From: Alan T. DeKok
Date: Mon, 22 Jun 2015 19:27:10 +0000 (-0400)
Subject: Set X509_V_FLAG_CRL_CHECK_ALL
X-Git-Tag: release_3_0_9~98
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=874b39451702338389260edbfc52b381b20352ec;p=thirdparty%2Ffreeradius-server.git
Set X509_V_FLAG_CRL_CHECK_ALL
---
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 165971aff60..10026ec7151 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -269,9 +269,13 @@ eap {
 # 1) Copy CA certificates and CRLs to same directory.
 # 2) Execute 'c_rehash '.
 # 'c_rehash' is OpenSSL's command.
- # 3) uncomment the line below.
+ # 3) uncomment the lines below.
 # 5) Restart radiusd
 # check_crl = yes
+
+ # Check if intermediate CAs have been revoked.
+ # check_all_crl = yes
+
 ca_path = ${cadir}
 #
diff --git a/src/include/tls-h b/src/include/tls-h
index 9fdc775fa06..a41c6f5abfc 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -347,6 +347,7 @@ struct fr_tls_server_conf_t {
 */
 uint32_t fragment_size;
 bool check_crl;
+ bool check_all_crl;
 bool allow_expired_crl;
 char const *check_cert_cn;
 char const *cipher_list;
diff --git a/src/main/tls.c b/src/main/tls.c
index 692651fa599..9df48b4c445 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
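Review bot: The new comment `# Check if intermediate CAs have been revoked.` does not tell the operator what enabling check_all_crl demands of ca_path: with X509_V_FLAG_CRL_CHECK_ALL OpenSSL looks up a CRL for every certificate in the chain, not just the client certificate, so a current, c_rehash'ed CRL must be present for each intermediate (and, by my reading of OpenSSL's check_revocation, for the root as well) or every EAP-TLS client fails verification with "unable to get certificate CRL". It should also say that the option is only meaningful together with check_crl, since CRL checking is gated on that flag. Suggested wording: `# Check if intermediate CAs have been revoked. Requires check_crl = yes, and a CRL for every CA in the chain must exist in ca_path, otherwise all clients fail verification.`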
@@ -999,6 +999,9 @@ static CONF_PARSER tls_server_config[] = {
 { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
 { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
 { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+ { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
+#endif
 { "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL },
 { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL },
 { "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL },
@@ -2103,6 +2106,10 @@ static X509_STORE *init_revocation_store(fr_tls_server_conf_t *conf)
 #ifdef X509_V_FLAG_CRL_CHECK
 if (conf->check_crl)
 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+#endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+ if (conf->check_all_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
 #endif
 return store;
 }
@@ -2591,6 +2598,11 @@ post_ca:
 return NULL;
 }
 X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+ if (conf->check_all_crl)
+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
 }
 #endif
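Review bot: Wrapping the new CONF_PARSER entry in `#ifdef X509_V_FLAG_CRL_CHECK_ALL` makes `check_all_crl = yes` an unrecognised item on an OpenSSL build that lacks the flag, while the `check_all_crl` field itself is declared unconditionally in tls-h; I expect the parser only warns about unknown items, so an operator who believes intermediate CRLs are being enforced gets no enforcement and no error. Consider keeping the parser entry unconditional and, in the `#else` branch of the later guards, logging an explicit error such as `ERROR("check_all_crl is not supported by this OpenSSL build");` and failing tls_server_conf_parse, so the option cannot silently degrade to no checking. The tls_server_config array starts before this hunk.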
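Review bot: In init_revocation_store the added `if (conf->check_all_crl)` sets X509_V_FLAG_CRL_CHECK_ALL independently of `conf->check_crl`, but OpenSSL's check_revocation returns success immediately unless X509_V_FLAG_CRL_CHECK is also set, so `check_all_crl = yes` with `check_crl = no` performs no CRL checking at all and does so silently. Either set both bits, `X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);`, or reject the combination at config parse time with an error; the third hunk already places the same call inside the check_crl branch, so the two stores currently disagree. The body of init_revocation_store begins outside the hunk.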
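Review bot: The flag-setting sequence added here after `X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);` is now a second copy of the logic in init_revocation_store, with the two copies already differing on whether check_all_crl depends on check_crl. A small static helper that takes the X509_STORE and the conf and applies the CRL flags in one place would keep the certstore and revocation-store paths from drifting apart. The enclosing `if (conf->check_crl) {` block is inferred from the context lines and starts outside the hunk.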