From: Alan T. DeKok Date: Mon, 22 Nov 2010 15:40:27 +0000 (+0100) Subject: Added "ocsp enable" functionality back X-Git-Tag: release_2_1_11~202 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0944efe549286615f9150c7a5052a307e7e547c;p=thirdparty%2Ffreeradius-server.git Added "ocsp enable" functionality back
---
diff --git a/raddb/eap.conf b/raddb/eap.conf
index a56729401a6..7b4f7d8edca 100644
--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -389,10 +389,14 @@
 # revoke certificates without the distribution of # new Certificate Revokation Lists (CRLs). # - # Enable OCSP support by uncommenting this section, - # and its configuration items. - # ocsp { + # + # Enable it. The default is "no". # Deleting the entire "ocsp" subsection # Also disables ocsp checking + # + enable = no + # # The OCSP Responder URL can be automatically # extracted from the certificate in question.
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 5f9cd9efbf2..e2b7c484b25 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -69,6 +69,8 @@ static CONF_PARSER verify_config[] = {
 #ifdef HAVE_OPENSSL_OCSP_H
 static CONF_PARSER ocsp_config[] = {
+ { "enable", PW_TYPE_BOOLEAN,
+ offsetof(EAP_TLS_CONF, ocsp_enable), NULL, "no"},
 { "override_cert_url", PW_TYPE_BOOLEAN,
 offsetof(EAP_TLS_CONF, ocsp_override_url), NULL, "no"},
 { "url", PW_TYPE_STRING_PTR,
@@ -583,7 +585,7 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 } /* check_cert_cn */
 #ifdef HAVE_OPENSSL_OCSP_H
- if (my_ok && conf->check_ocsp){
+ if (my_ok && conf->ocsp_enable){
 RDEBUG2("--> Starting OCSP Request");
 if(X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert)!=1) {
 radlog(L_ERR, "Error: Couldn't get issuer_cert for %s", common_name);
@@ -1144,13 +1146,11 @@ static int eaptls_attach(CONF_SECTION *cs, void **instance)
 /*
 * Initialize OCSP Revocation Store
 */
- if (!conf->ocsp_url && !conf->ocsp_override_url) {
- conf->check_ocsp = FALSE;
- } else {
+ if (conf->ocsp_enable) {
 inst->store = init_revocation_store(conf);
 if (inst->store == NULL) {
 eaptls_detach(inst);
- return -1;
+ return -1;
 }
 }
 #endif HAVE_OPENSSL_OCSP_H
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
index 9151542d885..49c8bc72ba7 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
@@ -74,7 +74,7 @@ typedef struct eap_tls_conf {
 /*
 * OCSP Configuration
 */
- int check_ocsp;
+ int ocsp_enable;
 int ocsp_override_url;
 char *ocsp_url;
 #endif
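Review bot: Removing the `!conf->ocsp_url && !conf->ocsp_override_url` fallback in eaptls_attach, together with the `enable` default of "no" added in the @@ -69 hunk, means a deployment that already has `ocsp { url = ... }` configured but never added `enable = yes` silently stops doing revocation checks after this upgrade, with no indication in the log. Attach should at least say so before the new `if (conf->ocsp_enable)`: `if (!conf->ocsp_enable && (conf->ocsp_url || conf->ocsp_override_url)) radlog(L_ERR, "rlm_eap_tls: ocsp url configured but \"enable = yes\" is not set, OCSP checking is disabled");`. Neither the old nor the new branch validates `override_cert_url = yes` with no `url`; if init_revocation_store or the later OCSP request relies on conf->ocsp_url in that case (not visible here), rejecting it at attach with `if (conf->ocsp_enable && conf->ocsp_override_url && !conf->ocsp_url) { radlog(L_ERR, "rlm_eap_tls: ocsp override_cert_url = yes requires url"); eaptls_detach(inst); return -1; }` would keep the misconfiguration from loading. eaptls_attach begins and ends outside the hunk.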