From: Alan T. DeKok
Date: Thu, 22 Jul 2021 21:04:58 +0000 (-0400)
Subject: allow TLS-Session-Cert-File to be set
X-Git-Tag: release_3_0_24~122
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=625ba7819701b823d0e7b6da3538cfdefdedc366;p=thirdparty%2Ffreeradius-server.git
allow TLS-Session-Cert-File to be set
---
diff --git a/src/main/tls.c b/src/main/tls.c
index 7343b43c134..9e72a50d255 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -709,6 +709,43 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, REQU
 SSL_set_msg_callback_arg(new_tls, state);
 SSL_set_info_callback(new_tls, cbtls_info);
+ /*
+ * Allow policies to load context-specific certificate chains.
+ */
+ vp = fr_pair_find_by_num(request->config, PW_TLS_SESSION_CERT_FILE, 0, TAG_ANY);
+ if (vp) {
+ RDEBUG2("(TLS) Loading session certificate file \"%s\"", vp->vp_strvalue);
+
+ if (SSL_use_certificate_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
+ tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
+ vp->vp_strvalue);
+ error:
+ talloc_free(state);
+ return NULL;
+ }
+
+ /*
+ * Note that there is either no password, or it
+ * has to be the same as what's in the
+ * configuration.
+ *
+ * There is just no additional security to
+ * putting a password into the same file system
+ * as the private key.
+ */
+ if (SSL_use_PrivateKey_file(state->ssl, vp->vp_strvalue, SSL_FILETYPE_PEM) != 1) {
+ tls_error_log(request, "Failed loading TLS session certificate \"%s\"",
+ vp->vp_strvalue);
+ goto error;
+ }
+
+ if (SSL_check_private_key(state->ssl) != 1) {
+ tls_error_log(request, "Failed validating TLS session certificate \"%s\"",
+ vp->vp_strvalue);
+ goto error;
+ }
+ }
+
 /*
 * In Server mode we only accept.
 */
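Review bot: `SSL_use_certificate_file` loads only the first certificate in the file, so despite the comment "load context-specific certificate chains" no intermediates from the per-session file are installed, and the chain actually sent to the peer is presumably whatever the shared SSL_CTX was configured with, which need not chain up to this leaf. With OpenSSL 1.1.0 or later the one-line fix is `if (SSL_use_certificate_chain_file(state->ssl, vp->vp_strvalue) != 1) {` (version-guarded if older OpenSSL is still supported); otherwise the comment should state that only the leaf certificate and key are replaced and the configured chain must be valid for it. The path in `vp->vp_strvalue` is handed straight to OpenSSL without validation, so a comment above the `fr_pair_find_by_num` call along the lines of `/* Path is trusted: policies must never build it from client-supplied attributes (path traversal). */` would warn the next policy author. The private-key failure message repeats the certificate text; it should read `"Failed loading TLS session private key \"%s\""` so the two failures can be told apart in logs. tls_new_session starts before and continues after this hunk.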