Set X509_V_FLAG_CRL_CHECK_ALL
authorAlan T. DeKok <aland@freeradius.org>
Mon, 22 Jun 2015 19:27:32 +0000 (15:27 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Mon, 22 Jun 2015 19:27:32 +0000 (15:27 -0400)
raddb/eap.conf
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h

index 95bebe4..ac93fd2 100644 (file)
                        #  1) Copy CA certificates and CRLs to same directory.
                        #  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
                        #    'c_rehash' is OpenSSL's command.
-                       #  3) uncomment the line below.
+                       #  3) uncomment the lines below.
                        #  5) Restart radiusd
                #       check_crl = yes
+
+                       # Check if intermediate CAs have been revoked.
+               #       check_all_crl = yes
+
                        CA_path = ${cadir}
 
                       #
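Review bot: The new example `#       check_all_crl = yes` reads as a stand-alone option, but the flag it maps to (X509_V_FLAG_CRL_CHECK_ALL) only has an effect when X509_V_FLAG_CRL_CHECK is also set, so an operator who uncomments it while leaving check_crl disabled gets no CRL checking and no error. Make that explicit in the comment above it: `# Check if intermediate CAs have been revoked.  Only has effect when check_crl is also enabled.` The numbered steps in the surrounding context skip from 3) to 5); that is pre-existing, but worth fixing while the list is being edited.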
index a958d04..aac26bc 100644 (file)
@@ -120,6 +120,8 @@ static CONF_PARSER module_config[] = {
          offsetof(EAP_TLS_CONF, include_length), NULL, "yes" },
        { "check_crl", PW_TYPE_BOOLEAN,
          offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
+       { "check_all_crl", PW_TYPE_BOOLEAN,
+         offsetof(EAP_TLS_CONF, check_all_crl), NULL, "no"},
        { "allow_expired_crl", PW_TYPE_BOOLEAN,
          offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, NULL},
        { "check_cert_cn", PW_TYPE_STRING_PTR,
@@ -976,6 +978,10 @@ static X509_STORE *init_revocation_store(EAP_TLS_CONF *conf)
        if (conf->check_crl)
                X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
 #endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+       if (conf->check_all_crl)
+               X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
        return store;
 }
 #endif /* HAVE_OPENSSL_OCSP_H */
@@ -1240,6 +1246,10 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CONF *conf)
            return NULL;
          }
          X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+         if (conf->check_all_crl) {
+                 X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+         }
        }
 #endif
 
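Review bot: In the init_revocation_store hunk, `if (conf->check_all_crl)` sets X509_V_FLAG_CRL_CHECK_ALL independently of conf->check_crl, yet OpenSSL only honours CRL_CHECK_ALL when X509_V_FLAG_CRL_CHECK is also set, so `check_all_crl = yes` with `check_crl = no` silently performs no revocation checking on that store. Change the condition to `if (conf->check_crl && conf->check_all_crl)` so it matches the init_tls_ctx hunk, where the same flag is only set after X509_V_FLAG_CRL_CHECK, inside an `if` whose start is outside the hunk. The two hunks are also guarded differently: the first wraps the new flag in `#ifdef X509_V_FLAG_CRL_CHECK_ALL`, the second does not, although it appears to sit under some preprocessor guard closed by the `#endif` that follows; use the same guard in both places. Both enclosing functions begin outside their hunks.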
index b8dbd86..a09e618 100644 (file)
@@ -59,6 +59,7 @@ typedef struct eap_tls_conf {
         */
        int             fragment_size;
        int             check_crl;
+       int             check_all_crl;
        int             allow_expired_crl;
        char            *check_cert_cn;
        char            *cipher_list;