#
ATTRIBUTE WiMAX-MN-NAI 1900 string
-ATTRIBUTE TLS-Cert 1901 tlv
-BEGIN-TLV TLS-Cert
+ATTRIBUTE TLS-Certificate 1901 tlv
+BEGIN-TLV TLS-Certificate
ATTRIBUTE Serial 1 octets
ATTRIBUTE Signature 2 octets
ATTRIBUTE Signature-Algorithm 3 string
ATTRIBUTE X509v3-Subject-Key-Identifier 15 string
ATTRIBUTE X509v3-Authority-Key-Identifier 16 string
ATTRIBUTE X509v3-Basic-Constraints 17 string
-END-TLV TLS-Cert
+END-TLV TLS-Certificate
ATTRIBUTE TLS-PSK-Identity 1933 string
ATTRIBUTE TLS-Session-Cert-File 1934 string
*/
RCSIDH(attrs_h, "$Id$")
-extern fr_dict_attr_t const *attr_tls_cert;
+extern fr_dict_attr_t const *attr_tls_certificate;
static uint32_t instance_count = 0;
-fr_dict_attr_t const *attr_tls_cert;
+fr_dict_attr_t const *attr_tls_certificate;
static fr_dict_t const *dict_freeradius; /*internal dictionary for server*/
extern fr_dict_attr_autoload_t curl_attr[];
fr_dict_attr_autoload_t curl_attr[] = {
- { .out = &attr_tls_cert, .name = "TLS-Cert", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate, .name = "TLS-Certificate", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
{ NULL }
};
struct curl_slist *cert_attrs;
fr_pair_t *container;
- MEM(container = fr_pair_afrom_da(request->request_ctx, attr_tls_cert));
+ MEM(container = fr_pair_afrom_da(request->request_ctx, attr_tls_certificate));
fr_pair_append(&cert_vps, container);
RDEBUG2("Processing certificate %i",i);
strlcpy(buffer, cert_attrs->data, (q - cert_attrs->data) + 1);
for (p = buffer; *p != '\0'; p++) if (*p == ' ') *p = '-';
- da = fr_dict_attr_by_name(NULL, attr_tls_cert, buffer);
+ da = fr_dict_attr_by_name(NULL, attr_tls_certificate, buffer);
if (!da) {
RDEBUG3("Skipping %s += '%s'", buffer, q + 1);
RDEBUG3("If this value is required, define attribute \"%s\"", buffer);
extern fr_dict_attr_t const *attr_allow_session_resumption;
extern fr_dict_attr_t const *attr_session_resumed;
-extern fr_dict_attr_t const *attr_tls_cert;
-extern fr_dict_attr_t const *attr_tls_cert_serial;
-extern fr_dict_attr_t const *attr_tls_cert_signature;
-extern fr_dict_attr_t const *attr_tls_cert_signature_algorithm;
-extern fr_dict_attr_t const *attr_tls_cert_issuer;
-extern fr_dict_attr_t const *attr_tls_cert_not_before;
-extern fr_dict_attr_t const *attr_tls_cert_not_after;
-extern fr_dict_attr_t const *attr_tls_cert_subject;
-extern fr_dict_attr_t const *attr_tls_cert_common_name;
-extern fr_dict_attr_t const *attr_tls_cert_subject_alt_name_dns;
-extern fr_dict_attr_t const *attr_tls_cert_subject_alt_name_email;
-extern fr_dict_attr_t const *attr_tls_cert_subject_alt_name_upn;
-extern fr_dict_attr_t const *attr_tls_cert_x509v3_extended_key_usage;
-extern fr_dict_attr_t const *attr_tls_cert_x509v3_subject_key_identifier;
-extern fr_dict_attr_t const *attr_tls_cert_x509v3_authority_key_identifier;
-extern fr_dict_attr_t const *attr_tls_cert_x509v3_basic_constraints;
+extern fr_dict_attr_t const *attr_tls_certificate;
+extern fr_dict_attr_t const *attr_tls_certificate_serial;
+extern fr_dict_attr_t const *attr_tls_certificate_signature;
+extern fr_dict_attr_t const *attr_tls_certificate_signature_algorithm;
+extern fr_dict_attr_t const *attr_tls_certificate_issuer;
+extern fr_dict_attr_t const *attr_tls_certificate_not_before;
+extern fr_dict_attr_t const *attr_tls_certificate_not_after;
+extern fr_dict_attr_t const *attr_tls_certificate_subject;
+extern fr_dict_attr_t const *attr_tls_certificate_common_name;
+extern fr_dict_attr_t const *attr_tls_certificate_subject_alt_name_dns;
+extern fr_dict_attr_t const *attr_tls_certificate_subject_alt_name_email;
+extern fr_dict_attr_t const *attr_tls_certificate_subject_alt_name_upn;
+extern fr_dict_attr_t const *attr_tls_certificate_x509v3_extended_key_usage;
+extern fr_dict_attr_t const *attr_tls_certificate_x509v3_subject_key_identifier;
+extern fr_dict_attr_t const *attr_tls_certificate_x509v3_authority_key_identifier;
+extern fr_dict_attr_t const *attr_tls_certificate_x509v3_basic_constraints;
extern fr_dict_attr_t const *attr_tls_client_error_code;
extern fr_dict_attr_t const *attr_tls_ocsp_cert_valid;
/*
* Certificate decoding attributes
*/
-fr_dict_attr_t const *attr_tls_cert;
-fr_dict_attr_t const *attr_tls_cert_serial;
-fr_dict_attr_t const *attr_tls_cert_signature;
-fr_dict_attr_t const *attr_tls_cert_signature_algorithm;
-fr_dict_attr_t const *attr_tls_cert_issuer;
-fr_dict_attr_t const *attr_tls_cert_not_before;
-fr_dict_attr_t const *attr_tls_cert_not_after;
-fr_dict_attr_t const *attr_tls_cert_subject;
-fr_dict_attr_t const *attr_tls_cert_common_name;
-fr_dict_attr_t const *attr_tls_cert_subject_alt_name_dns;
-fr_dict_attr_t const *attr_tls_cert_subject_alt_name_email;
-fr_dict_attr_t const *attr_tls_cert_subject_alt_name_upn;
-fr_dict_attr_t const *attr_tls_cert_x509v3_extended_key_usage;
-fr_dict_attr_t const *attr_tls_cert_x509v3_subject_key_identifier;
-fr_dict_attr_t const *attr_tls_cert_x509v3_authority_key_identifier;
-fr_dict_attr_t const *attr_tls_cert_x509v3_basic_constraints;
+fr_dict_attr_t const *attr_tls_certificate;
+fr_dict_attr_t const *attr_tls_certificate_serial;
+fr_dict_attr_t const *attr_tls_certificate_signature;
+fr_dict_attr_t const *attr_tls_certificate_signature_algorithm;
+fr_dict_attr_t const *attr_tls_certificate_issuer;
+fr_dict_attr_t const *attr_tls_certificate_not_before;
+fr_dict_attr_t const *attr_tls_certificate_not_after;
+fr_dict_attr_t const *attr_tls_certificate_subject;
+fr_dict_attr_t const *attr_tls_certificate_common_name;
+fr_dict_attr_t const *attr_tls_certificate_subject_alt_name_dns;
+fr_dict_attr_t const *attr_tls_certificate_subject_alt_name_email;
+fr_dict_attr_t const *attr_tls_certificate_subject_alt_name_upn;
+fr_dict_attr_t const *attr_tls_certificate_x509v3_extended_key_usage;
+fr_dict_attr_t const *attr_tls_certificate_x509v3_subject_key_identifier;
+fr_dict_attr_t const *attr_tls_certificate_x509v3_authority_key_identifier;
+fr_dict_attr_t const *attr_tls_certificate_x509v3_basic_constraints;
fr_dict_attr_t const *attr_tls_client_error_code;
fr_dict_attr_t const *attr_tls_ocsp_cert_valid;
/*
* Certificate decoding attributes
*/
- { .out = &attr_tls_cert, .name = "TLS-Cert", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_serial, .name = "TLS-Cert.Serial", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_signature, .name = "TLS-Cert.Signature", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_signature_algorithm, .name = "TLS-Cert.Signature-Algorithm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_issuer, .name = "TLS-Cert.Issuer", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_not_before, .name = "TLS-Cert.Not-Before", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_not_after, .name = "TLS-Cert.Not-After", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_subject, .name = "TLS-Cert.Subject", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_common_name, .name = "TLS-Cert.Common-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_subject_alt_name_dns, .name = "TLS-Cert.Subject-Alt-Name-Dns", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_subject_alt_name_email, .name = "TLS-Cert.Subject-Alt-Name-Email", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_subject_alt_name_upn, .name = "TLS-Cert.Subject-Alt-Name-Upn", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_x509v3_extended_key_usage, .name = "TLS-Cert.X509v3-Extended-Key-Usage", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_x509v3_subject_key_identifier, .name = "TLS-Cert.X509v3-Subject-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_x509v3_authority_key_identifier, .name = "TLS-Cert.X509v3-Authority-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_cert_x509v3_basic_constraints, .name = "TLS-Cert.X509v3-Basic-Constraints", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate, .name = "TLS-Certificate", .type = FR_TYPE_TLV, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_serial, .name = "TLS-Certificate.Serial", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_signature, .name = "TLS-Certificate.Signature", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_signature_algorithm, .name = "TLS-Certificate.Signature-Algorithm", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_issuer, .name = "TLS-Certificate.Issuer", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_not_before, .name = "TLS-Certificate.Not-Before", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_not_after, .name = "TLS-Certificate.Not-After", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_subject, .name = "TLS-Certificate.Subject", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_common_name, .name = "TLS-Certificate.Common-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_subject_alt_name_dns, .name = "TLS-Certificate.Subject-Alt-Name-Dns", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_subject_alt_name_email, .name = "TLS-Certificate.Subject-Alt-Name-Email", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_subject_alt_name_upn, .name = "TLS-Certificate.Subject-Alt-Name-Upn", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_x509v3_extended_key_usage, .name = "TLS-Certificate.X509v3-Extended-Key-Usage", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_x509v3_subject_key_identifier, .name = "TLS-Certificate.X509v3-Subject-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_x509v3_authority_key_identifier, .name = "TLS-Certificate.X509v3-Authority-Key-Identifier", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_certificate_x509v3_basic_constraints, .name = "TLS-Certificate.X509v3-Basic-Constraints", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
{ .out = &attr_tls_client_error_code, .name = "TLS-Client-Error-Code", .type = FR_TYPE_UINT8, .dict = &dict_freeradius },
{ .out = &attr_tls_ocsp_cert_valid, .name = "TLS-OCSP-Cert-Valid", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
/*
* Subject
*/
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_subject) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_subject) == 0);
if (unlikely(X509_NAME_print_ex(fr_tls_bio_dbuff_thread_local(vp, 256, 0),
X509_get_subject_name(cert), 0, XN_FLAG_ONELINE) < 0)) {
fr_tls_bio_dbuff_thread_local_clear();
if (slen > 0) {
char *cn;
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_common_name) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_common_name) == 0);
MEM(fr_pair_value_bstr_alloc(vp, &cn, (size_t)slen, true) == 0); /* Allocs \0 byte in addition to len */
slen = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, cn, (size_t)slen + 1);
X509_get0_signature(&sig, &alg, cert);
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_signature) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_signature) == 0);
MEM(fr_pair_value_memdup(vp,
(uint8_t const *)ASN1_STRING_get0_data(sig),
ASN1_STRING_length(sig), true) == 0);
OBJ_obj2txt(buff, sizeof(buff), alg->algorithm, 0);
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_signature_algorithm) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_signature_algorithm) == 0);
fr_pair_value_strdup(vp, buff);
}
/*
* Issuer
*/
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_issuer) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_issuer) == 0);
if (unlikely(X509_NAME_print_ex(fr_tls_bio_dbuff_thread_local(vp, 256, 0),
X509_get_issuer_name(cert), 0, XN_FLAG_ONELINE) < 0)) {
fr_tls_bio_dbuff_thread_local_clear();
goto error;
}
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_serial) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_serial) == 0);
MEM(fr_pair_value_memdup(vp, serial->data, serial->length, true) == 0);
}
goto error;
}
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_not_before) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_not_before) == 0);
vp->vp_date = fr_unix_time_from_sec(time);
/*
goto error;
}
- MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_cert_not_after) == 0);
+ MEM(fr_pair_append_by_da(ctx, &vp, pair_list, attr_tls_certificate_not_after) == 0);
vp->vp_date = fr_unix_time_from_sec(time);
/*
#ifdef GEN_EMAI
case GEN_EMAIL:
MEM(fr_pair_append_by_da(ctx, &vp, pair_list,
- attr_tls_cert_subject_alt_name_email) == 0);
+ attr_tls_certificate_subject_alt_name_email) == 0);
MEM(fr_pair_value_bstrndup(vp,
(char const *)ASN1_STRING_get0_data(name->d.rfc822Name),
ASN1_STRING_length(name->d.rfc822Name), true) == 0);
#ifdef GEN_DNS
case GEN_DNS:
MEM(fr_pair_append_by_da(ctx, &vp, pair_list,
- attr_tls_cert_subject_alt_name_dns) == 0);
+ attr_tls_certificate_subject_alt_name_dns) == 0);
MEM(fr_pair_value_bstrndup(vp,
(char const *)ASN1_STRING_get0_data(name->d.dNSName),
ASN1_STRING_length(name->d.dNSName), true) == 0);
/* we've got a UPN - Must be ASN1-encoded UTF8 string */
if (name->d.otherName->value->type == V_ASN1_UTF8STRING) {
MEM(fr_pair_append_by_da(ctx, &vp, pair_list,
- attr_tls_cert_subject_alt_name_upn) == 0);
+ attr_tls_certificate_subject_alt_name_upn) == 0);
MEM(fr_pair_value_bstrndup(vp,
(char const *)ASN1_STRING_get0_data(name->d.otherName->value->value.utf8string),
ASN1_STRING_length(name->d.otherName->value->value.utf8string),
goto again;
}
- da = fr_dict_attr_by_name(NULL, attr_tls_cert, (char *)fr_dbuff_current(out));
+ da = fr_dict_attr_by_name(NULL, attr_tls_certificate, (char *)fr_dbuff_current(out));
+
+ fr_dbuff_set(in, fr_dbuff_current(in) - 1); /* Ensure the \0 isn't counted in remaining */
+
if (!da) {
RWDEBUG3("Skipping attribute %pV: "
"Add a dictionary definition if you want to access it",
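Review bot: The added rewind `fr_dbuff_set(in, fr_dbuff_current(in) - 1);` discards the setter's result, so a position that falls before the start of `in` would pass silently; if `fr_dbuff_set` reports an out-of-range position through a negative return, that status should be checked rather than dropped. The comment says the `\0` must not be counted in remaining, which implies the scan preceding this hunk advanced `in` past a terminator it found; that scan and the function's start are outside the hunk, so I cannot confirm that every path reaching this line has consumed exactly one terminator byte. Suggest naming the precondition in the comment, e.g. `/* Rewind over the NUL consumed by the name scan above so the caller sees it as unconsumed; requires at least one byte consumed */`, and checking the return value. The enclosing function continues outside the hunk on both sides.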
}
if (verify_applies(conf->verify.pair_mode, depth, untrusted) &&
- (!(container = fr_pair_find_by_da(&request->session_state_pairs, attr_tls_cert, depth)) ||
+ (!(container = fr_pair_find_by_da(&request->session_state_pairs, attr_tls_certificate, depth)) ||
fr_pair_list_empty(&container->vp_group))) {
if (!container) {
unsigned int i;
*
* OpenSSL passes us the deepest certificate
* first, so we need to build out sufficient
- * TLS-Cert container TLVs so the TLS-Cert
+ * TLS-Certificate container TLVs so the TLS-Certificate
* indexes match the attribute depth.
*/
- for (i = fr_pair_count_by_da(&request->session_state_pairs, attr_tls_cert);
+ for (i = fr_pair_count_by_da(&request->session_state_pairs, attr_tls_certificate);
i <= (unsigned int)depth;
i++) {
- MEM(container = fr_pair_afrom_da(request->session_state_ctx, attr_tls_cert));
+ MEM(container = fr_pair_afrom_da(request->session_state_ctx, attr_tls_certificate));
fr_pair_append(&request->session_state_pairs, container);
}
}
*/
if (fr_tls_session_pairs_from_x509_cert(&container->vp_group, container,
request, cert) < 0) {
- fr_pair_delete_by_da(&request->session_state_pairs, attr_tls_cert);
+ fr_pair_delete_by_da(&request->session_state_pairs, attr_tls_certificate);
my_ok = 0;
goto done;
}
{ "ldap-ssl STRING,", isc_ignore, 1}, // string options. e.g: opt1, opt2 or opt3 [arg1, ... ]
{ "ldap-tls-ca-dir STRING", isc_ignore, 1}, // text string
{ "ldap-tls-ca-file STRING", isc_ignore, 1}, // text string
- { "ldap-tls-cert STRING", isc_ignore, 1}, // text string
+ { "ldap-TLS-Certificate STRING", isc_ignore, 1}, // text string
{ "ldap-tls-ciphers STRING", isc_ignore, 1}, // text string
{ "ldap-tls-crlcheck STRING,", isc_ignore, 1}, // string options. e.g: opt1, opt2 or opt3 [arg1, ... ]
{ "ldap-tls-key STRING", isc_ignore, 1}, // text string
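Review bot: The changed table entry now reads `ldap-TLS-Certificate STRING`, which no longer spells the ISC dhcpd directive it is meant to match: every sibling entry is a lowercase `ldap-tls-*` keyword (`ldap-tls-ca-dir`, `ldap-tls-ciphers`, `ldap-tls-key`), and the original `ldap-tls-cert` is the directive name in the parsed config, not a FreeRADIUS attribute. This looks like a mechanical search-and-replace of `tls-cert` that reached a string it should not have; with it, a config containing `ldap-tls-cert` would presumably no longer be matched by this table and the `isc_ignore` handling would not apply. Restore the line to `{ "ldap-tls-cert STRING", isc_ignore, 1}, // text string`. The table's start is outside the hunk.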