]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
Remove check_cert_issuer and check_cert_cn
authorArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 17 Jun 2021 23:17:31 +0000 (18:17 -0500)
committerArran Cudbard-Bell <a.cudbardb@freeradius.org>
Thu, 17 Jun 2021 23:19:07 +0000 (18:19 -0500)
src/lib/tls/conf-h
src/lib/tls/conf.c
src/lib/tls/validate.c

index 7df49723a62a52274a6f970e6a3ce45d71b2b16b..45ea0e8181244f2eb1674b8f640127079199c361 100644 (file)
@@ -131,14 +131,12 @@ struct fr_tls_conf_s {
 
        bool            check_crl;                      //!< Check certificate revocation lists.
        bool            allow_expired_crl;              //!< Don't error out if CRL is expired.
-       char const      *check_cert_cn;                 //!< Verify cert CN matches the expansion of this string.
 
        char const      *cipher_list;                   //!< Acceptable ciphers.
        bool            cipher_server_preference;       //!< use server preferences for cipher selection
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
        bool            allow_renegotiation;            //!< Whether or not to allow cipher renegotiation.
 #endif
-       char const      *check_cert_issuer;             //!< Verify cert issuer matches the expansion of this string.
 
        bool            require_client_cert;
 
index 2f93fd741ad93651e4d18327362be53fdc8edd75..be02805ba1225d303d12dd09647c7474aa2f2d83 100644 (file)
@@ -169,14 +169,11 @@ CONF_PARSER fr_tls_server_config[] = {
        { FR_CONF_DEPRECATED("check_all_crl", FR_TYPE_BOOL, fr_tls_conf_t, NULL) },
 #endif
        { FR_CONF_OFFSET("allow_expired_crl", FR_TYPE_BOOL, fr_tls_conf_t, allow_expired_crl) },
-       { FR_CONF_OFFSET("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
        { FR_CONF_OFFSET("cipher_list", FR_TYPE_STRING, fr_tls_conf_t, cipher_list) },
        { FR_CONF_OFFSET("cipher_server_preference", FR_TYPE_BOOL, fr_tls_conf_t, cipher_server_preference), .dflt = "yes" },
 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
        { FR_CONF_OFFSET("allow_renegotiation", FR_TYPE_BOOL, fr_tls_conf_t, allow_renegotiation), .dflt = "no" },
 #endif
-       { FR_CONF_OFFSET("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
-       { FR_CONF_OFFSET("require_client_cert", FR_TYPE_BOOL, fr_tls_conf_t, require_client_cert) },
 
 #ifndef OPENSSL_NO_ECDH
        { FR_CONF_OFFSET("ecdh_curve", FR_TYPE_STRING, fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
@@ -188,6 +185,8 @@ CONF_PARSER fr_tls_server_config[] = {
        { FR_CONF_OFFSET("cache", FR_TYPE_SUBSECTION, fr_tls_conf_t, cache), .subcs = (void const *) cache_config },
 
        { FR_CONF_DEPRECATED("verify", FR_TYPE_SUBSECTION, fr_tls_conf_t, NULL) },
+       { FR_CONF_DEPRECATED("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
+       { FR_CONF_DEPRECATED("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
        CONF_PARSER_TERMINATOR
 };
 
@@ -209,9 +208,8 @@ CONF_PARSER fr_tls_client_config[] = {
        { FR_CONF_OFFSET("random_file", FR_TYPE_STRING, fr_tls_conf_t, random_file) },
        { FR_CONF_OFFSET("fragment_size", FR_TYPE_UINT32, fr_tls_conf_t, fragment_size), .dflt = "1024" },
        { FR_CONF_OFFSET("check_crl", FR_TYPE_BOOL, fr_tls_conf_t, check_crl), .dflt = "no" },
-       { FR_CONF_OFFSET("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
+
        { FR_CONF_OFFSET("cipher_list", FR_TYPE_STRING, fr_tls_conf_t, cipher_list) },
-       { FR_CONF_OFFSET("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
 
 #ifndef OPENSSL_NO_ECDH
        { FR_CONF_OFFSET("ecdh_curve", FR_TYPE_STRING, fr_tls_conf_t, ecdh_curve), .dflt = "prime256v1" },
@@ -221,6 +219,8 @@ CONF_PARSER fr_tls_client_config[] = {
 
        { FR_CONF_OFFSET("tls_min_version", FR_TYPE_FLOAT32, fr_tls_conf_t, tls_min_version), .dflt = "1.2" },
 
+       { FR_CONF_DEPRECATED("check_cert_issuer", FR_TYPE_STRING, fr_tls_conf_t, check_cert_issuer) },
+       { FR_CONF_DEPRECATED("check_cert_cn", FR_TYPE_STRING, fr_tls_conf_t, check_cert_cn) },
        CONF_PARSER_TERMINATOR
 };
 
index 785349c5c256f272ec17c47d5ceeb607544bf893..27dc1d630aa474821900dbc74324287d661f5945 100644 (file)
@@ -236,38 +236,6 @@ int fr_tls_validate_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
                return my_ok;
        }
 
-       /*
-        *      If the conf tells us to, check cert issuer
-        *      against the specified value and fail
-        *      verification if they don't match.
-        */
-       if (conf->check_cert_issuer && (strcmp(issuer, conf->check_cert_issuer) != 0)) {
-               REDEBUG("Certificate issuer (%s) does not match specified value (%s)!",
-                       issuer, conf->check_cert_issuer);
-               my_ok = 0;
-       }
-
-       /*
-        *      If the conf tells us to, check the CN in the
-        *      cert against xlat'ed value, but only if the
-        *      previous checks passed.
-        */
-       if (my_ok && conf->check_cert_cn) {
-               char cn_str[1024];
-
-               if (xlat_eval(cn_str, sizeof(cn_str), request, conf->check_cert_cn, NULL, NULL) < 0) {
-                       /* if this fails, fail the verification */
-                       my_ok = 0;
-               } else {
-                       RDEBUG2("checking certificate CN (%s) with xlat'ed value (%s)", common_name, cn_str);
-                       if (strcmp(cn_str, common_name) != 0) {
-                               REDEBUG("Certificate CN (%s) does not match specified value (%s)!",
-                                       common_name, cn_str);
-                               my_ok = 0;
-                       }
-               }
-       } /* check_cert_cn */
-
        /*
         *      If we have a client certificate, cache whether or not
         *      we validated it.