FR 3.0.11, RadSec, validation via an external command
Martin Stanislav
ms at uakom.sk
Fri Sep 23 15:32:20 CEST 2016
On Wed, Sep 21, 2016 at 09:45:08AM -0400, Alan DeKok wrote:
> >
> # If OCSP checking is enabled, and the OCSP checks fail,
> # the verify section is skipped.
>
> You should be able to run the external command without OCSP.
That makes sense. But as I understand the code, it doesn't allow
for an external command without OCSP enabled. I think I even tested it.
Also, the following two lines in the verify stanza (eap module) don't
make things clear enough:
# If the OCSP checks succeed, the verify section
# is run to allow additional checks.
> > Issue 1 (OCSP checks fail for a RadSec client):
> OK, that makes sense. I'll push a fix.
Thanks for pushing the fix.
> > Issue 2 (validation via external command blocked by if clause):
> >
> The problem is that your patch completely removes all of the logic about checking the OCSP status.
I admit I've oversimplified a bit.
> I'll push a fix which matches the comments in the code, and the documentation.
I see the patched code, commit c88614354f80bec0e0e777338e170474f2242212.
However, the documentation says:
* If OCSP returns skipped (2), we run the verify command, unless
* conf->verify_skip_if_ocsp_ok is true.
That demands one more modification to fit exactly:
- ((my_ok == OCSP_STATUS_SKIPPED) && conf->verify_skip_if_ocsp_ok))
+ ((my_ok == OCSP_STATUS_SKIPPED) && !conf->verify_skip_if_ocsp_ok))
The code will get even more convoluted, should it introduce a possibility
to run an external command (verify) when ocsp is disabled. See attached
nasty diff.
Thanks for your comments and care.
Martin
--- tls.c.orig 2016-09-21 17:34:44.000000000 +0200
+++ tls.c 2016-09-23 15:12:12.717252747 +0200
@@ -2216,9 +2216,9 @@
*/
if ((my_ok != OCSP_STATUS_FAILED)
#ifdef HAVE_OPENSSL_OCSP_H
- && conf->ocsp_enable &&
+ && (!conf->ocsp_enable || (conf->ocsp_enable &&
(((my_ok == OCSP_STATUS_OK) && !conf->verify_skip_if_ocsp_ok) ||
- ((my_ok == OCSP_STATUS_SKIPPED) && conf->verify_skip_if_ocsp_ok))
+ ((my_ok == OCSP_STATUS_SKIPPED) && !conf->verify_skip_if_ocsp_ok)))
#endif
) while (conf->verify_client_cert_cmd) {
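Review bot: the first `+` line, `&& (!conf->ocsp_enable || (conf->ocsp_enable &&`, re-tests `conf->ocsp_enable` inside the right operand of the `||` even though the left operand already covers the case where it is false; `!A || (A && B)` is just `!A || B`, so the inner `conf->ocsp_enable &&` and one level of parentheses can be dropped. Since the second `+` line now uses `!conf->verify_skip_if_ocsp_ok` for the SKIPPED case as well as the OK case (which is what the quoted doc comment, "we run the verify command, unless conf->verify_skip_if_ocsp_ok is true", asks for), the guarded part collapses to `&& (!conf->ocsp_enable || ((my_ok == OCSP_STATUS_OK || my_ok == OCSP_STATUS_SKIPPED) && !conf->verify_skip_if_ocsp_ok))`, which reads more easily than three nested parenthesised groups. The comment block above this `if` (not shown in the hunk, but quoted earlier in the thread as "If the OCSP checks succeed, the verify section is run") should be updated in the same change to say that the command also runs when OCSP is disabled, otherwise the code and the comments drift apart again.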
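To make the disagreement discussed above concrete, here is an added example (not FreeRADIUS code, and not part of the original mail) that models three predicates over every combination of OCSP result, `ocsp_enable` and `verify_skip_if_ocsp_ok`: the rule as the quoted doc comment states it, the condition in the `-` lines of the attached diff, and the condition in the `+` lines. The status values are assumptions; the page only states that "skipped" is 2. A counter of mismatches against the documented rule shows where each condition departs from it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed status codes: the quoted doc comment only says that "skipped" is 2. */
enum { OCSP_STATUS_FAILED = 0, OCSP_STATUS_OK = 1, OCSP_STATUS_SKIPPED = 2 };

typedef bool (*verify_pred)(int my_ok, bool ocsp_enable, bool skip_if_ok);

/* The rule as the quoted documentation describes it:
 * - never run the command after an OCSP failure;
 * - always run it when OCSP is disabled;
 * - on OK or SKIPPED, run it unless verify_skip_if_ocsp_ok is set. */
static bool documented_rule(int my_ok, bool ocsp_enable, bool skip_if_ok) {
    if (my_ok == OCSP_STATUS_FAILED) return false;
    if (!ocsp_enable) return true;
    if (my_ok == OCSP_STATUS_OK || my_ok == OCSP_STATUS_SKIPPED) return !skip_if_ok;
    return false;
}

/* Condition as it stands in the '-' lines of the attached diff. */
static bool condition_before_diff(int my_ok, bool ocsp_enable, bool skip_if_ok) {
    return (my_ok != OCSP_STATUS_FAILED)
        && ocsp_enable
        && (((my_ok == OCSP_STATUS_OK) && !skip_if_ok)
            || ((my_ok == OCSP_STATUS_SKIPPED) && skip_if_ok));
}

/* Condition as it stands in the '+' lines of the attached diff. */
static bool condition_after_diff(int my_ok, bool ocsp_enable, bool skip_if_ok) {
    return (my_ok != OCSP_STATUS_FAILED)
        && (!ocsp_enable || (ocsp_enable
            && (((my_ok == OCSP_STATUS_OK) && !skip_if_ok)
                || ((my_ok == OCSP_STATUS_SKIPPED) && !skip_if_ok))));
}

/* Walk all 12 combinations and count where `pred` disagrees with the
 * documented rule; optionally print each disagreement. */
static int count_mismatches(verify_pred pred, bool verbose) {
    static const int statuses[] = { OCSP_STATUS_FAILED, OCSP_STATUS_OK, OCSP_STATUS_SKIPPED };
    static const char *names[] = { "FAILED", "OK", "SKIPPED" };
    int mismatches = 0;
    for (int s = 0; s < 3; s++) {
        for (int enable = 0; enable < 2; enable++) {
            for (int skip = 0; skip < 2; skip++) {
                bool want = documented_rule(statuses[s], enable, skip);
                bool got = pred(statuses[s], enable, skip);
                if (want != got) {
                    mismatches++;
                    if (verbose) {
                        printf("  status=%s ocsp_enable=%d skip_if_ok=%d: doc=%d code=%d\n",
                               names[s], enable, skip, want, got);
                    }
                }
            }
        }
    }
    return mismatches;
}

int main(void) {
    printf("before diff, cases that differ from the documentation:\n");
    int before = count_mismatches(condition_before_diff, true);
    printf("  total: %d\n", before);
    printf("after diff, cases that differ from the documentation:\n");
    int after = count_mismatches(condition_after_diff, true);
    printf("  total: %d\n", after);
    return after == 0 ? 0 : 1;
}
```

The six mismatches reported for the pre-diff condition are exactly the two points raised in the mail: every OK or SKIPPED case with OCSP disabled (the command never runs), and both SKIPPED cases with OCSP enabled (the `verify_skip_if_ocsp_ok` sense is inverted).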