File eap_tls_ocsp.patch of Package freeradius-server.14500

commit 08c960f1901873ea482741a9f969137c4129b6a7
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Thu Apr 5 03:41:34 2018 +0300

    OCSP: Fix intermediate CA flow (port from v4)
    
    It appears X509_STORE_CTX_get1_issuer() will only return
    a trusted certificate, so in case of intermediate CA (not
    trusted by it self) it may return null.
    Use current_issuer instead, as the chain is already
    validated (so we should have issuer certificate).
    
    Also, if for some reason we still cannot get issuer, then
    only allow skip if conf allows softfail.

diff --git a/src/main/tls.c b/src/main/tls.c
index dfaa5e6a04..6ab4f2cb9a 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1750,6 +1750,11 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
 #endif
 	VALUE_PAIR	*vp;
 
+	if (issuer_cert == NULL) {
+		RWDEBUG("Could not get issuer certificate");
+		goto skipped;
+	}
+
 	/*
 	 * Create OCSP Request
 	 */
@@ -2410,30 +2415,29 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 
 			} else {
 				RDEBUG2("Starting OCSP Request");
-				if ((X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) ||
-				    !issuer_cert) {
-					/*
-					 *	Allow for external verify.
-					 */
-					RERROR("Couldn't get issuer_cert for %s", common_name);
-					do_verify = true;
 
-				} else {
-					/*
-					 *	Do the full OCSP checks.
-					 *
-					 *	If they fail, don't run the external verify.  We don't want
-					 *	to allow admins to force authentication success for bad
-					 *	certificates.
-					 *
-					 *	If the OCSP checks succeed, check whether we still want to
-					 *	run the external verification routine.  If it's marked as
-					 *	"skip verify on OK", then we don't do verify.
-					 */
-					my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);
-					if (my_ok != OCSP_STATUS_FAILED) {
-						do_verify = !conf->verify_skip_if_ocsp_ok;
-					}
+				/*
+				 *	If we don't have an issuer, then we can't send
+				 *	and OCSP request, but pass the NULL issuer in
+				 *	so ocsp_check can decide on the correct
+				 *	return code.
+				 */
+				issuer_cert = X509_STORE_CTX_get0_current_issuer(ctx);
+
+				/*
+				 *	Do the full OCSP checks.
+				 *
+				 *	If they fail, don't run the external verify.  We don't want
+				 *	to allow admins to force authentication success for bad
+				 *	certificates.
+				 *
+				 *	If the OCSP checks succeed, check whether we still want to
+				 *	run the external verification routine.  If it's marked as
+				 *	"skip verify on OK", then we don't do verify.
+				 */
+				my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);
+				if (my_ok != OCSP_STATUS_FAILED) {
+					do_verify = !conf->verify_skip_if_ocsp_ok;
 				}
 			}
 		}