From 5e698b407dcac2bc45cf03484bac4398109d25c3 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Mon, 22 Jun 2015 15:27:32 -0400
Subject: [PATCH] Set X509_V_FLAG_CRL_CHECK_ALL

---
 raddb/eap.conf | 6 +++++-
 src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 10 ++++++++++
 src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h | 1 +
 3 files changed, 16 insertions(+), 1 deletion(-)

--- a/raddb/eap.conf
+++ b/raddb/eap.conf
@@ -232,9 +232,13 @@
 	# 1) Copy CA certificates and CRLs to same directory.
 	# 2) Execute 'c_rehash '.
 	# 'c_rehash' is OpenSSL's command.
-	# 3) uncomment the line below.
+	# 3) uncomment the lines below.
 	# 5) Restart radiusd
 	# check_crl = yes
+
+	# Check if intermediate CAs have been revoked. # check_all_crl = yes
+
 	CA_path = ${cadir}
 #
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -120,6 +120,8 @@ static CONF_PARSER module_config[] = {
 	  offsetof(EAP_TLS_CONF, include_length), NULL, "yes" },
 	{ "check_crl", PW_TYPE_BOOLEAN,
 	  offsetof(EAP_TLS_CONF, check_crl), NULL, "no"},
+	{ "check_all_crl", PW_TYPE_BOOLEAN,
+	  offsetof(EAP_TLS_CONF, check_all_crl), NULL, "no"},
 	{ "allow_expired_crl", PW_TYPE_BOOLEAN,
 	  offsetof(EAP_TLS_CONF, allow_expired_crl), NULL, NULL},
 	{ "check_cert_cn", PW_TYPE_STRING_PTR,
@@ -947,6 +949,10 @@ static X509_STORE *init_revocation_store
 	if (conf->check_crl)
 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
 #endif
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+	if (conf->check_all_crl)
+		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
 	return store;
 }
 #endif /* HAVE_OPENSSL_OCSP_H */
@@ -1203,6 +1209,10 @@ static SSL_CTX *init_tls_ctx(EAP_TLS_CON
 		return NULL;
 	}
 	X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
+
+	if (conf->check_all_crl) {
+		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK_ALL);
+	}
 }
 #endif
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.h
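Review bot: The new `# check_all_crl = yes` comment does not say that the option is a no-op on its own: in the rlm_eap_tls.c hunk at @@ -1203 the flag is set inside the block that also sets X509_V_FLAG_CRL_CHECK (that block opens outside the hunk, so this is inferred from the closing brace), and OpenSSL ignores X509_V_FLAG_CRL_CHECK_ALL unless X509_V_FLAG_CRL_CHECK is also set. An administrator who sets only `check_all_crl = yes` therefore gets no CRL checking at all, which is the opposite of what the comment suggests. Suggest `# Also check the CRLs of the intermediate CAs, not just the one` / `# covering the client certificate.  Requires check_crl = yes.` / `# check_all_crl = yes`. The renumbered step list still jumps from 3) to 5); that predates this change but is worth fixing while these lines are touched.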
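Review bot: The `#ifdef X509_V_FLAG_CRL_CHECK_ALL` guard added in init_revocation_store is not mirrored in the init_tls_ctx hunk (@@ -1203), where the same flag is used unconditionally, so the two sites disagree about whether the macro can be absent; either drop the guard here or add it there, otherwise the build breaks in exactly the environment the guard was written for. Independently of that, this site sets X509_V_FLAG_CRL_CHECK_ALL even when `conf->check_crl` is false, but OpenSSL only honours CRL_CHECK_ALL when CRL_CHECK is also set, so `check_all_crl = yes` with `check_crl = no` silently performs no revocation checking on this store; `if (conf->check_crl && conf->check_all_crl)` makes the dependency explicit, and a configuration-time warning for that combination would be better still. The two hunks also differ in brace style for the one-statement `if`; pick one. init_revocation_store begins outside the hunk.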
@@ -57,6 +57,7 @@ typedef struct eap_tls_conf {
 	 */
 	int fragment_size;
 	int check_crl;
+	int check_all_crl;
 	int allow_expired_crl;
 	char *check_cert_cn;
 	char *cipher_list;
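Review bot: The new `check_all_crl` member carries no comment, while its meaning depends on another field: it maps to OpenSSL's X509_V_FLAG_CRL_CHECK_ALL and only has an effect when `check_crl` is also set. Suggest `int check_all_crl;	/* X509_V_FLAG_CRL_CHECK_ALL: CRL-check every CA in the chain, not just the leaf; requires check_crl */`. The eap_tls_conf struct begins outside the hunk.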