From: Alan T. DeKok
Date: Thu, 10 Dec 2015 14:16:41 +0000 (-0500)
Subject: Added TLS-OCSP-Cert-Valid to 3.0
X-Git-Tag: release_3_0_11~96
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=221f0569d66fe2fe058584dd60b65e641d8aa91c;p=thirdparty%2Ffreeradius-server.git
Added TLS-OCSP-Cert-Valid to 3.0
Set by the TLS code. Not checked for anything.
---
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 09a824b903a..72793540149 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -531,6 +531,15 @@ ATTRIBUTE TLS-PSK-Identity 1933 string
 # 1934 - 1939: reserved for future cert attributes
+# 1940 - 1949: reserved for TLS session caching, mostly in 3.1
+
+# Set by EAP-TLS code
+ATTRIBUTE TLS-OCSP-Cert-Valid 1943 integer internal
+VALUE TLS-OCSP-Cert-Valid unknown 3
+VALUE TLS-OCSP-Cert-Valid skipped 2
+VALUE TLS-OCSP-Cert-Valid yes 1
+VALUE TLS-OCSP-Cert-Valid no 0
+
 #
 # Range: 1940-2099
 # Free
diff --git a/src/main/tls.c b/src/main/tls.c
index f435a70e463..5d2af7edc7d 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1456,6 +1456,7 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
 struct timeval now;
 struct timeval when;
 #endif
+ VALUE_PAIR *vp;
 /*
 * Create OCSP Request
@@ -1636,6 +1637,8 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
 switch (status) {
 case V_OCSP_CERTSTATUS_GOOD:
 RDEBUG2("ocsp: Cert status: good");
+ vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+ vp->vp_integer = 1; /* yes */
 ocsp_status = OCSP_STATUS_OK;
 break;
@@ -1670,6 +1673,8 @@ ocsp_end:
 case OCSP_STATUS_SKIPPED:
 skipped:
+ vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+ vp->vp_integer = 2; /* skipped */
 if (conf->ocsp_softfail) {
 RWDEBUG("ocsp: Unable to check certificate, assuming it's valid");
 RWDEBUG("ocsp: This may be insecure");
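Review bot: The added comment `# 1940 - 1949: reserved for TLS session caching, mostly in 3.1` is contradicted four lines later, where 1943 inside that same range is given to TLS-OCSP-Cert-Valid, an OCSP result rather than session-cache state, and the retained `Range: 1940-2099 / Free` comment at the end of the hunk is now stale as well. Rewording the comment to say what the range actually holds, e.g. `# 1940 - 1949: reserved for TLS session caching and OCSP results (mostly 3.1)`, and narrowing the free range to `1950-2099` would keep the two in agreement. The `unknown 3` value is also defined here while the tls.c hunks in this commit assign only 0, 1 and 2; if no code path produces 3, a one-line comment saying so (or naming the path that does) would save the next reader from hunting for it.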
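Review bot: `vp->vp_integer = 1;` dereferences the result of `pair_make_request()` without checking it for NULL; that helper can return NULL (for instance when the attribute is missing from the loaded dictionary or allocation fails), and a NULL here would crash the server from inside the certificate-verification callback. The same unchecked dereference is added in the `skipped:` hunk below and in the `default:` hunk of this function. A guard at each site, `if (vp) vp->vp_integer = 1; /* yes */`, or a small static helper that creates the pair and sets the value in one place, keeps a bookkeeping failure in the OCSP path from taking down the handshake. ocsp_check continues outside this hunk in both directions.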
@@ -1685,6 +1690,8 @@ ocsp_end:
 break;
 default:
+ vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+ vp->vp_integer = 0; /* no */
 REDEBUG("ocsp: Certificate has been expired/revoked");
 break;
 }
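Review bot: The `default:` arm records `0` (no) for every `ocsp_status` other than OK and SKIPPED, so an OCSP "unknown" response may reach policy as a definite "no", depending on how the earlier `switch (status)` outside this hunk maps `V_OCSP_CERTSTATUS_UNKNOWN`, even though the dictionary added in this commit defines a separate `unknown 3` value that none of the visible hunks ever assigns. If the unknown status does end up here, giving it its own arm that sets `vp->vp_integer = 3; /* unknown */` would let a policy tell "responder does not know" from "revoked", and the log text `Certificate has been expired/revoked` would then be accurate for what remains in `default:`. The enclosing switch and the rest of ocsp_check lie outside the hunk, so this is inferred from the visible arms only.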