Add ocspd verifycert boolean (#4800)
authorCraig Huckabee <craighuckabee@gmail.com>
Sat, 10 Dec 2022 00:11:36 +0000 (19:11 -0500)
committerGitHub <noreply@github.com>
Sat, 10 Dec 2022 00:11:36 +0000 (18:11 -0600)
* Add verifycert boolean to disable OCSP server certificate validation

* Fix typo

Co-authored-by: Craig Huckabee <craig.huckabee@niwc.navy.mil>
src/modules/rlm_ocsp/conf.c
src/modules/rlm_ocsp/ocsp.c
src/modules/rlm_ocsp/ocsp.h

index e531cb7d191e0df3a7993d7b0b1ff4fcda2b5fa1..8b1dc8273a7f9343555733a022cff3a415311547 100644 (file)
@@ -9,6 +9,7 @@ static CONF_PARSER ocsp_config[] = {
        { FR_CONF_OFFSET("use_nonce", FR_TYPE_BOOL, fr_tls_ocsp_conf_t, use_nonce), .dflt = "yes" },
        { FR_CONF_OFFSET("timeout", FR_TYPE_UINT32, fr_tls_ocsp_conf_t, timeout), .dflt = "yes" },
        { FR_CONF_OFFSET("softfail", FR_TYPE_BOOL, fr_tls_ocsp_conf_t, softfail), .dflt = "no" },
+       { FR_CONF_OFFSET("verifycert", FR_TYPE_BOOL, fr_tls_ocsp_conf_t, verifycert), .dflt = "yes" },
 
        CONF_PARSER_TERMINATOR
 };
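Review bot: The new `verifycert` entry carries no comment saying what it switches off, and the name suggests a certificate check rather than what the ocsp.c change actually gates, which is `OCSP_basic_verify()` — the check that the response is signed by the issuer or an authorised responder. With it set to "no" any well-formed OCSP response is accepted regardless of who signed it, so the entry deserves an explicit note for operators, e.g. `/* "no" skips OCSP_basic_verify(): the response signature and signer chain are NOT checked; leave "yes" unless the responder is trusted by other means */`. The `ocsp_config` array starts outside the hunk.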
index 63db754e174722035b6b1cc7f5324c45e3d524b9..b927a6da2076a365af50bb8591493bdf030b6ab5 100644 (file)
@@ -564,10 +564,13 @@ int fr_tls_ocsp_check(request_t *request, SSL *ssl,
                REDEBUG("Response has wrong nonce value");
                goto finish;
        }
-       if (OCSP_basic_verify(bresp, NULL, store, 0) != 1){
-               REDEBUG("Couldn't verify OCSP basic response");
-               goto finish;
-       }
+       
+       if (conf->verifycert) {
+               if (OCSP_basic_verify(bresp, NULL, store, 0) != 1){
+                       REDEBUG("Couldn't verify OCSP basic response");
+                       goto finish;
+               }
+        }
 
        /*      Verify OCSP cert status */
        if (!OCSP_resp_find_status(bresp, certid, (int *)&status, &reason, &rev, &this_update, &next_update)) {
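Review bot: When `conf->verifycert` is false the new branch skips `OCSP_basic_verify()` silently, so a status taken from an unverified response leaves no trace in the request log and is indistinguishable from a verified one when an incident is investigated. An `else` branch that records the decision would fix that, e.g. `} else { RWDEBUG("OCSP response accepted without signature verification (verifycert = no)"); }`. Two layout nits in the same hunk: the added blank line before `if (conf->verifycert)` carries trailing whitespace, and the closing brace of the new block is indented with spaces where the surrounding lines use tabs. `fr_tls_ocsp_check()` begins and ends outside the hunk.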
index b69e16bb2fc71d5fc3be03068e87348858733bb8..512535f36c4c32c871ab1c5fe151c45faf49147f 100644 (file)
@@ -11,6 +11,7 @@ typedef struct {
        X509_STORE      *store;
        uint32_t        timeout;
        bool            softfail;
+       bool            verifycert;
 
 
        fr_tls_cache_t  cache;                          //!< Cached cache section pointers.  Means we don't have
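Review bot: The new `verifycert` member is the only one in this hunk without the `//!<` field comment the struct uses elsewhere (see `cache` below it), and its meaning is not obvious from the name. Suggested line: `bool            verifycert;     //!< Run OCSP_basic_verify() on the response (signature and signer chain).  If false, unverified responses are accepted.` The enclosing typedef starts outside the hunk.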