File eap_tls_ocsp.patch of Package freeradius-server.34053
commit 08c960f1901873ea482741a9f969137c4129b6a7
Author: Isaac Boukris <iboukris@gmail.com>
Date: Thu Apr 5 03:41:34 2018 +0300
OCSP: Fix intermediate CA flow (port from v4)
It appears X509_STORE_CTX_get1_issuer() will only return
a trusted certificate, so in the case of an intermediate CA (not
trusted by itself) it may return null.
Use current_issuer instead, as the chain is already
validated (so we should have issuer certificate).
Also, if for some reason we still cannot get issuer, then
only allow skip if conf allows softfail.
diff --git a/src/main/tls.c b/src/main/tls.c
index dfaa5e6a04..6ab4f2cb9a 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1750,6 +1750,11 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
#endif
VALUE_PAIR *vp;
+ if (issuer_cert == NULL) {
+ RWDEBUG("Could not get issuer certificate");
+ goto skipped;
+ }
+
/*
* Create OCSP Request
*/
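Review bot: The new NULL guard at the top of ocsp_check jumps to `skipped`, but nothing in the hunk says that the skipped path is where the softfail decision is made; the commit message states a missing issuer is only tolerated when softfail is configured, and that label is outside the hunk, so a reader of this function cannot see it. Suggest a comment above the check: `/* cbtls_verify passes NULL when X509_STORE_CTX_get0_current_issuer() finds no issuer; the skipped path decides whether softfail permits continuing. */`. This also turns issuer_cert from a required argument into an optional one, so the function's header comment (outside the hunk) should state that the parameter may be NULL. ocsp_check's body continues outside the hunk.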
@@ -2410,30 +2415,29 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
} else {
RDEBUG2("Starting OCSP Request");
- if ((X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) ||
- !issuer_cert) {
- /*
- * Allow for external verify.
- */
- RERROR("Couldn't get issuer_cert for %s", common_name);
- do_verify = true;
- } else {
- /*
- * Do the full OCSP checks.
- *
- * If they fail, don't run the external verify. We don't want
- * to allow admins to force authentication success for bad
- * certificates.
- *
- * If the OCSP checks succeed, check whether we still want to
- * run the external verification routine. If it's marked as
- * "skip verify on OK", then we don't do verify.
- */
- my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);
- if (my_ok != OCSP_STATUS_FAILED) {
- do_verify = !conf->verify_skip_if_ocsp_ok;
- }
+ /*
+ * If we don't have an issuer, then we can't send
+ * and OCSP request, but pass the NULL issuer in
+ * so ocsp_check can decide on the correct
+ * return code.
+ */
+ issuer_cert = X509_STORE_CTX_get0_current_issuer(ctx);
+
+ /*
+ * Do the full OCSP checks.
+ *
+ * If they fail, don't run the external verify. We don't want
+ * to allow admins to force authentication success for bad
+ * certificates.
+ *
+ * If the OCSP checks succeed, check whether we still want to
+ * run the external verification routine. If it's marked as
+ * "skip verify on OK", then we don't do verify.
+ */
+ my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf);
+ if (my_ok != OCSP_STATUS_FAILED) {
+ do_verify = !conf->verify_skip_if_ocsp_ok;
}
}
}
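Review bot: Replacing X509_STORE_CTX_get1_issuer() with X509_STORE_CTX_get0_current_issuer() changes the ownership of issuer_cert from a reference the caller must release to one borrowed from the verify context; if cbtls_verify still calls X509_free(issuer_cert) anywhere after this hunk, that free must go, or the store's copy is released out from under OpenSSL. Conversely, no matching free of the old owned reference is visible in the hunk, so the change may also close a reference leak; either way the rest of the function should be checked, as cbtls_verify's body continues outside the hunk. The new explanatory comment has a typo: `*	and OCSP request, but pass the NULL issuer in` should read `an OCSP request`. Since the commit relies on the current issuer having been set during chain verification, a one-line comment on the assignment noting that this depends on the chain already having been built when the callback runs would help the next reader.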