6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
26 void cbtls_info(const SSL *s, int where, int ret)
28 const char *str, *state;
31 w = where & ~SSL_ST_MASK;
32 if (w & SSL_ST_CONNECT) str=" TLS_connect";
33 else if (w & SSL_ST_ACCEPT) str=" TLS_accept";
36 state = SSL_state_string_long(s);
37 state = state ? state : "NULL";
39 if (where & SSL_CB_LOOP) {
40 if (debug_flag) radlog(L_INFO, "%s: %s\n", str, state);
41 } else if (where & SSL_CB_HANDSHAKE_START) {
42 if (debug_flag) radlog(L_INFO, "%s: %s\n", str, state);
43 } else if (where & SSL_CB_HANDSHAKE_DONE) {
44 radlog(L_INFO, "%s: %s\n", str, state);
45 } else if (where & SSL_CB_ALERT) {
46 str=(where & SSL_CB_READ)?"read":"write";
47 radlog(L_ERR,"TLS Alert %s:%s:%s\n", str,
48 SSL_alert_type_string_long(ret),
49 SSL_alert_desc_string_long(ret));
50 } else if (where & SSL_CB_EXIT) {
52 radlog(L_ERR, "%s:failed in %s\n", str, state);
54 radlog(L_ERR, "%s:error in %s\n", str, state);
59 * Before trusting a certificate, you must make sure that the
60 * certificate is 'valid'. There are several steps that your
61 * application can take in determining if a certificate is
62 * valid. Commonly used steps are:
64 * 1.Verifying the certificate's signature, and verifying that
65 * the certificate has been issued by a trusted Certificate
68 * 2.Verifying that the certificate is valid for the present date
69 * (i.e. it is being presented within its validity dates).
71 * 3.Verifying that the certificate has not been revoked by its
72 * issuing Certificate Authority, by checking with respect to a
73 * Certificate Revocation List (CRL).
75 * 4.Verifying that the credentials presented by the certificate
76 * fulfill additional requirements specific to the application,
77 * such as with respect to access control lists or with respect
78 * to OCSP (Online Certificate Status Processing).
80 * NOTE: This callback will be called multiple times based on the
81 * depth of the root certificate chain
83 int cbtls_verify(int ok, X509_STORE_CTX *ctx)
85 char subject[256]; /* Used for the subject name */
86 char issuer[256]; /* Used for the issuer name */
89 EAP_HANDLER *handler = NULL;
96 client_cert = X509_STORE_CTX_get_current_cert(ctx);
97 err = X509_STORE_CTX_get_error(ctx);
98 depth = X509_STORE_CTX_get_error_depth(ctx);
101 radlog(L_ERR,"--> verify error:num=%d:%s\n",err,
102 X509_verify_cert_error_string(err));
104 * Catch too long Certificate chains
108 * Retrieve the pointer to the SSL of the connection currently treated
109 * and the application specific data stored into the SSL object.
111 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
112 handler = (EAP_HANDLER *)SSL_get_ex_data(ssl, 0);
113 conf = (EAP_TLS_CONF *)SSL_get_ex_data(ssl, 1);
116 * Get the Subject & Issuer
118 subject[0] = issuer[0] = '\0';
119 X509_NAME_oneline(X509_get_subject_name(client_cert), subject, 256);
120 X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256);
123 * Get the Common Name
125 X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
126 NID_commonName, buf, 256);
128 switch (ctx->error) {
130 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
131 radlog(L_ERR, "issuer= %s\n", issuer);
133 case X509_V_ERR_CERT_NOT_YET_VALID:
134 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
135 radlog(L_ERR, "notBefore=");
137 ASN1_TIME_print(bio_err, X509_get_notBefore(ctx->current_cert));
140 case X509_V_ERR_CERT_HAS_EXPIRED:
141 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
142 radlog(L_ERR, "notAfter=");
144 ASN1_TIME_print(bio_err, X509_get_notAfter(ctx->current_cert));
150 * If we're at the actual client cert and the conf tells
151 * us to, check the CN in the cert against the xlat'ed
154 if (depth == 0 && conf->check_cert_cn != NULL) {
155 if (!radius_xlat(cn_str, sizeof(cn_str), conf->check_cert_cn, handler->request, NULL)) {
156 radlog(L_ERR, "rlm_eap_tls (%s): xlat failed.",
157 conf->check_cert_cn);
158 /* if this fails, fail the verification */
161 DEBUG2(" rlm_eap_tls: checking certificate CN (%s) with xlat'ed value (%s)", buf, cn_str);
162 if (strncmp(cn_str, buf, sizeof(buf)) != 0) {
164 radlog(L_AUTH, "rlm_eap_tls: Certificate CN (%s) does not match specified value (%s)!", buf, cn_str);
168 if (debug_flag > 0) {
169 radlog(L_INFO, "chain-depth=%d, ", depth);
175 radlog(L_INFO, "error=%d", err);
177 radlog(L_INFO, "--> User-Name = %s", handler->identity);
178 radlog(L_INFO, "--> BUF-Name = %s", buf);
179 radlog(L_INFO, "--> subject = %s", subject);
180 radlog(L_INFO, "--> issuer = %s", issuer);
181 radlog(L_INFO, "--> verify return:%d", my_ok);
188 * Fill in our 'info' with TLS data.
190 void cbtls_msg(int write_p, int msg_version, int content_type,
191 const void *buf, size_t len,
192 SSL *ssl UNUSED, void *arg)
194 tls_session_t *state = (tls_session_t *)arg;
196 state->info.origin = (unsigned char)write_p;
197 state->info.content_type = (unsigned char)content_type;
198 state->info.record_len = len;
199 state->info.version = msg_version;
200 state->info.initialized = 1;
202 if (content_type == SSL3_RT_ALERT) {
203 state->info.alert_level = ((const unsigned char*)buf)[0];
204 state->info.alert_description = ((const unsigned char*)buf)[1];
205 state->info.handshake_type = 0x00;
207 } else if (content_type == SSL3_RT_HANDSHAKE) {
208 state->info.handshake_type = ((const unsigned char*)buf)[0];
209 state->info.alert_level = 0x00;
210 state->info.alert_description = 0x00;
212 tls_session_information(state);
215 int cbtls_password(char *buf,
220 strcpy(buf, (char *)userdata);
221 return(strlen((char *)userdata));
224 RSA *cbtls_rsa(SSL *s UNUSED, int is_export UNUSED, int keylength)
226 static RSA *rsa_tmp=NULL;
228 if (rsa_tmp == NULL) {
229 radlog(L_INFO, "Generating temp (%d bit) RSA key...", keylength);
230 rsa_tmp=RSA_generate_key(keylength, RSA_F4, NULL, NULL);
235 #endif /* !defined(NO_OPENSSL) */