]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
Remove all OCSP code from the TLS library
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 17 Jun 2021 20:46:38 +0000 (15:46 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 17 Jun 2021 20:48:04 +0000 (15:48 -0500)
This will be added back as a module at some point in the future

raddb/mods-available/eap
src/lib/eap/tls.c
src/lib/tls/all.mk
src/lib/tls/base-h
src/lib/tls/conf-h
src/lib/tls/conf.c
src/lib/tls/validate.c
src/modules/rlm_ocsp/conf.c [new file with mode: 0644]
src/modules/rlm_ocsp/ocsp [new file with mode: 0644]
src/modules/rlm_ocsp/ocsp.c [moved from src/lib/tls/ocsp.c with 100% similarity]
src/modules/rlm_ocsp/ocsp.h [new file with mode: 0644]

index 80ef6e051d20d8d30f90bf5bac94a38f63868574..0f77bbe2cf4920125aca9bac13adfbbf6d0c8495 100644 (file)
@@ -696,232 +696,6 @@ eap {
                        #  ====
                        #
                }
-
-               #
-               #  ### OCSP Configuration
-               #
-               #  Certificates can be verified against an OCSP Responder.
-               #  This makes it possible to immediately revoke certificates without
-               #  the distribution of new Certificate Revocation Lists (CRLs).
-               #
-               #  In addition to the configuration items below, the behaviour of
-               #  OCSP can be altered by runtime attributes.
-               #
-               #  If OCSP is enabled, the `&reply.TLS-OCSP-Cert-Valid` attribute will
-               #  be added after OCSP completes.  One of the following values will
-               #  be set:
-               #
-               #  [options="header,autowidth"]
-               #  |===
-               #  | Value   | Description
-               #  | no      | OCSP responder indicated the certificate is not valid.
-               #  | yes     | OCSP responder indicated the certificate is valid.
-               #  | skipped | OCSP checks were skipped.
-               #  |===
-               #
-               #  If an OCSP check is performed, the `&reply.TLS-OCSP-Next-Update`
-               #  attribute will also be added.  The value of this will attribute
-               #  be the number of seconds until the certificate state need be refreshed.
-               #  This can be used as a `Cache-TTL` value if you wish to use the cache
-               #  module to store OCSP certificate validation status.
-               #
-               #  If when the OCSP check is performed, a `&control.TLS-OCSP-Cert-Valid`
-               #  attribute is present, its value will force the outcome of the OCSP
-               #  check, and the OCSP responder will not be contacted.
-               #  Values map to the following OCSP responses:
-               #
-               #  [options="header,autowidth"]
-               #  |===
-               #  | Value   | Description
-               #  | no      | Invalid.
-               #  | yes     | Valid.
-               #  | skipped | If `softfail = yes` value else invalid.
-               #  |===
-               #
-               ocsp {
-                       #
-                       #  enable::
-                       #
-                       #  Deleting the entire `ocsp` subsection also disables ocsp checking.
-                       #
-                       #  Default is `no`.
-                       #
-#                      enable = no
-
-                       #
-                       #  virtual_server::
-                       #
-                       #  OCSP checks are performed immediately after the
-                       #  complete certificate is received from the supplicant,
-                       #  and directly after the attributes from that
-                       #  certificate are inserted into the request.
-                       #
-                       #  In order to retrieve cached OCSP states, a virtual
-                       #  server must be defined here.
-                       #
-                       #  See `raddb/sites-available/tls-cache` for details.
-                       #
-#                      virtual_server = 'tls-cache'
-
-                       #
-                       #  override_cert_url::
-                       #
-                       #  The OCSP Responder URL can be automatically extracted
-                       #  from the certificate in question. To override the
-                       #  OCSP Responder URL set `override_cert_url = yes`.
-                       #
-                       override_cert_url = yes
-
-                       #
-                       #  url::
-                       #
-                       #  If the OCSP Responder address is not extracted from
-                       #  the certificate, the URL can be defined here.
-                       #
-                       url = "http://127.0.0.1/ocsp/"
-
-                       #
-                       #  use_nonce::
-                       #
-                       #  If the OCSP Responder can not cope with nonce in the
-                       #  request, then it can be disabled here.
-                       #
-                       #  [WARNING]
-                       #  ====
-                       #  * For security reasons, disabling this option is not
-                       #  recommended as nonce protects against replay attacks.
-                       #
-                       #  * Microsoft AD Certificate Services OCSP
-                       #  Responder does not enable nonce by default. It is more
-                       #  secure to enable nonce on the responder than to
-                       #  disable it in the query here.
-                       #
-                       #  See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
-                       #  ====
-                       #
-#                      use_nonce = yes
-
-                       #
-                       #  timeout::
-                       #
-                       #  Number of seconds before giving up waiting for OCSP
-                       #  response.
-                       #
-                       #  Default is `0`.
-                       #
-#                      timeout = 0
-
-                       #
-                       #  softfail::
-                       #
-                       #  Normally an error in querying the OCSP responder (no
-                       #  response from server, server did not understand the
-                       #  request, etc) will result in a validation failure.
-                       #
-                       #  To treat these errors as `soft` failures and still
-                       #  accept the certificate, enable this option.
-                       #
-                       #  WARNING: this may enable clients with revoked
-                       #  certificates to connect if the OCSP responder is not
-                       #  available. *Use with caution*.
-                       #
-#                      softfail = no
-               }
-
-               #
-               #  ### OCSP stapling for server certificates
-               #
-               #  If requested, we query either the server listed below (as url),
-               #  or the one specified in our server certificate, to retrieve an
-               #  OCSP response to pass back to the TLS client.
-               #
-               #  staple { ... }::
-               #
-               #  This allows TLS clients to check for certificate revocation before
-               #  divulging credentials to a (possibly rogue) server, that may be
-               #  presenting a compromised certificate.
-               #
-               staple {
-                       #
-                       #  enable::
-                       #
-                       #  Enable it. Deleting the entire `ocsp` subsection also disables ocsp checking.
-                       #
-                       #  Default is `no`.
-                       #
-#                      enable = no
-
-                       #
-                       #  virtual_server::
-                       #
-                       #  OCSP checks are performed whenever a TLS client includes
-                       #  an OCSP stapling extension.
-                       #
-                       #  In order to retrieve cached OCSP staples, a virtual
-                       #  server must be defined here.
-                       #
-                       #  The same virtual server can be used for caching
-                       #  client OCSP response states, and stapling information.
-                       #
-                       #  See `raddb/sites-available/tls-cache` for details.
-                       #
-#                      virtual_server = 'tls-cache'
-
-                       #
-                       #  override_cert_url::
-                       #
-                       #  The OCSP Responder URL can be automatically extracted
-                       #  from the certificate in question. To override the
-                       #  OCSP Responder URL set `override_cert_url = yes`.
-                       #
-                       override_cert_url = yes
-
-                       #
-                       #  url::
-                       #
-                       #  If the OCSP Responder address is not extracted from
-                       #  the certificate, the URL can be defined here.
-                       #
-                       url = "http://127.0.0.1/ocsp/"
-
-                       #
-                       #  use_nonce::
-                       #
-                       #  If the OCSP Responder can not cope with nonce in the
-                       #  request, then it can be disabled here.
-                       #
-                       #  [WARNING]
-                       #  ====
-                       #  * For security reasons, disabling this option is not
-                       #  recommended as nonce protects against replay attacks.
-                       #
-                       #  * Microsoft AD Certificate Services OCSP
-                       #  Responder does not enable nonce by default. It is more
-                       #  secure to enable nonce on the responder than to
-                       #  disable it in the query here. See
-                       #  http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
-                       #  ====
-                       #
-#                      use_nonce = yes
-
-                       #
-                       #  Number of seconds before giving up waiting for OCSP
-                       #  response.
-                       #
-                       #  Default is `0`.
-                       #
-#                      timeout = 0
-
-                       #
-                       #  softfail::
-                       #
-                       #  Normally if we can't query the OCSP Responder
-                       #  we issue a fatal alert, and abort.  Set this to `true`
-                       #  to allow the session to continue without an OCSP
-                       #  stapling response being sent to the TLS client.
-                       #
-#                      softfail = no
-               }
        }
 
        #
index 33e1d7f231474f9fdcbd8cfcb4770f5f7747cd10..087ae883ed830eef9a25ebfefc64b95d3d5a4457 100644 (file)
@@ -1208,9 +1208,6 @@ eap_tls_session_t *eap_tls_session_init(request_t *request, eap_session_t *eap_s
        SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_TLS_SESSION, (void *)tls_session);
        SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_CONF, (void *)conf);
        SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_IDENTITY, (void *)&(eap_session->identity));
-#ifdef HAVE_OPENSSL_OCSP_H
-       SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp.store);
-#endif
 
        return eap_tls_session;
 }
index 2910cabb6214f49173384f25697fd3c9eec0f6de..0a4354e6fe8b221562a4f5c0345765cea9fea0ed 100644 (file)
@@ -11,7 +11,6 @@ SOURCES       := \
        ctx.c \
        engine.c \
        log.c \
-       ocsp.c \
        pairs.c \
        session.c \
        utils.c \
index 46d82c63831c58bcda20f9e65c62302a0b28e681..b3dc63bf87f5037e806f386e1ae3f24d46689e03 100644 (file)
@@ -180,19 +180,6 @@ void               fr_openssl_free(void);
 
 int            fr_tls_dict_init(void);
 
-/*
- *     tls/ocsp.c
- */
-int            fr_tls_ocsp_staple_cb(SSL *ssl, void *data);
-
-int            fr_tls_ocsp_check(request_t *request, SSL *ssl,
-                              X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
-                              fr_tls_ocsp_conf_t *conf, bool staple_response);
-
-int            fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);
-
-int            fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);
-
 /*
  *     tls/utils.c
  */
index 0a999fe97a210318c9dd8edb05e2313a1f209809..7df49723a62a52274a6f970e6a3ce45d71b2b16b 100644 (file)
@@ -32,27 +32,6 @@ RCSIDH(conf_h, "$Id$")
 extern "C" {
 #endif
 
-#ifdef HAVE_OPENSSL_OCSP_H
-/** OCSP Configuration
- *
- */
-typedef struct {
-       bool            enable;                         //!< Enable OCSP checks
-       char const      *cache_server;                  //!< Virtual server to restore retrieved OCSP status.
-       bool            override_url;                   //!< Always use the configured OCSP URL even if the
-                                                       //!< certificate contains one.
-       char const      *url;
-       bool            use_nonce;
-       X509_STORE      *store;
-       uint32_t        timeout;
-       bool            softfail;
-
-
-       fr_tls_cache_t  cache;                          //!< Cached cache section pointers.  Means we don't have
-                                                       ///< to look them up at runtime.
-} fr_tls_ocsp_conf_t;
-#endif
-
 /** Different chain building modes
  *
  */
@@ -163,13 +142,6 @@ struct fr_tls_conf_s {
 
        bool            require_client_cert;
 
-#ifdef HAVE_OPENSSL_OCSP_H
-       fr_tls_ocsp_conf_t      ocsp;                   //!< Configuration for validating client certificates
-                                                       //!< with ocsp.
-       fr_tls_ocsp_conf_t      staple;                 //!< Configuration for validating server certificates
-                                                       //!< with ocsp.
-#endif
-
 #ifndef OPENSSL_NO_ECDH
        char const              *ecdh_curve;
 #endif
index 4a665df1f20a68abb61177e1f4727afcb0e8d110..2f93fd741ad93651e4d18327362be53fdc8edd75 100644 (file)
@@ -187,11 +187,7 @@ CONF_PARSER fr_tls_server_config[] = {
 
        { FR_CONF_OFFSET("cache", FR_TYPE_SUBSECTION, fr_tls_conf_t, cache), .subcs = (void const *) cache_config },
 
-#ifdef HAVE_OPENSSL_OCSP_H
-       { FR_CONF_OFFSET("ocsp", FR_TYPE_SUBSECTION, fr_tls_conf_t, ocsp), .subcs = (void const *) ocsp_config },
-
-       { FR_CONF_OFFSET("staple", FR_TYPE_SUBSECTION, fr_tls_conf_t, staple), .subcs = (void const *) ocsp_config },
-#endif
+       { FR_CONF_DEPRECATED("verify", FR_TYPE_SUBSECTION, fr_tls_conf_t, NULL) },
        CONF_PARSER_TERMINATOR
 };
 
@@ -327,22 +323,9 @@ static X509_STORE *conf_ocsp_revocation_store(fr_tls_conf_t *conf)
  *     added to automatically free the data when the CONF_SECTION
  *     is freed.
  */
-static int _conf_server_free(
-#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)
-                            UNUSED
-#endif
-                            fr_tls_conf_t *conf)
+static int _conf_server_free(fr_tls_conf_t *conf)
 {
-#ifdef HAVE_OPENSSL_OCSP_H
-       if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store);
-       conf->ocsp.store = NULL;
-       if (conf->staple.store) X509_STORE_free(conf->staple.store);
-       conf->staple.store = NULL;
-#endif
-
-#ifndef NDEBUG
        memset(conf, 0, sizeof(*conf));
-#endif
        return 0;
 }
 
@@ -397,28 +380,6 @@ fr_tls_conf_t *fr_tls_conf_parse_server(CONF_SECTION *cs)
        if (conf_cert_admin_password(conf) < 0) goto error;
 #endif
 
-#ifdef HAVE_OPENSSL_OCSP_H
-       /*
-        *      @fixme:  This is all pretty terrible.
-        *      The stores initialized here are for validating
-        *      OCSP responses.  They have nothing to do with
-        *      verifying other certificates.
-        */
-
-       /*
-        *      Initialize OCSP Revocation Store
-        */
-       if (conf->ocsp.enable) {
-               conf->ocsp.store = conf_ocsp_revocation_store(conf);
-               if (conf->ocsp.store == NULL) goto error;
-       }
-
-       if (conf->staple.enable) {
-               conf->staple.store = conf_ocsp_revocation_store(conf);
-               if (conf->staple.store == NULL) goto error;
-       }
-#endif /*HAVE_OPENSSL_OCSP_H*/
-
        /*
         *      Ensure our virtual server contains the
         *      correct sections for the specified
@@ -501,32 +462,6 @@ fr_tls_conf_t *fr_tls_conf_parse_server(CONF_SECTION *cs)
                fr_rand_buffer(conf->cache.session_ticket_key_rand, sizeof(conf->cache.session_ticket_key_rand));
        }
 
-#ifdef HAVE_OPENSSL_OCSP_H
-       if (conf->ocsp.cache_server) {
-               CONF_SECTION *server_cs;
-
-               server_cs = virtual_server_find(conf->ocsp.cache_server);
-               if (!server_cs) {
-                       ERROR("No such virtual server '%s'", conf->ocsp.cache_server);
-                       goto error;
-               }
-
-               if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, server_cs) < 0) goto error;
-       }
-
-       if (conf->staple.cache_server) {
-               CONF_SECTION *server_cs;
-
-               server_cs = virtual_server_find(conf->staple.cache_server);
-               if (!server_cs) {
-                       ERROR("No such virtual server '%s'", conf->staple.cache_server);
-                       goto error;
-               }
-
-               if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, server_cs) < 0) goto error;
-       }
-#endif
-
        /*
         *      Cache conf in cs in case we're asked to parse this again.
         */
index de46fd5848dfa62c9efaba4eaa4b9fea39a5f250..785349c5c256f272ec17c47d5ceeb607544bf893 100644 (file)
@@ -268,29 +268,6 @@ int fr_tls_validate_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
                }
        } /* check_cert_cn */
 
-#ifdef HAVE_OPENSSL_OCSP_H
-       /*
-        *      Do OCSP last, so we have the complete set of attributes
-        *      available for the virtual server.
-        *
-        *      Fixme: Do we want to store the matching TLS-Client-cert-Filename?
-        */
-       if (my_ok && conf->ocsp.enable){
-               X509    *issuer_cert;
-
-               RDEBUG2("Starting OCSP Request");
-
-               /*
-                *      If we don't have an issuer, then we can't send
-                *      and OCSP request, but pass the NULL issuer in
-                *      so fr_tls_ocsp_check can decide on the correct
-                *      return code.
-                */
-               issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);
-               my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);
-       }
-#endif
-
        /*
         *      If we have a client certificate, cache whether or not
         *      we validated it.
diff --git a/src/modules/rlm_ocsp/conf.c b/src/modules/rlm_ocsp/conf.c
new file mode 100644 (file)
index 0000000..8a1a641
--- /dev/null
@@ -0,0 +1,102 @@
+#ifdef HAVE_OPENSSL_OCSP_H
+       { FR_CONF_OFFSET("ocsp", FR_TYPE_SUBSECTION, fr_tls_conf_t, ocsp), .subcs = (void const *) ocsp_config },
+
+       { FR_CONF_OFFSET("staple", FR_TYPE_SUBSECTION, fr_tls_conf_t, staple), .subcs = (void const *) ocsp_config },
+#endif
+
+#ifdef HAVE_OPENSSL_OCSP_H
+       if (conf->ocsp.cache_server) {
+               CONF_SECTION *server_cs;
+
+               server_cs = virtual_server_find(conf->ocsp.cache_server);
+               if (!server_cs) {
+                       ERROR("No such virtual server '%s'", conf->ocsp.cache_server);
+                       goto error;
+               }
+
+               if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, server_cs) < 0) goto error;
+       }
+
+       if (conf->staple.cache_server) {
+               CONF_SECTION *server_cs;
+
+               server_cs = virtual_server_find(conf->staple.cache_server);
+               if (!server_cs) {
+                       ERROR("No such virtual server '%s'", conf->staple.cache_server);
+                       goto error;
+               }
+
+               if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, server_cs) < 0) goto error;
+       }
+#endif
+
+#ifdef HAVE_OPENSSL_OCSP_H
+       /*
+        *      @fixme:  This is all pretty terrible.
+        *      The stores initialized here are for validating
+        *      OCSP responses.  They have nothing to do with
+        *      verifying other certificates.
+        */
+
+       /*
+        *      Initialize OCSP Revocation Store
+        */
+       if (conf->ocsp.enable) {
+               conf->ocsp.store = conf_ocsp_revocation_store(conf);
+               if (conf->ocsp.store == NULL) goto error;
+       }
+
+       if (conf->staple.enable) {
+               conf->staple.store = conf_ocsp_revocation_store(conf);
+               if (conf->staple.store == NULL) goto error;
+       }
+#endif /*HAVE_OPENSSL_OCSP_H*/
+
+
+static int _conf_server_free(
+#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)
+                            UNUSED
+#endif
+                            fr_tls_conf_t *conf)
+{
+#ifdef HAVE_OPENSSL_OCSP_H
+       if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store);
+       conf->ocsp.store = NULL;
+       if (conf->staple.store) X509_STORE_free(conf->staple.store);
+       conf->staple.store = NULL;
+#endif
+
+#ifndef NDEBUG
+       memset(conf, 0, sizeof(*conf));
+#endif
+       return 0;
+}
+
+/* Session init */
+#ifdef HAVE_OPENSSL_OCSP_H
+       SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_STORE, (void *)tls_conf->ocsp.store);
+#endif
+
+/* Validation checks */
+#ifdef HAVE_OPENSSL_OCSP_H
+       /*
+        *      Do OCSP last, so we have the complete set of attributes
+        *      available for the virtual server.
+        *
+        *      Fixme: Do we want to store the matching TLS-Client-cert-Filename?
+        */
+       if (my_ok && conf->ocsp.enable){
+               X509    *issuer_cert;
+
+               RDEBUG2("Starting OCSP Request");
+
+               /*
+                *      If we don't have an issuer, then we can't send
+                *      and OCSP request, but pass the NULL issuer in
+                *      so fr_tls_ocsp_check can decide on the correct
+                *      return code.
+                */
+               issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);
+               my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);
+       }
+#endif
diff --git a/src/modules/rlm_ocsp/ocsp b/src/modules/rlm_ocsp/ocsp
new file mode 100644 (file)
index 0000000..695af7c
--- /dev/null
@@ -0,0 +1,227 @@
+
+
+               #
+               #  ### OCSP Configuration
+               #
+               #  Certificates can be verified against an OCSP Responder.
+               #  This makes it possible to immediately revoke certificates without
+               #  the distribution of new Certificate Revocation Lists (CRLs).
+               #
+               #  In addition to the configuration items below, the behaviour of
+               #  OCSP can be altered by runtime attributes.
+               #
+               #  If OCSP is enabled, the `&reply.TLS-OCSP-Cert-Valid` attribute will
+               #  be added after OCSP completes.  One of the following values will
+               #  be set:
+               #
+               #  [options="header,autowidth"]
+               #  |===
+               #  | Value   | Description
+               #  | no      | OCSP responder indicated the certificate is not valid.
+               #  | yes     | OCSP responder indicated the certificate is valid.
+               #  | skipped | OCSP checks were skipped.
+               #  |===
+               #
+               #  If an OCSP check is performed, the `&reply.TLS-OCSP-Next-Update`
+               #  attribute will also be added.  The value of this will attribute
+               #  be the number of seconds until the certificate state need be refreshed.
+               #  This can be used as a `Cache-TTL` value if you wish to use the cache
+               #  module to store OCSP certificate validation status.
+               #
+               #  If when the OCSP check is performed, a `&control.TLS-OCSP-Cert-Valid`
+               #  attribute is present, its value will force the outcome of the OCSP
+               #  check, and the OCSP responder will not be contacted.
+               #  Values map to the following OCSP responses:
+               #
+               #  [options="header,autowidth"]
+               #  |===
+               #  | Value   | Description
+               #  | no      | Invalid.
+               #  | yes     | Valid.
+               #  | skipped | If `softfail = yes` value else invalid.
+               #  |===
+               #
+               ocsp {
+                       #
+                       #  enable::
+                       #
+                       #  Deleting the entire `ocsp` subsection also disables ocsp checking.
+                       #
+                       #  Default is `no`.
+                       #
+#                      enable = no
+
+                       #
+                       #  virtual_server::
+                       #
+                       #  OCSP checks are performed immediately after the
+                       #  complete certificate is received from the supplicant,
+                       #  and directly after the attributes from that
+                       #  certificate are inserted into the request.
+                       #
+                       #  In order to retrieve cached OCSP states, a virtual
+                       #  server must be defined here.
+                       #
+                       #  See `raddb/sites-available/tls-cache` for details.
+                       #
+#                      virtual_server = 'tls-cache'
+
+                       #
+                       #  override_cert_url::
+                       #
+                       #  The OCSP Responder URL can be automatically extracted
+                       #  from the certificate in question. To override the
+                       #  OCSP Responder URL set `override_cert_url = yes`.
+                       #
+                       override_cert_url = yes
+
+                       #
+                       #  url::
+                       #
+                       #  If the OCSP Responder address is not extracted from
+                       #  the certificate, the URL can be defined here.
+                       #
+                       url = "http://127.0.0.1/ocsp/"
+
+                       #
+                       #  use_nonce::
+                       #
+                       #  If the OCSP Responder can not cope with nonce in the
+                       #  request, then it can be disabled here.
+                       #
+                       #  [WARNING]
+                       #  ====
+                       #  * For security reasons, disabling this option is not
+                       #  recommended as nonce protects against replay attacks.
+                       #
+                       #  * Microsoft AD Certificate Services OCSP
+                       #  Responder does not enable nonce by default. It is more
+                       #  secure to enable nonce on the responder than to
+                       #  disable it in the query here.
+                       #
+                       #  See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+                       #  ====
+                       #
+#                      use_nonce = yes
+
+                       #
+                       #  timeout::
+                       #
+                       #  Number of seconds before giving up waiting for OCSP
+                       #  response.
+                       #
+                       #  Default is `0`.
+                       #
+#                      timeout = 0
+
+                       #
+                       #  softfail::
+                       #
+                       #  Normally an error in querying the OCSP responder (no
+                       #  response from server, server did not understand the
+                       #  request, etc) will result in a validation failure.
+                       #
+                       #  To treat these errors as `soft` failures and still
+                       #  accept the certificate, enable this option.
+                       #
+                       #  WARNING: this may enable clients with revoked
+                       #  certificates to connect if the OCSP responder is not
+                       #  available. *Use with caution*.
+                       #
+#                      softfail = no
+               }
+
+               #
+               #  ### OCSP stapling for server certificates
+               #
+               #  If requested, we query either the server listed below (as url),
+               #  or the one specified in our server certificate, to retrieve an
+               #  OCSP response to pass back to the TLS client.
+               #
+               #  staple { ... }::
+               #
+               #  This allows TLS clients to check for certificate revocation before
+               #  divulging credentials to a (possibly rogue) server, that may be
+               #  presenting a compromised certificate.
+               #
+               staple {
+                       #
+                       #  enable::
+                       #
+                       #  Enable it. Deleting the entire `ocsp` subsection also disables ocsp checking.
+                       #
+                       #  Default is `no`.
+                       #
+#                      enable = no
+
+                       #
+                       #  virtual_server::
+                       #
+                       #  OCSP checks are performed whenever a TLS client includes
+                       #  an OCSP stapling extension.
+                       #
+                       #  In order to retrieve cached OCSP staples, a virtual
+                       #  server must be defined here.
+                       #
+                       #  The same virtual server can be used for caching
+                       #  client OCSP response states, and stapling information.
+                       #
+                       #  See `raddb/sites-available/tls-cache` for details.
+                       #
+#                      virtual_server = 'tls-cache'
+
+                       #
+                       #  override_cert_url::
+                       #
+                       #  The OCSP Responder URL can be automatically extracted
+                       #  from the certificate in question. To override the
+                       #  OCSP Responder URL set `override_cert_url = yes`.
+                       #
+                       override_cert_url = yes
+
+                       #
+                       #  url::
+                       #
+                       #  If the OCSP Responder address is not extracted from
+                       #  the certificate, the URL can be defined here.
+                       #
+                       url = "http://127.0.0.1/ocsp/"
+
+                       #
+                       #  use_nonce::
+                       #
+                       #  If the OCSP Responder can not cope with nonce in the
+                       #  request, then it can be disabled here.
+                       #
+                       #  [WARNING]
+                       #  ====
+                       #  * For security reasons, disabling this option is not
+                       #  recommended as nonce protects against replay attacks.
+                       #
+                       #  * Microsoft AD Certificate Services OCSP
+                       #  Responder does not enable nonce by default. It is more
+                       #  secure to enable nonce on the responder than to
+                       #  disable it in the query here. See
+                       #  http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+                       #  ====
+                       #
+#                      use_nonce = yes
+
+                       #
+                       #  Number of seconds before giving up waiting for OCSP
+                       #  response.
+                       #
+                       #  Default is `0`.
+                       #
+#                      timeout = 0
+
+                       #
+                       #  softfail::
+                       #
+                       #  Normally if we can't query the OCSP Responder
+                       #  we issue a fatal alert, and abort.  Set this to `true`
+                       #  to allow the session to continue without an OCSP
+                       #  stapling response being sent to the TLS client.
+                       #
+#                      softfail = no
+               }
diff --git a/src/modules/rlm_ocsp/ocsp.h b/src/modules/rlm_ocsp/ocsp.h
new file mode 100644 (file)
index 0000000..b69e16b
--- /dev/null
@@ -0,0 +1,38 @@
+/** OCSP Configuration
+ *
+ */
+typedef struct {
+       bool            enable;                         //!< Enable OCSP checks
+       char const      *cache_server;                  //!< Virtual server to restore retrieved OCSP status.
+       bool            override_url;                   //!< Always use the configured OCSP URL even if the
+                                                       //!< certificate contains one.
+       char const      *url;
+       bool            use_nonce;
+       X509_STORE      *store;
+       uint32_t        timeout;
+       bool            softfail;
+
+
+       fr_tls_cache_t  cache;                          //!< Cached cache section pointers.  Means we don't have
+                                                       ///< to look them up at runtime.
+} fr_tls_ocsp_conf_t;
+
+#ifdef HAVE_OPENSSL_OCSP_H
+       fr_tls_ocsp_conf_t      ocsp;                   //!< Configuration for validating client certificates
+                                                       //!< with ocsp.
+       fr_tls_ocsp_conf_t      staple;                 //!< Configuration for validating server certificates
+                                                       //!< with ocsp.
+#endif
+
+/*
+ *     tls/ocsp.c
+ */
+int            fr_tls_ocsp_staple_cb(SSL *ssl, void *data);
+
+int            fr_tls_ocsp_check(request_t *request, SSL *ssl,
+                              X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
+                              fr_tls_ocsp_conf_t *conf, bool staple_response);
+
+int            fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);
+
+int            fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs);