From: Alan T. DeKok Date: Mon, 7 Dec 2015 16:38:18 +0000 (-0500) Subject: Added "skip verify if OCSP succeeds". Fixes #1426 X-Git-Tag: release_3_0_11~109 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31d6cc482a4212a5b4f105bf855983d8d0c21435;p=thirdparty%2Ffreeradius-server.git Added "skip verify if OCSP succeeds". Fixes #1426 --- diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 2ef6f008026..92c4c40765f 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -197,6 +197,8 @@ eap { # ca_file = ${cadir}/ca.pem + ca_file = foo + # OpenSSL will automatically create certificate chains, # unless we tell it to not do that. The problem is that # it sometimes gets the chains right from a certificate @@ -424,7 +426,18 @@ eap { # default configuration. Uncomment it, and configure # the correct paths below to enable it. # + # If OCSP checking is enabled, and the OCSP checks fail, + # the verify section is skipped. + # verify { + # If the OCSP checks succeed, the verify section + # is run to allow additional checks. + # + # If you want to skip verify on OCSP success, + # uncomment this configuration item, and set it + # to "yes". + # skip_if_ocsp_ok = no + # A temporary directory where the client # certificates are stored. This directory # MUST be owned by the UID of the server, diff --git a/src/include/tls-h b/src/include/tls-h index 1f46e633d6b..db2c543314c 100644 --- a/src/include/tls-h +++ b/src/include/tls-h @@ -369,6 +369,7 @@ struct fr_tls_server_conf_t { char session_context_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; time_t session_last_flushed; + bool verify_skip_if_ocsp_ok; char const *verify_tmp_dir; char const *verify_client_cert_cmd; bool require_client_cert; diff --git a/src/main/tls.c b/src/main/tls.c index 62066b5de0e..af2e7f679f0 100644 --- a/src/main/tls.c +++ b/src/main/tls.c 
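Review bot: The first hunk of raddb/mods-available/eap adds `ca_file = foo` as a live, uncommented setting right below the commented-out example `# ca_file = ${cadir}/ca.pem`, so every installation shipping this default file would have its trusted-CA path set to a file named foo. It looks like a debugging leftover unrelated to the OCSP option this commit introduces, and it is not mentioned in the commit message. Drop the two added lines of that hunk (`ca_file = foo` and the blank line after it) so the shipped default keeps ca_file commented out as before.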
@@ -991,6 +991,7 @@ static CONF_PARSER cache_config[] = {
 };
 
 static CONF_PARSER verify_config[] = {
+	{ "skip_if_ocsp_ok", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, verify_skip_if_ocsp_ok), "no" },
 	{ "tmpdir", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, verify_tmp_dir), NULL },
 	{ "client", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, verify_client_cert_cmd), NULL },
 	CONF_PARSER_TERMINATOR
@@ -2074,8 +2075,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 	 *	If OCSP checks fail, don't run the verify
 	 *	command. The user will be rejected no matter
 	 *	what, so we might as well do less work.
+	 *
+	 *	If OCSP checks succeed, we may want to skip the verify section.
 	 */
-	if (my_ok) while (conf->verify_client_cert_cmd) {
+	if (my_ok
+#ifdef HAVE_OPENSSL_OCSP_H
+	    && conf->ocsp_enable && (conf->verify_skip_if_ocsp_ok) && (my_ok == 1)
+#endif
+	    ) while (conf->verify_client_cert_cmd) {
 		char filename[256];
 		int fd;
 		FILE *fp;
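Review bot: The rewritten condition in cbtls_verify stops the verify command from running under the default configuration: with `skip_if_ocsp_ok = no`, `conf->verify_skip_if_ocsp_ok` is false, so the whole `&&` chain is false and `verify_client_cert_cmd` is never executed, while setting the option to yes becomes the only case in which the command still runs, which is the reverse of what the comment above it and the eap config text describe. The skip has to be a negated sub-condition, `&& !(conf->ocsp_enable && conf->verify_skip_if_ocsp_ok && (my_ok == 1))`, so that `my_ok` alone gates the command whenever OCSP is disabled or did not report success. Whether `my_ok == 1` is the value meaning the OCSP check actually succeeded rather than was skipped cannot be seen in this hunk; if the OCSP check returns named status values, the comparison should use that name instead of a bare 1. Since the verify command is an additional client-certificate check that would now be dropped silently, a test that runs it with OCSP disabled would have caught this. cbtls_verify begins and continues outside the hunk.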