From: Arran Cudbard-Bell Date: Thu, 17 Jun 2021 20:46:38 +0000 (-0500) Subject: Remove all OCSP code from the TLS library X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=427b9ec5d0cb29b95b2bab05620836bae46bcd7f;p=thirdparty%2Ffreeradius-server.git Remove all OCSP code from the TLS library This will be added back as a module at some point in the future --- diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap index 80ef6e051d2..0f77bbe2cf4 100644 --- a/raddb/mods-available/eap +++ b/raddb/mods-available/eap @@ -696,232 +696,6 @@ eap { # ==== # } - - # - # ### OCSP Configuration - # - # Certificates can be verified against an OCSP Responder. - # This makes it possible to immediately revoke certificates without - # the distribution of new Certificate Revocation Lists (CRLs). - # - # In addition to the configuration items below, the behaviour of - # OCSP can be altered by runtime attributes. - # - # If OCSP is enabled, the `&reply.TLS-OCSP-Cert-Valid` attribute will - # be added after OCSP completes. One of the following values will - # be set: - # - # [options="header,autowidth"] - # |=== - # | Value | Description - # | no | OCSP responder indicated the certificate is not valid. - # | yes | OCSP responder indicated the certificate is valid. - # | skipped | OCSP checks were skipped. - # |=== - # - # If an OCSP check is performed, the `&reply.TLS-OCSP-Next-Update` - # attribute will also be added. The value of this will attribute - # be the number of seconds until the certificate state need be refreshed. - # This can be used as a `Cache-TTL` value if you wish to use the cache - # module to store OCSP certificate validation status. - # - # If when the OCSP check is performed, a `&control.TLS-OCSP-Cert-Valid` - # attribute is present, its value will force the outcome of the OCSP - # check, and the OCSP responder will not be contacted. - # Values map to the following OCSP responses: - # - # [options="header,autowidth"] - # |=== - # | Value | Description - # | no | Invalid. - # | yes | Valid. - # | skipped | If `softfail = yes` value else invalid. - # |=== - # - ocsp { - # - # enable:: - # - # Deleting the entire `ocsp` subsection also disables ocsp checking. - # - # Default is `no`. - # -# enable = no - - # - # virtual_server:: - # - # OCSP checks are performed immediately after the - # complete certificate is received from the supplicant, - # and directly after the attributes from that - # certificate are inserted into the request. - # - # In order to retrieve cached OCSP states, a virtual - # server must be defined here. - # - # See `raddb/sites-available/tls-cache` for details. - # -# virtual_server = 'tls-cache' - - # - # override_cert_url:: - # - # The OCSP Responder URL can be automatically extracted - # from the certificate in question. To override the - # OCSP Responder URL set `override_cert_url = yes`. - # - override_cert_url = yes - - # - # url:: - # - # If the OCSP Responder address is not extracted from - # the certificate, the URL can be defined here. - # - url = "http://127.0.0.1/ocsp/" - - # - # use_nonce:: - # - # If the OCSP Responder can not cope with nonce in the - # request, then it can be disabled here. - # - # [WARNING] - # ==== - # * For security reasons, disabling this option is not - # recommended as nonce protects against replay attacks. - # - # * Microsoft AD Certificate Services OCSP - # Responder does not enable nonce by default. It is more - # secure to enable nonce on the responder than to - # disable it in the query here. - # - # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx - # ==== - # -# use_nonce = yes - - # - # timeout:: - # - # Number of seconds before giving up waiting for OCSP - # response. - # - # Default is `0`. - # -# timeout = 0 - - # - # softfail:: - # - # Normally an error in querying the OCSP responder (no - # response from server, server did not understand the - # request, etc) will result in a validation failure. - # - # To treat these errors as `soft` failures and still - # accept the certificate, enable this option. - # - # WARNING: this may enable clients with revoked - # certificates to connect if the OCSP responder is not - # available. *Use with caution*. - # -# softfail = no - } - - # - # ### OCSP stapling for server certificates - # - # If requested, we query either the server listed below (as url), - # or the one specified in our server certificate, to retrieve an - # OCSP response to pass back to the TLS client. - # - # staple { ... }:: - # - # This allows TLS clients to check for certificate revocation before - # divulging credentials to a (possibly rogue) server, that may be - # presenting a compromised certificate. - # - staple { - # - # enable:: - # - # Enable it. Deleting the entire `ocsp` subsection also disables ocsp checking. - # - # Default is `no`. - # -# enable = no - - # - # virtual_server:: - # - # OCSP checks are performed whenever a TLS client includes - # an OCSP stapling extension. - # - # In order to retrieve cached OCSP staples, a virtual - # server must be defined here. - # - # The same virtual server can be used for caching - # client OCSP response states, and stapling information. - # - # See `raddb/sites-available/tls-cache` for details. - # -# virtual_server = 'tls-cache' - - # - # override_cert_url:: - # - # The OCSP Responder URL can be automatically extracted - # from the certificate in question. To override the - # OCSP Responder URL set `override_cert_url = yes`. - # - override_cert_url = yes - - # - # url:: - # - # If the OCSP Responder address is not extracted from - # the certificate, the URL can be defined here. - # - url = "http://127.0.0.1/ocsp/" - - # - # use_nonce:: - # - # If the OCSP Responder can not cope with nonce in the - # request, then it can be disabled here. - # - # [WARNING] - # ==== - # * For security reasons, disabling this option is not - # recommended as nonce protects against replay attacks. - # - # * Microsoft AD Certificate Services OCSP - # Responder does not enable nonce by default. It is more - # secure to enable nonce on the responder than to - # disable it in the query here. See - # http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx - # ==== - # -# use_nonce = yes - - # - # Number of seconds before giving up waiting for OCSP - # response. - # - # Default is `0`. - # -# timeout = 0 - - # - # softfail:: - # - # Normally if we can't query the OCSP Responder - # we issue a fatal alert, and abort. Set this to `true` - # to allow the session to continue without an OCSP - # stapling response being sent to the TLS client. - # -# softfail = no - } } # diff --git a/src/lib/eap/tls.c b/src/lib/eap/tls.c index 33e1d7f2314..087ae883ed8 100644 --- a/src/lib/eap/tls.c +++ b/src/lib/eap/tls.c @@ -1208,9 +1208,6 @@ eap_tls_session_t *eap_tls_session_init(request_t *request, eap_session_t *eap_s SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session); SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf); SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_IDENTITY, (void *)&(eap_session->identity)); -#ifdef HAVE_OPENSSL_OCSP_H - SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp.store); -#endif return eap_tls_session; } diff --git a/src/lib/tls/all.mk b/src/lib/tls/all.mk index 2910cabb621..0a4354e6fe8 100644 --- a/src/lib/tls/all.mk +++ b/src/lib/tls/all.mk @@ -11,7 +11,6 @@ SOURCES := \ ctx.c \ engine.c \ log.c \ - ocsp.c \ pairs.c \ session.c \ utils.c \ diff --git a/src/lib/tls/base-h b/src/lib/tls/base-h index 46d82c63831..b3dc63bf87f 100644 --- a/src/lib/tls/base-h +++ b/src/lib/tls/base-h @@ -180,19 +180,6 @@ void fr_openssl_free(void); int fr_tls_dict_init(void); -/* - * tls/ocsp.c - */ -int fr_tls_ocsp_staple_cb(SSL *ssl, void *data); - -int fr_tls_ocsp_check(request_t *request, SSL *ssl, - X509_STORE *store, X509 *issuer_cert, X509 *client_cert, - fr_tls_ocsp_conf_t *conf, bool staple_response); - -int fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs); - -int fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs); - /* * tls/utils.c */ diff --git a/src/lib/tls/conf-h b/src/lib/tls/conf-h index 0a999fe97a2..7df49723a62 100644 --- a/src/lib/tls/conf-h +++ b/src/lib/tls/conf-h @@ -32,27 +32,6 @@ RCSIDH(conf_h, "$Id$") extern "C" { #endif -#ifdef HAVE_OPENSSL_OCSP_H -/** OCSP Configuration - * - */ -typedef struct { - bool enable; //!< Enable OCSP checks - char const *cache_server; //!< Virtual server to restore retrieved OCSP status. - bool override_url; //!< Always use the configured OCSP URL even if the - //!< certificate contains one. - char const *url; - bool use_nonce; - X509_STORE *store; - uint32_t timeout; - bool softfail; - - - fr_tls_cache_t cache; //!< Cached cache section pointers. Means we don't have - ///< to look them up at runtime. -} fr_tls_ocsp_conf_t; -#endif - /** Different chain building modes * */ @@ -163,13 +142,6 @@ struct fr_tls_conf_s { bool require_client_cert; -#ifdef HAVE_OPENSSL_OCSP_H - fr_tls_ocsp_conf_t ocsp; //!< Configuration for validating client certificates - //!< with ocsp. - fr_tls_ocsp_conf_t staple; //!< Configuration for validating server certificates - //!< with ocsp. -#endif - #ifndef OPENSSL_NO_ECDH char const *ecdh_curve; #endif diff --git a/src/lib/tls/conf.c b/src/lib/tls/conf.c index 4a665df1f20..2f93fd741ad 100644 --- a/src/lib/tls/conf.c +++ b/src/lib/tls/conf.c @@ -187,11 +187,7 @@ CONF_PARSER fr_tls_server_config[] = { { FR_CONF_OFFSET("cache", FR_TYPE_SUBSECTION, fr_tls_conf_t, cache), .subcs = (void const *) cache_config }, -#ifdef HAVE_OPENSSL_OCSP_H - { FR_CONF_OFFSET("ocsp", FR_TYPE_SUBSECTION, fr_tls_conf_t, ocsp), .subcs = (void const *) ocsp_config }, - - { FR_CONF_OFFSET("staple", FR_TYPE_SUBSECTION, fr_tls_conf_t, staple), .subcs = (void const *) ocsp_config }, -#endif + { FR_CONF_DEPRECATED("verify", FR_TYPE_SUBSECTION, fr_tls_conf_t, NULL) }, CONF_PARSER_TERMINATOR }; @@ -327,22 +323,9 @@ static X509_STORE *conf_ocsp_revocation_store(fr_tls_conf_t *conf) * added to automatically free the data when the CONF_SECTION * is freed. */ -static int _conf_server_free( -#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG) - UNUSED -#endif - fr_tls_conf_t *conf) +static int _conf_server_free(fr_tls_conf_t *conf) { -#ifdef HAVE_OPENSSL_OCSP_H - if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store); - conf->ocsp.store = NULL; - if (conf->staple.store) X509_STORE_free(conf->staple.store); - conf->staple.store = NULL; -#endif - -#ifndef NDEBUG memset(conf, 0, sizeof(*conf)); -#endif return 0; } @@ -397,28 +380,6 @@ fr_tls_conf_t *fr_tls_conf_parse_server(CONF_SECTION *cs) if (conf_cert_admin_password(conf) < 0) goto error; #endif -#ifdef HAVE_OPENSSL_OCSP_H - /* - * @fixme: This is all pretty terrible. - * The stores initialized here are for validating - * OCSP responses. They have nothing to do with - * verifying other certificates. - */ - - /* - * Initialize OCSP Revocation Store - */ - if (conf->ocsp.enable) { - conf->ocsp.store = conf_ocsp_revocation_store(conf); - if (conf->ocsp.store == NULL) goto error; - } - - if (conf->staple.enable) { - conf->staple.store = conf_ocsp_revocation_store(conf); - if (conf->staple.store == NULL) goto error; - } -#endif /*HAVE_OPENSSL_OCSP_H*/ - /* * Ensure our virtual server contains the * correct sections for the specified @@ -501,32 +462,6 @@ fr_tls_conf_t *fr_tls_conf_parse_server(CONF_SECTION *cs) fr_rand_buffer(conf->cache.session_ticket_key_rand, sizeof(conf->cache.session_ticket_key_rand)); } -#ifdef HAVE_OPENSSL_OCSP_H - if (conf->ocsp.cache_server) { - CONF_SECTION *server_cs; - - server_cs = virtual_server_find(conf->ocsp.cache_server); - if (!server_cs) { - ERROR("No such virtual server '%s'", conf->ocsp.cache_server); - goto error; - } - - if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, server_cs) < 0) goto error; - } - - if (conf->staple.cache_server) { - CONF_SECTION *server_cs; - - server_cs = virtual_server_find(conf->staple.cache_server); - if (!server_cs) { - ERROR("No such virtual server '%s'", conf->staple.cache_server); - goto error; - } - - if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, server_cs) < 0) goto error; - } -#endif - /* * Cache conf in cs in case we're asked to parse this again. */ diff --git a/src/lib/tls/validate.c b/src/lib/tls/validate.c index de46fd5848d..785349c5c25 100644 --- a/src/lib/tls/validate.c +++ b/src/lib/tls/validate.c @@ -268,29 +268,6 @@ int fr_tls_validate_cert_cb(int ok, X509_STORE_CTX *x509_ctx) } } /* check_cert_cn */ -#ifdef HAVE_OPENSSL_OCSP_H - /* - * Do OCSP last, so we have the complete set of attributes - * available for the virtual server. - * - * Fixme: Do we want to store the matching TLS-Client-cert-Filename? - */ - if (my_ok && conf->ocsp.enable){ - X509 *issuer_cert; - - RDEBUG2("Starting OCSP Request"); - - /* - * If we don't have an issuer, then we can't send - * and OCSP request, but pass the NULL issuer in - * so fr_tls_ocsp_check can decide on the correct - * return code. - */ - issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx); - my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false); - } -#endif - /* * If we have a client certificate, cache whether or not * we validated it. diff --git a/src/modules/rlm_ocsp/conf.c b/src/modules/rlm_ocsp/conf.c new file mode 100644 index 00000000000..8a1a6415a6b --- /dev/null +++ b/src/modules/rlm_ocsp/conf.c @@ -0,0 +1,102 @@ +#ifdef HAVE_OPENSSL_OCSP_H + { FR_CONF_OFFSET("ocsp", FR_TYPE_SUBSECTION, fr_tls_conf_t, ocsp), .subcs = (void const *) ocsp_config }, + + { FR_CONF_OFFSET("staple", FR_TYPE_SUBSECTION, fr_tls_conf_t, staple), .subcs = (void const *) ocsp_config }, +#endif + +#ifdef HAVE_OPENSSL_OCSP_H + if (conf->ocsp.cache_server) { + CONF_SECTION *server_cs; + + server_cs = virtual_server_find(conf->ocsp.cache_server); + if (!server_cs) { + ERROR("No such virtual server '%s'", conf->ocsp.cache_server); + goto error; + } + + if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, server_cs) < 0) goto error; + } + + if (conf->staple.cache_server) { + CONF_SECTION *server_cs; + + server_cs = virtual_server_find(conf->staple.cache_server); + if (!server_cs) { + ERROR("No such virtual server '%s'", conf->staple.cache_server); + goto error; + } + + if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, server_cs) < 0) goto error; + } +#endif + +#ifdef HAVE_OPENSSL_OCSP_H + /* + * @fixme: This is all pretty terrible. + * The stores initialized here are for validating + * OCSP responses. They have nothing to do with + * verifying other certificates. + */ + + /* + * Initialize OCSP Revocation Store + */ + if (conf->ocsp.enable) { + conf->ocsp.store = conf_ocsp_revocation_store(conf); + if (conf->ocsp.store == NULL) goto error; + } + + if (conf->staple.enable) { + conf->staple.store = conf_ocsp_revocation_store(conf); + if (conf->staple.store == NULL) goto error; + } +#endif /*HAVE_OPENSSL_OCSP_H*/ + + +static int _conf_server_free( +#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG) + UNUSED +#endif + fr_tls_conf_t *conf) +{ +#ifdef HAVE_OPENSSL_OCSP_H + if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store); + conf->ocsp.store = NULL; + if (conf->staple.store) X509_STORE_free(conf->staple.store); + conf->staple.store = NULL; +#endif + +#ifndef NDEBUG + memset(conf, 0, sizeof(*conf)); +#endif + return 0; +} + +/* Session init */ +#ifdef HAVE_OPENSSL_OCSP_H + SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp.store); +#endif + +/* Validation checks */ +#ifdef HAVE_OPENSSL_OCSP_H + /* + * Do OCSP last, so we have the complete set of attributes + * available for the virtual server. + * + * Fixme: Do we want to store the matching TLS-Client-cert-Filename? + */ + if (my_ok && conf->ocsp.enable){ + X509 *issuer_cert; + + RDEBUG2("Starting OCSP Request"); + + /* + * If we don't have an issuer, then we can't send + * and OCSP request, but pass the NULL issuer in + * so fr_tls_ocsp_check can decide on the correct + * return code. + */ + issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx); + my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false); + } +#endif diff --git a/src/modules/rlm_ocsp/ocsp b/src/modules/rlm_ocsp/ocsp new file mode 100644 index 00000000000..695af7c3157 --- /dev/null +++ b/src/modules/rlm_ocsp/ocsp @@ -0,0 +1,227 @@ + + + # + # ### OCSP Configuration + # + # Certificates can be verified against an OCSP Responder. + # This makes it possible to immediately revoke certificates without + # the distribution of new Certificate Revocation Lists (CRLs). + # + # In addition to the configuration items below, the behaviour of + # OCSP can be altered by runtime attributes. + # + # If OCSP is enabled, the `&reply.TLS-OCSP-Cert-Valid` attribute will + # be added after OCSP completes. One of the following values will + # be set: + # + # [options="header,autowidth"] + # |=== + # | Value | Description + # | no | OCSP responder indicated the certificate is not valid. + # | yes | OCSP responder indicated the certificate is valid. + # | skipped | OCSP checks were skipped. + # |=== + # + # If an OCSP check is performed, the `&reply.TLS-OCSP-Next-Update` + # attribute will also be added. The value of this will attribute + # be the number of seconds until the certificate state need be refreshed. + # This can be used as a `Cache-TTL` value if you wish to use the cache + # module to store OCSP certificate validation status. + # + # If when the OCSP check is performed, a `&control.TLS-OCSP-Cert-Valid` + # attribute is present, its value will force the outcome of the OCSP + # check, and the OCSP responder will not be contacted. + # Values map to the following OCSP responses: + # + # [options="header,autowidth"] + # |=== + # | Value | Description + # | no | Invalid. + # | yes | Valid. + # | skipped | If `softfail = yes` value else invalid. + # |=== + # + ocsp { + # + # enable:: + # + # Deleting the entire `ocsp` subsection also disables ocsp checking. + # + # Default is `no`. + # +# enable = no + + # + # virtual_server:: + # + # OCSP checks are performed immediately after the + # complete certificate is received from the supplicant, + # and directly after the attributes from that + # certificate are inserted into the request. + # + # In order to retrieve cached OCSP states, a virtual + # server must be defined here. + # + # See `raddb/sites-available/tls-cache` for details. + # +# virtual_server = 'tls-cache' + + # + # override_cert_url:: + # + # The OCSP Responder URL can be automatically extracted + # from the certificate in question. To override the + # OCSP Responder URL set `override_cert_url = yes`. + # + override_cert_url = yes + + # + # url:: + # + # If the OCSP Responder address is not extracted from + # the certificate, the URL can be defined here. + # + url = "http://127.0.0.1/ocsp/" + + # + # use_nonce:: + # + # If the OCSP Responder can not cope with nonce in the + # request, then it can be disabled here. + # + # [WARNING] + # ==== + # * For security reasons, disabling this option is not + # recommended as nonce protects against replay attacks. + # + # * Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. It is more + # secure to enable nonce on the responder than to + # disable it in the query here. + # + # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # ==== + # +# use_nonce = yes + + # + # timeout:: + # + # Number of seconds before giving up waiting for OCSP + # response. + # + # Default is `0`. + # +# timeout = 0 + + # + # softfail:: + # + # Normally an error in querying the OCSP responder (no + # response from server, server did not understand the + # request, etc) will result in a validation failure. + # + # To treat these errors as `soft` failures and still + # accept the certificate, enable this option. + # + # WARNING: this may enable clients with revoked + # certificates to connect if the OCSP responder is not + # available. *Use with caution*. + # +# softfail = no + } + + # + # ### OCSP stapling for server certificates + # + # If requested, we query either the server listed below (as url), + # or the one specified in our server certificate, to retrieve an + # OCSP response to pass back to the TLS client. + # + # staple { ... }:: + # + # This allows TLS clients to check for certificate revocation before + # divulging credentials to a (possibly rogue) server, that may be + # presenting a compromised certificate. + # + staple { + # + # enable:: + # + # Enable it. Deleting the entire `ocsp` subsection also disables ocsp checking. + # + # Default is `no`. + # +# enable = no + + # + # virtual_server:: + # + # OCSP checks are performed whenever a TLS client includes + # an OCSP stapling extension. + # + # In order to retrieve cached OCSP staples, a virtual + # server must be defined here. + # + # The same virtual server can be used for caching + # client OCSP response states, and stapling information. + # + # See `raddb/sites-available/tls-cache` for details. + # +# virtual_server = 'tls-cache' + + # + # override_cert_url:: + # + # The OCSP Responder URL can be automatically extracted + # from the certificate in question. To override the + # OCSP Responder URL set `override_cert_url = yes`. + # + override_cert_url = yes + + # + # url:: + # + # If the OCSP Responder address is not extracted from + # the certificate, the URL can be defined here. + # + url = "http://127.0.0.1/ocsp/" + + # + # use_nonce:: + # + # If the OCSP Responder can not cope with nonce in the + # request, then it can be disabled here. + # + # [WARNING] + # ==== + # * For security reasons, disabling this option is not + # recommended as nonce protects against replay attacks. + # + # * Microsoft AD Certificate Services OCSP + # Responder does not enable nonce by default. It is more + # secure to enable nonce on the responder than to + # disable it in the query here. See + # http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx + # ==== + # +# use_nonce = yes + + # + # Number of seconds before giving up waiting for OCSP + # response. + # + # Default is `0`. + # +# timeout = 0 + + # + # softfail:: + # + # Normally if we can't query the OCSP Responder + # we issue a fatal alert, and abort. Set this to `true` + # to allow the session to continue without an OCSP + # stapling response being sent to the TLS client. + # +# softfail = no + } diff --git a/src/lib/tls/ocsp.c b/src/modules/rlm_ocsp/ocsp.c similarity index 100% rename from src/lib/tls/ocsp.c rename to src/modules/rlm_ocsp/ocsp.c diff --git a/src/modules/rlm_ocsp/ocsp.h b/src/modules/rlm_ocsp/ocsp.h new file mode 100644 index 00000000000..b69e16bb2fc --- /dev/null +++ b/src/modules/rlm_ocsp/ocsp.h @@ -0,0 +1,38 @@ +/** OCSP Configuration + * + */ +typedef struct { + bool enable; //!< Enable OCSP checks + char const *cache_server; //!< Virtual server to restore retrieved OCSP status. + bool override_url; //!< Always use the configured OCSP URL even if the + //!< certificate contains one. + char const *url; + bool use_nonce; + X509_STORE *store; + uint32_t timeout; + bool softfail; + + + fr_tls_cache_t cache; //!< Cached cache section pointers. Means we don't have + ///< to look them up at runtime. +} fr_tls_ocsp_conf_t; + +#ifdef HAVE_OPENSSL_OCSP_H + fr_tls_ocsp_conf_t ocsp; //!< Configuration for validating client certificates + //!< with ocsp. + fr_tls_ocsp_conf_t staple; //!< Configuration for validating server certificates + //!< with ocsp. +#endif + +/* + * tls/ocsp.c + */ +int fr_tls_ocsp_staple_cb(SSL *ssl, void *data); + +int fr_tls_ocsp_check(request_t *request, SSL *ssl, + X509_STORE *store, X509 *issuer_cert, X509 *client_cert, + fr_tls_ocsp_conf_t *conf, bool staple_response); + +int fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs); + +int fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);