Overview

File freeradius-server-CVE-2015-4680.patch of Package freeradius-server.4927

Index: freeradius-server-3.0.3/raddb/mods-available/eap
===================================================================
--- freeradius-server-3.0.3.orig/raddb/mods-available/eap
+++ freeradius-server-3.0.3/raddb/mods-available/eap
@@ -274,9 +274,13 @@ eap {
 		#  1) Copy CA certificates and CRLs to same directory.
 		#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
 		#    'c_rehash' is OpenSSL's command.
-		#  3) uncomment the line below.
+		#  3) uncomment the lines below.
 		#  5) Restart radiusd
 	#	check_crl = yes
+
+		# Check if intermediate CAs have been revoked
+	#	check_all_crl = yes
+
 		ca_path = ${cadir}
 
 	       #
Index: freeradius-server-3.0.3/src/include/tls-h
===================================================================
--- freeradius-server-3.0.3.orig/src/include/tls-h
+++ freeradius-server-3.0.3/src/include/tls-h
@@ -353,6 +353,7 @@ struct fr_tls_server_conf_t {
 	 */
 	int		fragment_size;
 	bool		check_crl;
+	bool		check_all_crl;
 	bool		allow_expired_crl;
 	char		*check_cert_cn;
 	char		*cipher_list;
Index: freeradius-server-3.0.3/src/main/tls.c
===================================================================
--- freeradius-server-3.0.3.orig/src/main/tls.c
+++ freeradius-server-3.0.3/src/main/tls.c
@@ -922,6 +922,10 @@ static CONF_PARSER tls_client_config[] =
 	  offsetof(fr_tls_server_conf_t, include_length), NULL, "yes" },
 	{ "check_crl", PW_TYPE_BOOLEAN,
 	  offsetof(fr_tls_server_conf_t, check_crl), NULL, "no"},
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+	{ "check_all_crl", PW_TYPE_BOOLEAN,
+	  offsetof(fr_tls_server_conf_t, check_all_crl), NULL, "no" },
+#endif
 	{ "check_cert_cn", PW_TYPE_STRING_PTR,
 	  offsetof(fr_tls_server_conf_t, check_cert_cn), NULL, NULL},
 	{ "cipher_list", PW_TYPE_STRING_PTR,
@@ -1907,6 +1911,10 @@ static X509_STORE *init_revocation_store
 	if (conf->check_crl)
 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
 #endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+	if (conf->check_all_crl)
+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
 	return store;
 }
 #endif	/* HAVE_OPENSSL_OCSP_H */
@@ -2311,6 +2319,11 @@ post_ca:
 	    return NULL;
 	  }
 	  X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+	if (conf->check_all_crl)
+		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
 	}
 #endif
openSUSE Build Service is sponsored by
Places