From: Arran Cudbard-Bell
Date: Tue, 7 Sep 2021 14:59:41 +0000 (-0500)
Subject: Add toggle for requiring client certificates
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b3c92cdd0e7ef3e520a7d492933741dbbff68292;p=thirdparty%2Ffreeradius-server.git

Add toggle for requiring client certificates
---
diff --git a/share/dictionary/freeradius/dictionary.freeradius.internal b/share/dictionary/freeradius/dictionary.freeradius.internal
index e522b31dae4..3f85dd9badb 100644
--- a/share/dictionary/freeradius/dictionary.freeradius.internal
+++ b/share/dictionary/freeradius/dictionary.freeradius.internal
@@ -428,7 +428,8 @@ ATTRIBUTE X509v3-Basic-Constraints 17 string
 END-TLV TLS-Certificate
 ATTRIBUTE TLS-PSK-Identity 1933 string
-ATTRIBUTE TLS-Session-Cert-File 1934 string
+ATTRIBUTE TLS-Session-Certificate-File 1934 string
+ATTRIBUTE TLS-Session-Require-Client-Certificate 1935 bool
 # Set and retrieved by EAP-TLS code
 ATTRIBUTE TLS-OCSP-Cert-Valid 1943 integer
diff --git a/src/lib/tls/attrs.h b/src/lib/tls/attrs.h
index 75e0d836e10..866ee6270dc 100644
--- a/src/lib/tls/attrs.h
+++ b/src/lib/tls/attrs.h
@@ -57,6 +57,7 @@ extern fr_dict_attr_t const *attr_tls_ocsp_response;
 extern fr_dict_attr_t const *attr_tls_psk_identity;
 extern fr_dict_attr_t const *attr_tls_session_cert_file;
+extern fr_dict_attr_t const *attr_tls_session_require_client_cert;
 extern fr_dict_attr_t const *attr_tls_session_cipher_suite;
 extern fr_dict_attr_t const *attr_tls_session_version;
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index 8fa2580e9ca..94c01dd2419 100644
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -97,6 +97,7 @@ fr_dict_attr_t const *attr_tls_ocsp_response;
 fr_dict_attr_t const *attr_tls_psk_identity;
 fr_dict_attr_t const *attr_tls_session_cert_file;
+fr_dict_attr_t const *attr_tls_session_require_client_cert;
 fr_dict_attr_t const *attr_tls_session_cipher_suite;
 fr_dict_attr_t const *attr_tls_session_version;
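Review bot: The new `TLS-Session-Require-Client-Certificate` entry is added with no comment, although the neighbouring `TLS-OCSP-Cert-Valid` entry documents who sets it; since this bool, when present in the control list, presumably overrides whether the server demands a client certificate (see the session.c hunk), a line such as `# Control-list override of the configured client certificate requirement; intended for test environments` would tell operators that setting it to false relaxes authentication for that session. The same hunk renames `TLS-Session-Cert-File` to `TLS-Session-Certificate-File` while keeping number 1934, so existing policies that reference the old name will stop resolving; if the dictionary format supports an alias for the old name, adding one would keep them working, otherwise the rename should be called out in the commit message. The C-side variable `attr_tls_session_cert_file` keeps its old name, which is harmless for the build but worth noting for anyone grepping for the attribute.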
@@ -139,7 +140,8 @@ fr_dict_attr_autoload_t tls_dict_attr[] = {
 { .out = &attr_tls_ocsp_response, .name = "TLS-OCSP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
 { .out = &attr_tls_psk_identity, .name = "TLS-PSK-Identity", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
- { .out = &attr_tls_session_cert_file, .name = "TLS-Session-Cert-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_session_cert_file, .name = "TLS-Session-Certificate-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+ { .out = &attr_tls_session_require_client_cert, .name = "TLS-Session-Require-Client-Certificate", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
 { .out = &attr_tls_session_cipher_suite, .name = "TLS-Session-Cipher-Suite", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
 { .out = &attr_tls_session_version, .name = "TLS-Session-Version", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c
index 959bea14e7e..26dfaa384d5 100644
--- a/src/lib/tls/session.c
+++ b/src/lib/tls/session.c
@@ -1707,6 +1707,14 @@ fr_tls_session_t *fr_tls_session_alloc_server(TALLOC_CTX *ctx, SSL_CTX *ssl_ctx,
 }
 }
+ /** Dynamic toggle for allowing disallowing client certs * * This is mainly used for testing in environments where we can't * get test credentials for the host. */
+ vp = fr_pair_find_by_da(&request->control_pairs, attr_tls_session_require_client_cert, 0);
+ if (vp) client_cert = vp->vp_bool;
 /*
 * In Server mode we only accept.
 *
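Review bot: The override at `if (vp) client_cert = vp->vp_bool;` changes whether this server session demands a client certificate without leaving any trace in the request log, so a policy that leaves the attribute set to false in production is indistinguishable from the configured behaviour; given the comment's own framing of this as a test-environment knob, the assignment should record that it was applied, e.g. `if (vp) { client_cert = vp->vp_bool; RDEBUG2("Client certificate requirement overridden by control attribute: %s", client_cert ? "required" : "not required"); }`, with a warning-level message being reasonable for the false case. The new comment opens with `/**`, which is Doxygen syntax for a declaration, while the neighbouring comment in the same function uses plain `/*`; `/* Dynamic toggle for allowing/disallowing client certs` would match the surrounding style and also fixes the missing slash in "allowing disallowing". It would help to say in that comment where `client_cert` is consumed, since the call that configures peer verification is outside this hunk and the attribute's effect is not visible here. `vp` and `client_cert` are both declared outside the hunk, and fr_tls_session_alloc_server begins and ends outside it.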