Added "ocsp enable" functionality back
authorAlan T. DeKok <aland@freeradius.org>
Mon, 22 Nov 2010 15:40:27 +0000 (16:40 +0100)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 22 Nov 2010 15:40:27 +0000 (16:40 +0100)
raddb/eap.conf
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h

index a56729401a632633033f9850c6cd1c98054fbfda..7b4f7d8edca4a2bf20e473b940c505a246b7508c 100644 (file)
                        #  revoke certificates without the distribution of
                        #  new Certificate Revokation Lists (CRLs).
                        #
-                       #  Enable OCSP support by uncommenting this section,
-                       #  and its configuration items.
-                       #
                        ocsp {
+                             #
+                             #  Enable it.  The default is "no".
+                             #  Deleting the entire "ocsp" subsection
+                             #  Also disables ocsp checking
+                             #
+                             enable = no
+
                              #
                              #  The OCSP Responder URL can be automatically
                              #  extracted from the certificate in question.
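Review bot: The comment block added above `enable = no` does not tell existing deployments that setting `url` no longer switches OCSP on by itself, so a site that enabled OCSP by uncommenting this section (the wording the commit removes) will run with revocation checking silently off after upgrading. The code side of that change is the `if (conf->ocsp_enable)` gate in eaptls_attach in rlm_eap_tls.c, which replaces the old url/override_cert_url derivation. A line such as `#  NOTE: setting "url" alone no longer enables OCSP; set "enable = yes".` under the default would make the behaviour change visible where operators look first. Separately, "Also" on the third new comment line is capitalised mid-sentence.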
index 5f9cd9efbf225ef5b3f61a13ef93c4d7d4bc164b..e2b7c484b250b1036756ac7b4eae4b36f5ecaaea 100644 (file)
@@ -69,6 +69,8 @@ static CONF_PARSER verify_config[] = {
 
 #ifdef HAVE_OPENSSL_OCSP_H
 static CONF_PARSER ocsp_config[] = {
+       { "enable", PW_TYPE_BOOLEAN,
+         offsetof(EAP_TLS_CONF, ocsp_enable), NULL, "no"},
        { "override_cert_url", PW_TYPE_BOOLEAN,
          offsetof(EAP_TLS_CONF, ocsp_override_url), NULL, "no"},
        { "url", PW_TYPE_STRING_PTR,
@@ -583,7 +585,7 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                } /* check_cert_cn */
 
 #ifdef HAVE_OPENSSL_OCSP_H
-               if (my_ok && conf->check_ocsp){
+               if (my_ok && conf->ocsp_enable){
                        RDEBUG2("--> Starting OCSP Request");
                        if(X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert)!=1) {
                                radlog(L_ERR, "Error: Couldn't get issuer_cert for %s", common_name);
@@ -1144,13 +1146,11 @@ static int eaptls_attach(CONF_SECTION *cs, void **instance)
        /*
         *      Initialize OCSP Revocation Store
         */
-       if (!conf->ocsp_url && !conf->ocsp_override_url) {
-               conf->check_ocsp = FALSE;
-       } else {
+       if (conf->ocsp_enable) {
                inst->store = init_revocation_store(conf);
                if (inst->store == NULL) {
                        eaptls_detach(inst);
-                       return -1;
+                 return -1;
                }
        }
 #endif HAVE_OPENSSL_OCSP_H
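Review bot: The re-indented `return -1;` in the eaptls_attach hunk replaces the line's tab with spaces, so it now sits at a different column from the tab-indented lines around it; the reindent is unrelated to the fix and should be reverted to the neighbouring lines' tab indentation. In the same hunk, `if (conf->ocsp_enable)` drops the old derivation from `ocsp_url`/`ocsp_override_url`, so a stanza that configures a url without `enable = yes` now skips init_revocation_store with no message at all; a one-line notice such as `if (!conf->ocsp_enable && (conf->ocsp_url || conf->ocsp_override_url)) radlog(L_INFO, "OCSP url configured but enable = no, revocation checking is off");` placed before the new check would keep a silently disabled revocation check from going unnoticed. The body of eaptls_attach continues outside the hunk.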
index 9151542d8857b35a1090e237c72c8a9addb53056..49c8bc72ba70fe1bf07c5242ffa86fe31ccd7cc7 100644 (file)
@@ -74,7 +74,7 @@ typedef struct eap_tls_conf {
        /*
         * OCSP Configuration
         */
-       int             check_ocsp;
+       int             ocsp_enable;
        int             ocsp_override_url;
        char            *ocsp_url;
 #endif