From: Matthew Newton
Date: Mon, 23 Jan 2012 12:48:49 +0000 (+0100)
Subject: Add OCSP softfail option
X-Git-Tag: release_3_0_0_beta0~393
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42074e8befdcdf8d1bf99a5f427d78cf07aeb289;p=thirdparty%2Ffreeradius-server.git

Add OCSP softfail option

Manual pull of commit 5fedd50c4af05164a
---

diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 0e767d84368..26a7f43ad8a 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -465,6 +465,22 @@
 # for OCSP response. 0 uses system default.
 #
 # timeout = 0
+
+ #
+ # Normally an error in querying the OCSP
+ # responder (no response from server, server did
+ # not understand the request, etc) will result in
+ # a validation failure.
+ #
+ # To treat these errors as 'soft' failures and
+ # still accept the certificate, enable this
+ # option.
+ #
+ # Warning: this may enable clients with revoked
+ # certificates to connect if the OCSP responder
+ # is not available. Use with caution.
+ #
+ # softfail = no
 }
 }
 
diff --git a/src/include/tls.h b/src/include/tls.h
index 2b86902f7ab..ffac65ff2df 100644
--- a/src/include/tls.h
+++ b/src/include/tls.h
@@ -377,6 +377,7 @@ struct fr_tls_server_conf_t {
 int ocsp_use_nonce;
 X509_STORE *ocsp_store;
 int ocsp_timeout;
+ int ocsp_softfail;
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
diff --git a/src/main/tls.c b/src/main/tls.c
index de0c428ff08..9fc2c3d4262 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -783,6 +783,8 @@ static CONF_PARSER ocsp_config[] = {
 offsetof(fr_tls_server_conf_t, ocsp_use_nonce), NULL, "yes"},
 { "timeout", PW_TYPE_INTEGER,
 offsetof(fr_tls_server_conf_t, ocsp_timeout), NULL, "yes"},
+ { "softfail", PW_TYPE_BOOLEAN,
+ offsetof(fr_tls_server_conf_t, ocsp_softfail), NULL, "yes"},
 { NULL, -1, 0, NULL, NULL } /* end the list */
 };
 #endif
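Review bot: The comment does not say what a 'soft' failure leaves untouched, and an operator weighing this option needs that: as far as the src/main/tls.c hunks of this commit show, only failures to obtain a response (cannot connect, cannot send the request, timeout, no response) are downgraded, while a response that reports the certificate as revoked still rejects it. I would add, after the 'Use with caution.' line, `# A response saying the certificate is revoked is always a hard failure; softfail only covers failing to get a response at all.` Whether the 'server did not understand the request' case mentioned here (an OCSP response carrying an error status) is also treated as soft is decided outside the hunks shown, so that phrase should be confirmed against the code before it is kept. The documented default `softfail = no` must also agree with the default string of the matching CONF_PARSER entry in src/main/tls.c, which this commit sets to "yes"; one of the two has to change.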
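Review bot: The new `softfail` entry is given the default string `"yes"`, so with `PW_TYPE_BOOLEAN` a configuration that never mentions the option gets soft-fail enabled, and every deployment that leaves it unset silently accepts certificates whenever the OCSP responder cannot be reached. The raddb/mods-available/eap hunk in this same commit documents the default as `softfail = no`, and failing open is not a reasonable default for a revocation check, so the parser entry should read `offsetof(fr_tls_server_conf_t, ocsp_softfail), NULL, "no"},`. The `"yes"` presumably came from copying the `timeout` entry above it, whose default string is also `"yes"` despite being an integer; that line is pre-existing context, but it is worth a look while here.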
@@ -1113,12 +1115,14 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 rc = BIO_do_connect(cbio);
 if ((rc <= 0) && ((!conf->ocsp_timeout) || !BIO_should_retry(cbio))) {
 radlog(L_ERR, "Error: Couldn't connect to OCSP responder");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
 ctx = OCSP_sendreq_new(cbio, path, req, -1);
 if (!ctx) {
 radlog(L_ERR, "Error: Couldn't send OCSP request");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
@@ -1136,6 +1140,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 
 if (conf->ocsp_timeout && (rc == -1) && BIO_should_retry(cbio)) {
 radlog(L_ERR, "Error: OCSP response timed out");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
@@ -1143,6 +1148,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 
 if (rc == 0) {
 radlog(L_ERR, "Error: Couldn't get OCSP response");
+ ocsp_ok = 2;
 goto ocsp_end;
 }
 
@@ -1209,10 +1215,23 @@ ocsp_end:
 BIO_free_all(cbio);
 OCSP_BASICRESP_free(bresp);
 
- if (ocsp_ok) {
+ switch (ocsp_ok) {
+ case 1:
 DEBUG2("[ocsp] --> Certificate is valid!");
- } else {
+ break;
+ case 2:
+ if (conf->ocsp_softfail) {
+ DEBUG2("[ocsp] --> Unable to check certificate; assuming valid.");
+ DEBUG2("[ocsp] --> Warning! This may be insecure.");
+ ocsp_ok = 1;
+ } else {
+ DEBUG2("[ocsp] --> Unable to check certificate; failing!");
+ ocsp_ok = 0;
+ }
+ break;
+ default:
 DEBUG2("[ocsp] --> Certificate has been expired/revoked!");
+ break;
 }
 
 return ocsp_ok;
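Review bot: `ocsp_ok = 2;` here and at the three other sites this commit adds turns what was a 0/1 flag into a three-state code without naming the states, so a reader has to find the switch at ocsp_end to learn that 2 means 'could not query the responder'. Naming the values, e.g. `enum { OCSP_CHECK_FAILED = 0, OCSP_CHECK_OK = 1, OCSP_CHECK_SKIPPED = 2 };` at file scope next to ocsp_config, and writing `ocsp_ok = OCSP_CHECK_SKIPPED;` at each site and in the `case` labels, would make the intent visible where the value is set. Separately, `OCSP_sendreq_new()` returning NULL is, as far as I know, a local failure (allocation or BIO setup) rather than anything the responder did, so marking it as a soft failure is questionable, though it only matters when softfail is on. ocsp_check begins before this hunk.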
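Review bot: The soft-fail acceptance in `case 2:` is logged only with DEBUG2, which is not emitted in normal operation, so a production server that is silently admitting unverified certificates because its OCSP responder is down leaves no trace in the log. The failure sites earlier in ocsp_check already use `radlog(L_ERR, ...)`, so the acceptance deserves at least that visibility, e.g. `radlog(L_ERR, "[ocsp] --> Unable to check certificate; accepting because softfail is enabled");` in place of the two DEBUG2 calls (use the project's warning level if this tree has one; I cannot see that from here). Once `ocsp_ok = 1` is assigned, the caller receives the same value as for a genuine 'good' response, so nothing downstream can distinguish a verified certificate from an assumed one; the caller is outside the hunk, so I cannot tell whether returning the unchanged 2 and having the caller accept any non-zero would be safe, but it is worth checking. The `default:` label now also catches any value other than 0, 1 and 2 and reports it as revoked, which is the safe direction; a comment such as `/* 0, or anything unexpected: reject the certificate */` would make that intent explicit.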