_parse_cert_url(client_cert, &host, &port, &path, &use_ssl);
}
- DEBUG2("[ocsp] --> Resonder URL = http://%s:%s%s", host, port, path);
+ DEBUG2("[ocsp] --> Responder URL = http://%s:%s%s", host, port, path);
/* Setup BIO socket to OCSP responder */
cbio = BIO_new_connect(host);
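Review bot: Neither `OCSP_parse_url` nor `ocsp_parse_cert_url` has its return value checked, so a malformed configured URL, or a client certificate that carries no usable OCSP responder URI, falls straight through to the `DEBUG2` and to `BIO_new_connect(host)` with whatever `host`/`port`/`path` held before the call; their initialisation is in the prologue of `ocsp_check`, outside this hunk. `OCSP_parse_url` returns 0 on failure, and with `override_cert_url = yes` but no `url` configured `conf->ocsp_url` is NULL, which the instantiate-time guard added by this commit does not reject. Treat either failure as a failed check before the `DEBUG2` line, e.g. `if (!conf->ocsp_url || !OCSP_parse_url(conf->ocsp_url, &host, &port, &path, &use_ssl)) { radlog(L_ERR, "[ocsp] Invalid OCSP responder URL"); /* take the function's failure exit */ }` and the equivalent for the `ocsp_parse_cert_url` branch. The message also always prints `http://` regardless of `use_ssl`, which is cosmetic but misleading when diagnosing a responder problem.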
return ocsp_ok;
}
+#endif /* HAVE_OPENSSL_OCSP_H */
/*
* For creating certificate attributes.
EAP_TLS_CONF *conf;
int my_ok = ok;
REQUEST *request;
- X509_STORE *ocsp_store = NULL;
ASN1_INTEGER *sn = NULL;
ASN1_TIME *asn_time = NULL;
+#ifdef HAVE_OPENSSL_OCSP_H
+ X509_STORE *ocsp_store = NULL;
+#endif
client_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
handler = (EAP_HANDLER *)SSL_get_ex_data(ssl, 0);
request = handler->request;
conf = (EAP_TLS_CONF *)SSL_get_ex_data(ssl, 1);
+#ifdef HAVE_OPENSSL_OCSP_H
ocsp_store = (X509_STORE *)SSL_get_ex_data(ssl, 2);
+#endif
+
/*
* Get the Serial Number
}
}
} /* check_cert_cn */
+
+#ifdef HAVE_OPENSSL_OCSP_H
if (my_ok && conf->check_ocsp){
RDEBUG2("--> Starting OCSP Request");
- if(X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert)!=1)
+ if(X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert)!=1) {
radlog(L_ERR, "Error: Couldn't get issuer_cert for %s", common_name);
+ }
my_ok = ocsp_check(ocsp_store, issuer_cert, client_cert, conf);
}
+#endif
while (conf->verify_client_cert_cmd) {
char filename[256];
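Review bot: When `X509_STORE_CTX_get1_issuer` does not return 1 the new braces only enclose the log line; control still falls through to `ocsp_check(ocsp_store, issuer_cert, client_cert, conf)` with an issuer that was never obtained, so whatever `issuer_cert` held beforehand (its declaration is outside this hunk) ends up deciding the verdict. Skip the check and fail verification instead: `if (X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) { radlog(L_ERR, "Error: Couldn't get issuer_cert for %s", common_name); my_ok = 0; } else { my_ok = ocsp_check(ocsp_store, issuer_cert, client_cert, conf); }`. `get1_issuer` also returns a reference the caller owns, so unless it is released elsewhere in this verify callback, add `X509_free(issuer_cert);` after the check to avoid leaking one certificate per handshake. The enclosing callback starts and ends outside this hunk.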
pairfree(&vp);
}
+#ifdef HAVE_OPENSSL_OCSP_H
/*
* Create Global X509 revocation store and use it to verify
* OCSP responses
#endif
return store;
}
+#endif /* HAVE_OPENSSL_OCSP_H */
/*
* Create Global context SSL and use it in every new session
return -1;
}
+#ifdef HAVE_OPENSSL_OCSP_H
/*
* Initialize OCSP Revocation Store
*/
- inst->store = init_revocation_store(conf);
- if (inst->store == NULL) {
- eaptls_detach(inst);
- return -1;
+ if (!conf->ocsp_url && !conf->ocsp_override_url) {
+ conf->check_ocsp = FALSE;
+ } else {
+ inst->store = init_revocation_store(conf);
+ if (inst->store == NULL) {
+ eaptls_detach(inst);
+ return -1;
+ }
}
+#endif HAVE_OPENSSL_OCSP_H
if (load_dh_params(inst->ctx, conf->dh_file) < 0) {
eaptls_detach(inst);
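Review bot: `#endif HAVE_OPENSSL_OCSP_H` has bare tokens after the directive; C permits only a comment there, compilers warn (`extra tokens at end of #endif directive`), and a `-Werror` build fails. Use the form the other guards in this commit use, `#endif /* HAVE_OPENSSL_OCSP_H */`. Separately, the new guard `if (!conf->ocsp_url && !conf->ocsp_override_url)` sets `conf->check_ocsp = FALSE` with no log line, so an operator who configured the `ocsp` section gets no indication that revocation checking was turned off; and as written it disables the configuration where the responder URL is meant to come from the certificate (override off, no `url`), while the configuration that cannot work (override on, no `url`) still builds the store and later reaches `OCSP_parse_url(NULL, ...)`. If that reading is right, the condition wanted is `if (conf->ocsp_override_url && !conf->ocsp_url)`, paired with a `radlog(L_ERR, ...)` and `return -1` rather than a silent downgrade.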
}
if (conf->verify_tmp_dir) {
- char filename[256];
-
if (chmod(conf->verify_tmp_dir, S_IRWXU) < 0) {
radlog(L_ERR, "rlm_eap_tls: Failed changing permissions on %s: %s", conf->verify_tmp_dir, strerror(errno));
eaptls_detach(inst);