+ * These functions don't do anything other than print debugging
+ * messages.
+ *
+ * FIXME: Write sessions to some long-term storage, so that
+ * session resumption can still occur after the server
+ * restarts.
+ */
+#define MAX_SESSION_SIZE (256)
+
+static void cbtls_remove_session(UNUSED SSL_CTX *ctx, SSL_SESSION *sess)
+{
+ size_t size;
+ char buffer[2 * MAX_SESSION_SIZE + 1];
+
+ size = sess->session_id_length;
+ if (size > MAX_SESSION_SIZE) size = MAX_SESSION_SIZE;
+
+ fr_bin2hex(sess->session_id, buffer, size);
+
+ DEBUG2(" SSL: Removing session %s from the cache", buffer);
+ SSL_SESSION_free(sess);
+
+ return;
+}
+
+static int cbtls_new_session(UNUSED SSL *s, SSL_SESSION *sess)
+{
+ size_t size;
+ char buffer[2 * MAX_SESSION_SIZE + 1];
+
+ size = sess->session_id_length;
+ if (size > MAX_SESSION_SIZE) size = MAX_SESSION_SIZE;
+
+ fr_bin2hex(sess->session_id, buffer, size);
+
+ DEBUG2(" SSL: adding session %s to cache", buffer);
+
+ return 1;
+}
+
+static SSL_SESSION *cbtls_get_session(UNUSED SSL *s,
+ unsigned char *data, int len,
+ UNUSED int *copy)
+{
+ size_t size;
+ char buffer[2 * MAX_SESSION_SIZE + 1];
+
+ size = len;
+ if (size > MAX_SESSION_SIZE) size = MAX_SESSION_SIZE;
+
+ fr_bin2hex(data, buffer, size);
+
+ DEBUG2(" SSL: Client requested nonexistent cached session %s",
+ buffer);
+
+ return NULL;
+}
+
+/*
+ * For creating certificate attributes.
+ */
+static const char *cert_attr_names[5][2] = {
+ { "TLS-Client-Cert-Serial", "TLS-Cert-Serial" },
+ { "TLS-Client-Cert-Expiration", "TLS-Cert-Expiration" },
+ { "TLS-Client-Cert-Subject", "TLS-Cert-Subject" },
+ { "TLS-Client-Cert-Issuer", "TLS-Cert-Issuer" },
+ { "TLS-Client-Cert-Common-Name", "TLS-Cert-Common-Name" }
+};
+
+#define EAPTLS_SERIAL (0)
+#define EAPTLS_EXPIRATION (1)
+#define EAPTLS_SUBJECT (2)
+#define EAPTLS_ISSUER (3)
+#define EAPTLS_CN (4)
+
+/*
+ * Before trusting a certificate, you must make sure that the
+ * certificate is 'valid'. There are several steps that your
+ * application can take in determining if a certificate is
+ * valid. Commonly used steps are:
+ *
+ * 1.Verifying the certificate's signature, and verifying that
+ * the certificate has been issued by a trusted Certificate
+ * Authority.
+ *
+ * 2.Verifying that the certificate is valid for the present date
+ * (i.e. it is being presented within its validity dates).
+ *
+ * 3.Verifying that the certificate has not been revoked by its
+ * issuing Certificate Authority, by checking with respect to a
+ * Certificate Revocation List (CRL).
+ *
+ * 4.Verifying that the credentials presented by the certificate
+ * fulfill additional requirements specific to the application,
+ * such as with respect to access control lists or with respect
+ * to OCSP (Online Certificate Status Processing).
+ *
+ * NOTE: This callback will be called multiple times based on the
+ * depth of the root certificate chain
+ */
+static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+{
+ char subject[1024]; /* Used for the subject name */
+ char issuer[1024]; /* Used for the issuer name */
+ char common_name[1024];
+ char cn_str[1024];
+ char buf[64];
+ EAP_HANDLER *handler = NULL;
+ X509 *client_cert;
+ SSL *ssl;
+ int err, depth, lookup;
+ EAP_TLS_CONF *conf;
+ int my_ok = ok;
+ REQUEST *request;
+ ASN1_INTEGER *sn = NULL;
+ ASN1_TIME *asn_time = NULL;
+
+ client_cert = X509_STORE_CTX_get_current_cert(ctx);
+ err = X509_STORE_CTX_get_error(ctx);
+ depth = X509_STORE_CTX_get_error_depth(ctx);
+
+ lookup = depth;
+
+ /*
+ * Log client/issuing cert. If there's an error, log
+ * issuing cert.
+ */
+ if ((lookup > 1) && !my_ok) lookup = 1;
+
+ /*
+ * Retrieve the pointer to the SSL of the connection currently treated
+ * and the application specific data stored into the SSL object.
+ */
+ ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ handler = (EAP_HANDLER *)SSL_get_ex_data(ssl, 0);
+ request = handler->request;
+ conf = (EAP_TLS_CONF *)SSL_get_ex_data(ssl, 1);
+
+ /*
+ * Get the Serial Number
+ */
+ buf[0] = '\0';
+ sn = X509_get_serialNumber(client_cert);
+
+ /*
+ * For this next bit, we create the attributes *only* if
+ * we're at the client or issuing certificate.
+ */
+ if ((lookup <= 1) && sn && (sn->length < (sizeof(buf) / 2))) {
+ char *p = buf;
+ int i;
+
+ for (i = 0; i < sn->length; i++) {
+ sprintf(p, "%02x", (unsigned int)sn->data[i]);
+ p += 2;
+ }
+ pairadd(&handler->certs,
+ pairmake(cert_attr_names[EAPTLS_SERIAL][lookup], buf, T_OP_SET));
+ }
+
+
+ /*
+ * Get the Expiration Date
+ */
+ buf[0] = '\0';
+ asn_time = X509_get_notAfter(client_cert);
+ if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
+ memcpy(buf, (char*) asn_time->data, asn_time->length);
+ buf[asn_time->length] = '\0';
+ pairadd(&handler->certs,
+ pairmake(cert_attr_names[EAPTLS_EXPIRATION][lookup], buf, T_OP_SET));
+ }
+
+ /*
+ * Get the Subject & Issuer
+ */
+ subject[0] = issuer[0] = '\0';
+ X509_NAME_oneline(X509_get_subject_name(client_cert), subject,
+ sizeof(subject));
+ subject[sizeof(subject) - 1] = '\0';
+ if ((lookup <= 1) && subject[0] && (strlen(subject) < MAX_STRING_LEN)) {
+ pairadd(&handler->certs,
+ pairmake(cert_attr_names[EAPTLS_SUBJECT][lookup], subject, T_OP_SET));
+ }
+
+ X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer,
+ sizeof(issuer));
+ issuer[sizeof(issuer) - 1] = '\0';
+ if ((lookup <= 1) && issuer[0] && (strlen(issuer) < MAX_STRING_LEN)) {
+ pairadd(&handler->certs,
+ pairmake(cert_attr_names[EAPTLS_ISSUER][lookup], issuer, T_OP_SET));
+ }
+
+ /*
+ * Get the Common Name
+ */
+ X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
+ NID_commonName, common_name, sizeof(common_name));
+ common_name[sizeof(common_name) - 1] = '\0';
+ if ((lookup <= 1) && common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
+ pairadd(&handler->certs,
+ pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
+ }
+
+ if (!my_ok) {
+ const char *p = X509_verify_cert_error_string(err);
+ radlog(L_ERR,"--> verify error:num=%d:%s\n",err, p);
+ radius_pairmake(request, &request->packet->vps,
+ "Module-Failure-Message", p, T_OP_SET);
+ return my_ok;
+ }
+
+ switch (ctx->error) {
+
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ radlog(L_ERR, "issuer= %s\n", issuer);
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ radlog(L_ERR, "notBefore=");
+#if 0
+ ASN1_TIME_print(bio_err, X509_get_notBefore(ctx->current_cert));
+#endif
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ radlog(L_ERR, "notAfter=");
+#if 0
+ ASN1_TIME_print(bio_err, X509_get_notAfter(ctx->current_cert));
+#endif
+ break;
+ }
+
+ /*
+ * If we're at the actual client cert, apply additional
+ * checks.
+ */
+ if (depth == 0) {
+ /*
+ * If the conf tells us to, check cert issuer
+ * against the specified value and fail
+ * verification if they don't match.
+ */
+ if (conf->check_cert_issuer &&
+ (strcmp(issuer, conf->check_cert_issuer) != 0)) {
+ radlog(L_AUTH, "rlm_eap_tls: Certificate issuer (%s) does not match specified value (%s)!", issuer, conf->check_cert_issuer);
+ my_ok = 0;
+ }
+
+ /*
+ * If the conf tells us to, check the CN in the
+ * cert against xlat'ed value, but only if the
+ * previous checks passed.
+ */
+ if (my_ok && conf->check_cert_cn) {
+ if (!radius_xlat(cn_str, sizeof(cn_str), conf->check_cert_cn, handler->request, NULL)) {
+ radlog(L_ERR, "rlm_eap_tls (%s): xlat failed.",
+ conf->check_cert_cn);
+ /* if this fails, fail the verification */
+ my_ok = 0;
+ } else {
+ RDEBUG2("checking certificate CN (%s) with xlat'ed value (%s)", common_name, cn_str);
+ if (strcmp(cn_str, common_name) != 0) {
+ radlog(L_AUTH, "rlm_eap_tls: Certificate CN (%s) does not match specified value (%s)!", common_name, cn_str);
+ my_ok = 0;
+ }
+ }
+ } /* check_cert_cn */
+
+ while (conf->verify_client_cert_cmd) {
+ char filename[256];
+ FILE *fp;
+
+ snprintf(filename, sizeof(filename), "%s/%s.client.XXXXXXXX",
+ conf->verify_tmp_dir, progname);
+ if (mkstemp(filename) < 0) {
+ RDEBUG("Failed creating file in %s: %s",
+ conf->verify_tmp_dir, strerror(errno));
+ break;
+ }
+
+ fp = fopen(filename, "w");
+ if (!fp) {
+ RDEBUG("Failed opening file %s: %s",
+ filename, strerror(errno));
+ break;
+ }
+
+ if (!PEM_write_X509(fp, client_cert)) {
+ fclose(fp);
+ RDEBUG("Failed writing certificate to file");
+ goto do_unlink;
+ }
+ fclose(fp);
+
+ if (!radius_pairmake(request, &request->packet->vps,
+ "TLS-Client-Cert-Filename",
+ filename, T_OP_SET)) {
+ RDEBUG("Failed creating TLS-Client-Cert-Filename");
+
+ goto do_unlink;
+ }
+
+ RDEBUG("Verifying client certificate: %s",
+ conf->verify_client_cert_cmd);
+ if (radius_exec_program(conf->verify_client_cert_cmd,
+ request, 1, NULL, 0,
+ request->packet->vps,
+ NULL, 1) != 0) {
+ radlog(L_AUTH, "rlm_eap_tls: Certificate CN (%s) fails external verification!", common_name);
+ my_ok = 0;
+ } else {
+ RDEBUG("Client certificate CN %s passed external validation", common_name);
+ }
+
+ do_unlink:
+ unlink(filename);
+ break;
+ }
+
+
+ } /* depth == 0 */
+
+ if (debug_flag > 0) {
+ RDEBUG2("chain-depth=%d, ", depth);
+ RDEBUG2("error=%d", err);
+
+ RDEBUG2("--> User-Name = %s", handler->identity);
+ RDEBUG2("--> BUF-Name = %s", common_name);
+ RDEBUG2("--> subject = %s", subject);
+ RDEBUG2("--> issuer = %s", issuer);
+ RDEBUG2("--> verify return:%d", my_ok);
+ }
+ return my_ok;
+}
+
+
+/*
+ * Free cached session data, which is always a list of VALUE_PAIRs
+ */
+static void eaptls_session_free(UNUSED void *parent, void *data_ptr,
+ UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx,
+ UNUSED long argl, UNUSED void *argp)
+{
+ VALUE_PAIR *vp = data_ptr;
+ if (!data_ptr) return;
+
+ pairfree(&vp);
+}
+
+
+/*