From: Arran Cudbard-Bell
Date: Fri, 8 Oct 2021 21:57:50 +0000 (-0500)
Subject: Sync up code with docs
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa4744a92b7f7cd8befc018c8579805ee1c37d43;p=thirdparty%2Ffreeradius-server.git
Sync up code with docs
---
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 298ef89d4ac..62c08244bcc 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -569,9 +569,36 @@ eap {
 # ecdh_curve = prime256v1
+ #
+ # verify:: Parameters for controlling client cert chain
+ # verification.
+ #
+ # Certificate verification is performed in two phases.
+ # The first is handled by the SSL library which checks
+ # whether a trusted chain of certificates can be built
+ # between the certificates loaded from `ca_file` or
+ # found in `ca_path`.
+ #
+ # The second (optional) phase is performed using the
+ # `verify * { ... }` sections of the tls
+ # `virtual_server`.
+ #
 verify {
 #
- # mode:: Which client certificates should be verified
+ # mode:: Which certificates in the verification chain
+ # should be checked.
+ #
+ # Certificate verification is performed in two phases.
+ # The first is handled by the SSL library which checks
+ # whether a trusted chain of certificates can be built
+ # between the certificates loaded from `ca_file` or
+ # found in `ca_path`.
+ #
+ # The SSL library also checks that the the correct usage
+ # OIDs are present in the presented client certificate
+ # and that none of the certificates have expired.
+ #
+ #
 # [options="header,autowidth"]
 # |===
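Review bot: The added `mode::` text contains the typo `the the` in `The SSL library also checks that the the correct usage`, and it repeats verbatim the `Certificate verification is performed in two phases…` paragraph that this same hunk adds under `verify::` a few lines earlier. Keeping one copy under `verify::` and replacing the copy under `mode::` with a short back-reference such as `See the verify:: description above for the two verification phases.` avoids the two drifting apart later. The `mode::` paragraph only describes the SSL-library phase, so stating explicitly that `mode` selects which certificates in the chain that library-side check is applied to would make the option's scope clearer to an administrator.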
@@ -599,15 +626,6 @@ eap {
 # It is recommended to leave mode as `all` except
 # when debugging, or in an emergency situation.
 #
- # [NOTE]
- # ====
- # This verification is only applied during a full
- # handshake, and with stateful session resumption.
- # Verification for stateless session resumption
- # should be performed using the `verify [*] { ... }`
- # section(s) of the specified `virtual_server`.
- # ====
- #
 # mode = all
 #
@@ -642,8 +660,8 @@ eap {
 # | `client-and-issuer`
 # | Create attributes for the client certificate
 # and its issuer.
- # | `client`
 #
+ # | `client`
 # | Only create attributes for the client
 # certificate.
 # |===
@@ -660,7 +678,7 @@ eap {
 # stateless session-resumption.
 # ====
 #
-# attribute_mode = client-and-issuer
+# attribute_mode = untrusted
 #
 # check_crl:: Check the Certificate Revocation List.
diff --git a/src/lib/tls/conf-h b/src/lib/tls/conf-h
index b3a78bd2e15..a1176c2c6be 100644
--- a/src/lib/tls/conf-h
+++ b/src/lib/tls/conf-h
@@ -117,7 +117,7 @@ typedef struct {
 fr_tls_verify_mode_t mode; //!< What certificates we apply OpenSSL's pre-validation
 ///< mode to.
- fr_tls_verify_mode_t pair_mode; //!< What set of certificates we're going to convert to
+ fr_tls_verify_mode_t attribute_mode; //!< What set of certificates we're going to convert to
 ///< pairs for verification.
 bool check_crl; //!< Check certificate revocation lists.
diff --git a/src/lib/tls/conf.c b/src/lib/tls/conf.c
index 0fae16940ee..868b42f44c7 100644
--- a/src/lib/tls/conf.c
+++ b/src/lib/tls/conf.c
@@ -137,7 +137,7 @@ static CONF_PARSER tls_verify_config[] = {
 .len = &verify_mode_table_len },
 .dflt = "all" },
- { FR_CONF_OFFSET("pair_mode", FR_TYPE_VOID, fr_tls_verify_conf_t, pair_mode),
+ { FR_CONF_OFFSET("attribute_mode", FR_TYPE_VOID, fr_tls_verify_conf_t, attribute_mode),
 .func = cf_table_parse_int,
 .uctx = &(cf_table_parse_ctx_t){
 .table = verify_mode_table,
diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index bc93b5b78d8..5e47e3b2c97 100644
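Review bot: The documented default on the `attribute_mode = untrusted` line changes from `client-and-issuer` to `untrusted`, but the conf.c hunk in this commit only renames the option and the `.dflt` for `attribute_mode` lies outside the visible hunk (the visible `.dflt = "all"` belongs to the preceding `mode` entry), so the comment and the parser default may still disagree. Please confirm the parser default is also `untrusted`, and that `untrusted` appears as a row in the options table above this hunk; only the `client-and-issuer` and `client` rows are visible here. The verify.c hunks also show the virtual-server call gated on `verify_applies(conf->verify.attribute_mode, depth, untrusted)`, so, if that reading is right, this setting decides which chain certificates reach the policy check as well as which become attributes, and a sentence such as `Certificates not selected by attribute_mode are not passed to the virtual_server verify section.` would be worth adding here.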
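Review bot: Renaming the `pair_mode` key to `attribute_mode` in `tls_verify_config[]` means an existing configuration that still sets `pair_mode` is no longer matched by this entry. Because this option selects which certificates are converted to pairs for verification, a silently ignored key would quietly change the effective policy; please confirm the config parser rejects or at least warns on the now-unknown `pair_mode` key, or keep a deprecated alias entry for one release so the rename is visible to operators. The enclosing `tls_verify_config[]` array starts and ends outside the hunk.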
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -209,7 +209,7 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
 }
 }
- if (verify_applies(conf->verify.pair_mode, depth, untrusted) &&
+ if (verify_applies(conf->verify.attribute_mode, depth, untrusted) &&
 (!(container = fr_pair_find_by_da(&request->session_state_pairs, attr_tls_certificate, depth)) ||
 fr_pair_list_empty(&container->vp_group))) {
 if (!container) {
@@ -261,7 +261,7 @@ done:
 * and we're meant to verify this cert
 * then call the virtual server.
 */
- if (my_ok && verify_applies(conf->verify.pair_mode, depth, untrusted)) {
+ if (my_ok && verify_applies(conf->verify.attribute_mode, depth, untrusted)) {
 if (conf->virtual_server && tls_session->verify_client_cert) {
 RDEBUG2("Requesting certificate validation");