File eap_tls_ocsp.patch of Package freeradius-server.18281
commit 08c960f1901873ea482741a9f969137c4129b6a7 Author: Isaac Boukris <iboukris@gmail.com> Date: Thu Apr 5 03:41:34 2018 +0300 OCSP: Fix intermediate CA flow (port from v4) It appears X509_STORE_CTX_get1_issuer() will only return a trusted certificate, so in case of intermediate CA (not trusted by itself) it may return null. Use current_issuer instead, as the chain is already validated (so we should have issuer certificate). Also, if for some reason we still cannot get issuer, then only allow skip if conf allows softfail. diff --git a/src/main/tls.c b/src/main/tls.c index dfaa5e6a04..6ab4f2cb9a 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -1750,6 +1750,11 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue #endif VALUE_PAIR *vp; + if (issuer_cert == NULL) { + RWDEBUG("Could not get issuer certificate"); + goto skipped; + } + /* * Create OCSP Request */ 
@@ -2410,30 +2415,29 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) } else { RDEBUG2("Starting OCSP Request"); - if ((X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) || - !issuer_cert) { - /* - * Allow for external verify. - */ - RERROR("Couldn't get issuer_cert for %s", common_name); - do_verify = true; - } else { - /* - * Do the full OCSP checks. - * - * If they fail, don't run the external verify. We don't want - * to allow admins to force authentication success for bad - * certificates. - * - * If the OCSP checks succeed, check whether we still want to - * run the external verification routine. If it's marked as - * "skip verify on OK", then we don't do verify. - */ - my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf); - if (my_ok != OCSP_STATUS_FAILED) { - do_verify = !conf->verify_skip_if_ocsp_ok; - } + /* + * If we don't have an issuer, then we can't send + * and OCSP request, but pass the NULL issuer in + * so ocsp_check can decide on the correct + * return code. + */ + issuer_cert = X509_STORE_CTX_get0_current_issuer(ctx); + + /* + * Do the full OCSP checks. + * + * If they fail, don't run the external verify. We don't want + * to allow admins to force authentication success for bad + * certificates. + * + * If the OCSP checks succeed, check whether we still want to + * run the external verification routine. If it's marked as + * "skip verify on OK", then we don't do verify. + */ + my_ok = ocsp_check(request, ocsp_store, issuer_cert, client_cert, conf); + if (my_ok != OCSP_STATUS_FAILED) { + do_verify = !conf->verify_skip_if_ocsp_ok; } } }
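Review bot: in the first hunk (ocsp_check, around line 1750) the new `if (issuer_cert == NULL)` branch does an unconditional `goto skipped;`, while the commit message says the skip is only allowed when the configuration permits softfail; the `skipped:` label is not visible in this patch, so please confirm that it returns OCSP_STATUS_FAILED unless conf->ocsp_softfail (or whatever the softfail option is called in this tree) is set, otherwise a client certificate whose issuer cannot be determined bypasses revocation checking silently. Logging only at RWDEBUG level also seems low for this case: the chain has already been validated at this point, so a missing issuer is unexpected and is worth a warning that names the certificate being checked.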
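Review bot: in the second hunk (cbtls_verify) the fallback behaviour for a missing issuer changes and the result should be stated explicitly. The removed code set `do_verify = true;` when no issuer was found, so the external verification program still ran; the new code passes the NULL issuer into ocsp_check and then applies `do_verify = !conf->verify_skip_if_ocsp_ok;` to every result other than OCSP_STATUS_FAILED, so if ocsp_check reports the skipped case with a non-failed status, "skip verify on OK" now also skips external verification for a certificate that was never OCSP-checked. Consider treating the skipped status separately here (only skip the external verify on a real OCSP OK). Two smaller points: replacing `X509_STORE_CTX_get1_issuer()` with `X509_STORE_CTX_get0_current_issuer()` changes ownership of `issuer_cert` from a reference the caller must free to a borrowed pointer, so any `X509_free(issuer_cert)` further down in this function (not shown in the hunk) has to be removed to avoid a double free; and the new comment reads "we can't send and OCSP request", which should be "an OCSP request".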