Add toggle for requiring client certificates
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Tue, 7 Sep 2021 14:59:41 +0000 (09:59 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Tue, 7 Sep 2021 14:59:41 +0000 (09:59 -0500)
share/dictionary/freeradius/dictionary.freeradius.internal
src/lib/tls/attrs.h
src/lib/tls/base.c
src/lib/tls/session.c

index e522b31dae43822b04fd22ce94a313da99822655..3f85dd9badb5755468fc0031520383f7cee00088 100644 (file)
@@ -428,7 +428,8 @@ ATTRIBUTE   X509v3-Basic-Constraints                17      string
 END-TLV                TLS-Certificate
 
 ATTRIBUTE      TLS-PSK-Identity                        1933    string
-ATTRIBUTE      TLS-Session-Cert-File                   1934    string
+ATTRIBUTE      TLS-Session-Certificate-File            1934    string
+ATTRIBUTE      TLS-Session-Require-Client-Certificate  1935    bool
 
 # Set and retrieved by EAP-TLS code
 ATTRIBUTE      TLS-OCSP-Cert-Valid                     1943    integer
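Review bot: Renaming `TLS-Session-Cert-File` to `TLS-Session-Certificate-File` in place (the `-`/`+` pair on the 1934 line) drops the old name entirely, so any existing policy or test that sets `&control.TLS-Session-Cert-File` will fail to load rather than keep working. If the dictionary format in use here supports an alias entry, keeping the old name as an alias for 1934 would make the rename non-breaking; otherwise the rename should at least be called out in the commit message or changelog so operators know to update their configuration. The commit message only mentions the new toggle, not the rename.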
index 75e0d836e1098564b7502376b2ab26f0062c0c84..866ee6270dc2f14cf7f9921ed225ae174b30bf1a 100644 (file)
@@ -57,6 +57,7 @@ extern fr_dict_attr_t const *attr_tls_ocsp_response;
 extern fr_dict_attr_t const *attr_tls_psk_identity;
 
 extern fr_dict_attr_t const *attr_tls_session_cert_file;
+extern fr_dict_attr_t const *attr_tls_session_require_client_cert;
 extern fr_dict_attr_t const *attr_tls_session_cipher_suite;
 extern fr_dict_attr_t const *attr_tls_session_version;
 
index 8fa2580e9cad6c47d52c32591ba9e5ac45660151..94c01dd241904f9e83cfdeecd4533bd2411fabec 100644 (file)
@@ -97,6 +97,7 @@ fr_dict_attr_t const *attr_tls_ocsp_response;
 fr_dict_attr_t const *attr_tls_psk_identity;
 
 fr_dict_attr_t const *attr_tls_session_cert_file;
+fr_dict_attr_t const *attr_tls_session_require_client_cert;
 fr_dict_attr_t const *attr_tls_session_cipher_suite;
 fr_dict_attr_t const *attr_tls_session_version;
 
@@ -139,7 +140,8 @@ fr_dict_attr_autoload_t tls_dict_attr[] = {
        { .out = &attr_tls_ocsp_response, .name = "TLS-OCSP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
        { .out = &attr_tls_psk_identity, .name = "TLS-PSK-Identity", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 
-       { .out = &attr_tls_session_cert_file, .name = "TLS-Session-Cert-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+       { .out = &attr_tls_session_cert_file, .name = "TLS-Session-Certificate-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+       { .out = &attr_tls_session_require_client_cert, .name = "TLS-Session-Require-Client-Certificate", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
        { .out = &attr_tls_session_cipher_suite, .name = "TLS-Session-Cipher-Suite", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
        { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 
index 959bea14e7e7cfa7a75952ea5de714bca1f12e47..26dfaa384d5f4597ce1716a571c986daf156e868 100644 (file)
@@ -1707,6 +1707,14 @@ fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx,
                }
        }
 
+       /** Dynamic toggle for allowing disallowing client certs
+        *
+        * This is mainly used for testing in environments where we can't
+        * get test credentials for the host.
+        */
+       vp = fr_pair_find_by_da(&request->control_pairs, attr_tls_session_require_client_cert, 0);
+       if (vp) client_cert = vp->vp_bool;
+
        /*
         *      In Server mode we only accept.
         *
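Review bot: The new lookup lets a control-list attribute switch off the client-certificate requirement with no trace in the logs, even though the comment above it says the toggle is "mainly used for testing"; nothing in the code restricts it to test environments, and if a deployment populates control pairs from a backend (SQL, LDAP, rest), a misconfiguration or a compromised backend could silently downgrade mutual TLS to server-only authentication. When the override relaxes what the configuration asked for, emit a warning so the downgrade is visible, e.g. `if (vp) { if (client_cert && !vp->vp_bool) RWDEBUG("Client certificate requirement disabled by &control.TLS-Session-Require-Client-Certificate"); client_cert = vp->vp_bool; }` (assuming `client_cert` was initialised from the configured requirement before this hunk; its declaration is outside the visible lines). The comment itself has a typo, "allowing disallowing", and uses a Doxygen `/**` opener inside a function body where the file otherwise uses plain `/*` (see the block that follows); I would write it as `/* Dynamic toggle for allowing/disallowing client certs. Intended for testing where host credentials are unavailable; it overrides the configured requirement for this session, so do not set it from untrusted policy. */`. The enclosing function `fr_tls_session_alloc_server` starts before and continues after this hunk.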