Do OCSP checks only if we got issuer_cert. Closes #756
authorAlan T. DeKok <aland@freeradius.org>
Sun, 26 Oct 2014 13:57:48 +0000 (09:57 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Sun, 26 Oct 2014 13:57:48 +0000 (09:57 -0400)
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c

index 180fcac..86d7306 100644 (file)
@@ -847,10 +847,11 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 #ifdef HAVE_OPENSSL_OCSP_H
                if (my_ok && conf->ocsp_enable){
                        RDEBUG2("--> Starting OCSP Request");
-                       if(X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert)!=1) {
+                       if (X509_STORE_CTX_get1_issuer(&issuer_cert, ctx, client_cert) != 1) {
                                radlog(L_ERR, "Error: Couldn't get issuer_cert for %s", common_name);
+                       } else {
+                               my_ok = ocsp_check(ocsp_store, issuer_cert, client_cert, conf);
                        }
-                       my_ok = ocsp_check(ocsp_store, issuer_cert, client_cert, conf);
                }
 #endif
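Review bot: In the failure branch of `X509_STORE_CTX_get1_issuer` only `radlog` runs and `my_ok` keeps its previous true value, so with `conf->ocsp_enable` set, a client certificate whose issuer cannot be found skips the revocation check and, as far as this hunk shows, is still treated as valid. If revocation checking is meant to be enforced, fail closed by adding `my_ok = 0;` after the `radlog` call, or make soft-fail an explicit configuration choice and log which policy applied. Separately, `issuer_cert` comes from a get1 call, which hands the caller a reference it owns; no `X509_free(issuer_cert)` is visible here, so confirm it is released in `ocsp_check` or later in `cbtls_verify`, whose body starts and ends outside this hunk.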