/** Register a function as compare function
*
* @param[in] name the attribute comparison to register.
* @param[in] from the attribute we want to compare with.
* Normally this is the same as attribute.
* If null call the comparison function on
* every attributes in the request if
* first_only is false.
* @param[in] first_only will decide if we loop over the request
* attributes or stop on the first one.
* @param[in] func comparison function.
* @param[in] instance argument to comparison function.
* @return
* - 0 on success
* - <0 on error
*/
int paircmp_register_by_name(char const *name, fr_dict_attr_t const *from,
bool first_only, RAD_COMPARE_FUNC func, void *instance)
{
fr_dict_attr_flags_t flags;
fr_dict_attr_t const *da;
memset(&flags, 0, sizeof(flags));
da = fr_dict_attr_by_name(fr_dict_internal, name);
if (da) {
if (paircmp_find(da)) {
fr_strerror_printf_push("Cannot register two comparions for attribute %s",
name);
return -1;
}
} else if (from) {
if (fr_dict_attr_add(fr_dict_internal, fr_dict_root(fr_dict_internal),
name, -1, from->type, &flags) < 0) {
fr_strerror_printf_push("Failed creating attribute '%s'", name);
return -1;
}
da = fr_dict_attr_by_name(fr_dict_internal, name);
if (!da) {
fr_strerror_printf("Failed finding attribute '%s'", name);
return -1;
}
DEBUG("Creating attribute %s", name);
}
return paircmp_register(da, from, first_only, func, instance);
}
static int arp_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
{
int i;
uint8_t const *p = request->packet->data, *end = p + request->packet->data_len;
fr_cursor_t cursor;
fr_cursor_init(&cursor, &request->packet->vps);
for (i = 0; header_names[i].name != NULL; i++) {
ssize_t ret;
size_t len;
fr_dict_attr_t const *da;
VALUE_PAIR *vp = NULL;
len = header_names[i].len;
if (!fr_cond_assert((size_t)(end - p) < len)) return -1; /* Should have been detected in socket_recv */
da = fr_dict_attr_by_name(dict_arp, header_names[i].name);
if (!da) return 0;
MEM(vp = fr_pair_afrom_da(request->packet, da));
ret = fr_value_box_from_network(vp, &vp->data, da->type, da, p, len, true);
if (ret <= 0) {
fr_pair_to_unknown(vp);
fr_pair_value_memcpy(vp, p, len);
}
DEBUG2("&%pP", vp);
fr_cursor_insert(&cursor, vp);
}
return 0;
}
static int _map_proc_client_get_vp(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request,
vp_map_t const *map, void *uctx)
{
client_get_vp_ctx_t *client = uctx;
VALUE_PAIR *head = NULL, *vp;
fr_cursor_t cursor;
fr_dict_attr_t const *da;
CONF_PAIR const *cp;
rad_assert(ctx != NULL);
fr_cursor_init(&cursor, &head);
/*
* FIXME: allow multiple entries.
*/
if (map->lhs->type == TMPL_TYPE_ATTR) {
da = map->lhs->tmpl_da;
} else {
char *attr;
if (tmpl_aexpand(ctx, &attr, request, map->lhs, NULL, NULL) <= 0) {
RWDEBUG("Failed expanding string");
return -1;
}
da = fr_dict_attr_by_name(request->dict, attr);
if (!da) {
RWDEBUG("No such attribute '%s'", attr);
return -1;
}
talloc_free(attr);
}
for (cp = client->cp;
cp;
cp = cf_pair_find_next(client->cs, cp, client->field)) {
char const *value = cf_pair_value(cp);
MEM(vp = fr_pair_afrom_da(ctx, da));
if (fr_pair_value_from_str(vp, value, talloc_array_length(value) - 1, '\0', false) < 0) {
RWDEBUG("Failed parsing value \"%pV\" for attribute %s: %s", fr_box_strvalue(value),
map->lhs->tmpl_da->name, fr_strerror());
fr_pair_list_free(&head);
talloc_free(vp);
return -1;
}
vp->op = map->op;
fr_cursor_append(&cursor, vp);
if (map->op != T_OP_ADD) break; /* Create multiple attribute for multiple CONF_PAIRs */
}
*out = head;
return 0;
}
/*
* Convert field X to a VP.
*/
static int csv_map_getvalue(TALLOC_CTX *ctx, VALUE_PAIR **out, REQUEST *request, vp_map_t const *map, void *uctx)
{
char const *str = uctx;
VALUE_PAIR *head = NULL, *vp;
fr_cursor_t cursor;
fr_dict_attr_t const *da;
rad_assert(ctx != NULL);
fr_cursor_init(&cursor, &head);
/*
* FIXME: allow multiple entries.
*/
if (map->lhs->type == TMPL_TYPE_ATTR) {
da = map->lhs->tmpl_da;
} else {
char *attr;
if (tmpl_aexpand(ctx, &attr, request, map->lhs, NULL, NULL) <= 0) {
RWDEBUG("Failed expanding string");
return -1;
}
da = fr_dict_attr_by_name(request->dict, attr);
if (!da) {
RWDEBUG("No such attribute '%s'", attr);
return -1;
}
talloc_free(attr);
}
vp = fr_pair_afrom_da(ctx, da);
rad_assert(vp);
if (fr_pair_value_from_str(vp, str, talloc_array_length(str) - 1, '\0', true) < 0) {
RWDEBUG("Failed parsing value \"%pV\" for attribute %s: %s", fr_box_strvalue_buffer(str),
map->lhs->tmpl_da->name, fr_strerror());
talloc_free(vp);
return -1;
}
vp->op = map->op;
fr_cursor_append(&cursor, vp);
*out = head;
return 0;
}
/* Initialize the pwattr array for supported password encodings. */
void
otp_pwe_init(void)
{
fr_dict_attr_t const *da;
/*
* Setup known password types. These are pairs.
* NB: Increase pwattr array size when adding a type.
* It should be sized as (number of password types * 2)
* NB: Array indices must match otp_pwe_t! (see otp.h)
*/
(void) memset(pwattr, 0, sizeof(pwattr));
/* PAP */
da = fr_dict_attr_by_name(NULL, "User-Password");
if (da) {
pwattr[0] = da;
pwattr[1] = da;
}
/* CHAP */
da = fr_dict_attr_by_name(NULL, "CHAP-Challenge");
if (da) {
pwattr[2] = da;
da = fr_dict_attr_by_name(NULL, "CHAP-Password");
if (da) {
pwattr[3] = da;
} else {
pwattr[2] = NULL;
}
}
#if 0
/* MS-CHAP (recommended not to use) */
da = fr_dict_attr_by_name("MS-CHAP-Challenge");
if (da) {
pwattr[4] = da;
da = fr_dict_attr_by_name("MS-CHAP-Response");
if (da) {
pwattr[5] = da;
} else {
pwattr[4] = NULL;
}
}
#endif /* 0 */
/* MS-CHAPv2 */
da = fr_dict_attr_by_name(NULL, "MS-CHAP-Challenge");
if (da) {
pwattr[6] = da;
da = fr_dict_attr_by_name(NULL, "MS-CHAP2-Response");
if (da) {
pwattr[7] = da;
} else {
pwattr[6] = NULL;
}
}
}
/*
* Do the statistics
*/
static rlm_rcode_t CC_HINT(nonnull) mod_stats(void *instance, void *thread, REQUEST *request)
{
int i;
uint32_t stats_type;
rlm_stats_thread_t *t = thread;
rlm_stats_t *inst = instance;
VALUE_PAIR *vp;
rlm_stats_data_t mydata, *stats;
fr_cursor_t cursor;
char buffer[64];
uint64_t local_stats[sizeof(inst->stats) / sizeof(inst->stats[0])];
/*
* Increment counters only in "send foo" sections.
*
* i.e. only when we have a reply to send.
*/
if (request->request_state == REQUEST_SEND) {
int src_code, dst_code;
src_code = request->packet->code;
if (src_code >= FR_MAX_PACKET_CODE) src_code = 0;
dst_code = request->reply->code;
if (dst_code >= FR_MAX_PACKET_CODE) dst_code = 0;
t->stats[src_code]++;
t->stats[dst_code]++;
/*
* Update source statistics
*/
mydata.ipaddr = request->packet->src_ipaddr;
stats = rbtree_finddata(t->src, &mydata);
if (!stats) {
MEM(stats = talloc_zero(t, rlm_stats_data_t));
stats->ipaddr = request->packet->src_ipaddr;
stats->created = request->async->recv_time;
(void) rbtree_insert(t->src, stats);
}
stats->last_packet = request->async->recv_time;
stats->stats[src_code]++;
stats->stats[dst_code]++;
/*
* Update destination statistics
*/
mydata.ipaddr = request->packet->dst_ipaddr;
stats = rbtree_finddata(t->dst, &mydata);
if (!stats) {
MEM(stats = talloc_zero(t, rlm_stats_data_t));
stats->ipaddr = request->packet->dst_ipaddr;
stats->created = request->async->recv_time;
(void) rbtree_insert(t->dst, stats);
}
stats->last_packet = request->async->recv_time;
stats->stats[src_code]++;
stats->stats[dst_code]++;
/*
* @todo - periodically clean up old entries.
*/
if ((t->last_global_update + NANOSEC) > request->async->recv_time) {
return RLM_MODULE_UPDATED;
}
t->last_global_update = request->async->recv_time;
pthread_mutex_lock(&inst->mutex);
for (i = 0; i < FR_MAX_PACKET_CODE; i++) {
inst->stats[i] += t->stats[i];
t->stats[i] = 0;
}
pthread_mutex_unlock(&inst->mutex);
return RLM_MODULE_UPDATED;
}
/*
* Ignore "authenticate" and anything other than Status-Server
*/
if ((request->request_state != REQUEST_RECV) ||
(request->packet->code != FR_CODE_STATUS_SERVER)) {
return RLM_MODULE_NOOP;
}
vp = fr_pair_find_by_da(request->packet->vps, attr_freeradius_stats4_type, TAG_ANY);
if (!vp) {
stats_type = FR_FREERADIUS_STATS4_TYPE_VALUE_GLOBAL;
} else {
stats_type = vp->vp_uint32;
}
/*
* Create attributes based on the statistics.
*/
fr_cursor_init(&cursor, &request->reply->vps);
MEM(pair_update_reply(&vp, attr_freeradius_stats4_type) >= 0);
vp->vp_uint32 = stats_type;
switch (stats_type) {
case FR_FREERADIUS_STATS4_TYPE_VALUE_GLOBAL: /* global */
/*
* Merge our stats with the global stats, and then copy
* the global stats to a thread-local variable.
*
* The copy helps minimize mutex contention.
*/
pthread_mutex_lock(&inst->mutex);
for (i = 0; i < FR_MAX_PACKET_CODE; i++) {
inst->stats[i] += t->stats[i];
t->stats[i] = 0;
}
memcpy(&local_stats, inst->stats, sizeof(inst->stats));
pthread_mutex_unlock(&inst->mutex);
vp = NULL;
break;
case FR_FREERADIUS_STATS4_TYPE_VALUE_CLIENT: /* src */
vp = fr_pair_find_by_da(request->packet->vps, attr_freeradius_stats4_ipv4_address, TAG_ANY);
if (!vp) vp = fr_pair_find_by_da(request->packet->vps, attr_freeradius_stats4_ipv6_address, TAG_ANY);
if (!vp) return RLM_MODULE_NOOP;
mydata.ipaddr = vp->vp_ip;
coalesce(local_stats, t, offsetof(rlm_stats_thread_t, src), &mydata);
break;
case FR_FREERADIUS_STATS4_TYPE_VALUE_LISTENER: /* dst */
vp = fr_pair_find_by_da(request->packet->vps, attr_freeradius_stats4_ipv4_address, TAG_ANY);
if (!vp) vp = fr_pair_find_by_da(request->packet->vps, attr_freeradius_stats4_ipv6_address, TAG_ANY);
if (!vp) return RLM_MODULE_NOOP;
mydata.ipaddr = vp->vp_ip;
coalesce(local_stats, t, offsetof(rlm_stats_thread_t, dst), &mydata);
break;
default:
REDEBUG("Invalid value '%d' for FreeRADIUS-Stats4-type", stats_type);
return RLM_MODULE_FAIL;
}
if (vp ) {
vp = fr_pair_copy(request->reply, vp);
if (vp) {
fr_cursor_append(&cursor, vp);
(void) fr_cursor_tail(&cursor);
}
}
strcpy(buffer, "FreeRADIUS-Stats4-");
for (i = 0; i < FR_MAX_PACKET_CODE; i++) {
fr_dict_attr_t const *da;
if (!local_stats[i]) continue;
strlcpy(buffer + 18, fr_packet_codes[i], sizeof(buffer) - 18);
da = fr_dict_attr_by_name(dict_radius, buffer);
if (!da) continue;
vp = fr_pair_afrom_da(request->reply, da);
if (!vp) return RLM_MODULE_FAIL;
vp->vp_uint64 = local_stats[i];
fr_cursor_append(&cursor, vp);
(void) fr_cursor_tail(&cursor);
}
return RLM_MODULE_OK;
}
static int mod_bootstrap(CONF_SECTION *conf, void *instance)
{
rlm_sql_t *inst = instance;
/*
* Hack...
*/
inst->config = &inst->myconfig;
inst->cs = conf;
inst->name = cf_section_name2(conf);
if (!inst->name) inst->name = cf_section_name1(conf);
/*
* Load the appropriate driver for our database.
*
* We need this to check if the sql_fields callback is provided.
*/
inst->handle = lt_dlopenext(inst->config->sql_driver_name);
if (!inst->handle) {
ERROR("Could not link driver %s: %s", inst->config->sql_driver_name, fr_strerror());
ERROR("Make sure it (and all its dependent libraries!) are in the search path of your system's ld");
return -1;
}
inst->module = (rlm_sql_module_t *) dlsym(inst->handle, inst->config->sql_driver_name);
if (!inst->module) {
ERROR("Could not link symbol %s: %s", inst->config->sql_driver_name, dlerror());
return -1;
}
INFO("rlm_sql (%s): Driver %s (module %s) loaded and linked", inst->name,
inst->config->sql_driver_name, inst->module->name);
if (inst->config->groupmemb_query) {
char buffer[256];
char const *group_attribute;
if (inst->config->group_attribute) {
group_attribute = inst->config->group_attribute;
} else if (cf_section_name2(conf)) {
snprintf(buffer, sizeof(buffer), "%s-SQL-Group", inst->name);
group_attribute = buffer;
} else {
group_attribute = "SQL-Group";
}
/*
* Checks if attribute already exists.
*/
if (paircompare_register_byname(group_attribute, fr_dict_attr_by_num(NULL, 0, PW_USER_NAME),
false, sql_groupcmp, inst) < 0) {
ERROR("Failed registering group comparison: %s", fr_strerror());
return -1;
}
inst->group_da = fr_dict_attr_by_name(NULL, group_attribute);
if (!inst->group_da) {
ERROR("Failed resolving group attribute \"%s\"", group_attribute);
return -1;
}
}
/*
* Register the SQL xlat function
*/
xlat_register(inst, inst->name, sql_xlat, sql_escape_for_xlat_func, NULL, 0, 0);
/*
* Register the SQL map processor function
*/
if (inst->module->sql_fields) map_proc_register(inst, inst->name, mod_map_proc, sql_escape_for_xlat_func, NULL, 0);
return 0;
}
static int mod_instantiate(CONF_SECTION *conf, void *instance)
{
rlm_sql_t *inst = instance;
/*
* Sanity check for crazy people.
*/
if (strncmp(inst->config->sql_driver_name, "rlm_sql_", 8) != 0) {
ERROR("rlm_sql (%s): \"%s\" is NOT an SQL driver!", inst->name, inst->config->sql_driver_name);
return -1;
}
/*
* We need authorize_group_check_query or authorize_group_reply_query
* if group_membership_query is set.
*
* Or we need group_membership_query if authorize_group_check_query or
* authorize_group_reply_query is set.
*/
if (!inst->config->groupmemb_query) {
if (inst->config->authorize_group_check_query) {
WARN("rlm_sql (%s): Ignoring authorize_group_reply_query as group_membership_query "
"is not configured", inst->name);
}
if (inst->config->authorize_group_reply_query) {
WARN("rlm_sql (%s): Ignoring authorize_group_check_query as group_membership_query "
"is not configured", inst->name);
}
if (!inst->config->read_groups) {
WARN("rlm_sql (%s): Ignoring read_groups as group_membership_query "
"is not configured", inst->name);
inst->config->read_groups = false;
}
} /* allow the group check / reply queries to be NULL */
/*
* This will always exist, as cf_section_parse_init()
* will create it if it doesn't exist. However, the
* "reference" config item won't exist in an auto-created
* configuration. So if that doesn't exist, we ignore
* the whole subsection.
*/
inst->config->accounting.cs = cf_section_sub_find(conf, "accounting");
inst->config->accounting.reference_cp = (cf_pair_find(inst->config->accounting.cs, "reference") != NULL);
inst->config->postauth.cs = cf_section_sub_find(conf, "post-auth");
inst->config->postauth.reference_cp = (cf_pair_find(inst->config->postauth.cs, "reference") != NULL);
/*
* Cache the SQL-User-Name fr_dict_attr_t, so we can be slightly
* more efficient about creating SQL-User-Name attributes.
*/
inst->sql_user = fr_dict_attr_by_name(NULL, "SQL-User-Name");
if (!inst->sql_user) {
return -1;
}
/*
* Export these methods, too. This avoids RTDL_GLOBAL.
*/
inst->sql_set_user = sql_set_user;
inst->sql_query = rlm_sql_query;
inst->sql_select_query = rlm_sql_select_query;
inst->sql_fetch_row = rlm_sql_fetch_row;
if (inst->module->mod_instantiate) {
CONF_SECTION *cs;
char const *name;
name = strrchr(inst->config->sql_driver_name, '_');
if (!name) {
name = inst->config->sql_driver_name;
} else {
name++;
}
cs = cf_section_sub_find(conf, name);
if (!cs) {
cs = cf_section_alloc(conf, name, NULL);
if (!cs) {
return -1;
}
}
/*
* It's up to the driver to register a destructor
*/
if (inst->module->mod_instantiate(cs, inst->config) < 0) {
return -1;
}
}
/*
* Either use the module specific escape function
* or our default one.
*/
inst->sql_escape_func = inst->module->sql_escape_func ?
inst->module->sql_escape_func :
sql_escape_func;
inst->ef = exfile_init(inst, 64, 30, true);
if (!inst->ef) {
cf_log_err_cs(conf, "Failed creating log file context");
return -1;
}
/*
* Initialise the connection pool for this instance
*/
INFO("rlm_sql (%s): Attempting to connect to database \"%s\"", inst->name, inst->config->sql_db);
inst->pool = module_connection_pool_init(inst->cs, inst, mod_conn_create, NULL, NULL);
if (!inst->pool) return -1;
if (inst->config->do_clients) {
if (generate_sql_clients(inst) == -1){
ERROR("Failed to load clients from SQL");
return -1;
}
}
return RLM_MODULE_OK;
}
/** Extract attributes from an X509 certificate
*
* @param cursor to copy attributes to.
* @param ctx to allocate attributes in.
* @param session current TLS session.
* @param cert to validate.
* @param depth the certificate is in the certificate chain (0 == leaf).
* @return
* - 0 on success.
* - < 0 on failure.
*/
int tls_session_pairs_from_x509_cert(fr_cursor_t *cursor, TALLOC_CTX *ctx,
tls_session_t *session, X509 *cert, int depth)
{
char buffer[1024];
char attribute[256];
char **identity;
int attr_index, loc;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
STACK_OF(X509_EXTENSION) const *ext_list = NULL;
#else
STACK_OF(X509_EXTENSION) *ext_list = NULL;
#endif
ASN1_INTEGER *sn = NULL;
ASN1_TIME *asn_time = NULL;
VALUE_PAIR *vp = NULL;
REQUEST *request;
#define CERT_ATTR_ADD(_attr, _attr_index, _value) tls_session_cert_attr_add(ctx, request, cursor, _attr, _attr_index, _value)
attr_index = depth;
if (attr_index > 1) attr_index = 1;
request = (REQUEST *)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_REQUEST);
rad_assert(request != NULL);
identity = (char **)SSL_get_ex_data(session->ssl, FR_TLS_EX_INDEX_IDENTITY);
if (RDEBUG_ENABLED3) {
buffer[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
RDEBUG3("Creating attributes for \"%s\":", buffer[0] ? buffer : "Cert missing subject OID");
}
/*
* Get the Serial Number
*/
sn = X509_get_serialNumber(cert);
if (sn && ((size_t) sn->length < (sizeof(buffer) / 2))) {
char *p = buffer;
int i;
for (i = 0; i < sn->length; i++) {
sprintf(p, "%02x", (unsigned int)sn->data[i]);
p += 2;
}
CERT_ATTR_ADD(IDX_SERIAL, attr_index, buffer);
}
/*
* Get the Expiration Date
*/
buffer[0] = '\0';
asn_time = X509_get_notAfter(cert);
if (identity && asn_time && (asn_time->length < (int)sizeof(buffer))) {
time_t expires;
/*
* Add expiration as a time since the epoch
*/
if (tls_utils_asn1time_to_epoch(&expires, asn_time) < 0) {
RPWDEBUG("Failed parsing certificate expiry time");
} else {
vp = CERT_ATTR_ADD(IDX_EXPIRATION, attr_index, NULL);
vp->vp_date = expires;
}
}
/*
* Get the Subject & Issuer
*/
buffer[0] = '\0';
X509_NAME_oneline(X509_get_subject_name(cert), buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
if (identity && buffer[0]) {
CERT_ATTR_ADD(IDX_SUBJECT, attr_index, buffer);
/*
* Get the Common Name, if there is a subject.
*/
X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
NID_commonName, buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
if (buffer[0]) {
CERT_ATTR_ADD(IDX_COMMON_NAME, attr_index, buffer);
}
}
X509_NAME_oneline(X509_get_issuer_name(cert), buffer, sizeof(buffer));
buffer[sizeof(buffer) - 1] = '\0';
if (identity && buffer[0]) {
CERT_ATTR_ADD(IDX_ISSUER, attr_index, buffer);
}
/*
* Get the RFC822 Subject Alternative Name
*/
loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, 0);
if (loc >= 0) {
X509_EXTENSION *ext = NULL;
GENERAL_NAMES *names = NULL;
int i;
ext = X509_get_ext(cert, loc);
if (ext && (names = X509V3_EXT_d2i(ext))) {
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
switch (name->type) {
#ifdef GEN_EMAIL
case GEN_EMAIL: {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
char const *rfc822Name = (char const *)ASN1_STRING_get0_data(name->d.rfc822Name);
#else
char *rfc822Name = (char *)ASN1_STRING_data(name->d.rfc822Name);
#endif
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_EMAIL, attr_index, rfc822Name);
break;
}
#endif /* GEN_EMAIL */
#ifdef GEN_DNS
case GEN_DNS: {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
char const *dNSName = (char const *)ASN1_STRING_get0_data(name->d.dNSName);
#else
char *dNSName = (char *)ASN1_STRING_data(name->d.dNSName);
#endif
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_DNS, attr_index, dNSName);
break;
}
#endif /* GEN_DNS */
#ifdef GEN_OTHERNAME
case GEN_OTHERNAME:
/* look for a MS UPN */
if (NID_ms_upn != OBJ_obj2nid(name->d.otherName->type_id)) break;
/* we've got a UPN - Must be ASN1-encoded UTF8 string */
if (name->d.otherName->value->type == V_ASN1_UTF8STRING) {
CERT_ATTR_ADD(IDX_SUBJECT_ALT_NAME_UPN, attr_index,
(char *)name->d.otherName->value->value.utf8string);
break;
}
RWARN("Invalid UPN in Subject Alt Name (should be UTF-8)");
break;
#endif /* GEN_OTHERNAME */
default:
/* XXX TODO handle other SAN types */
break;
}
}
}
if (names != NULL) GENERAL_NAMES_free(names);
}
/*
* Only add extensions for the actual client certificate
*/
if (attr_index == 0) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
ext_list = X509_get0_extensions(cert);
#else
ext_list = cert->cert_info->extensions;
#endif
/*
* Grab the X509 extensions, and create attributes out of them.
* For laziness, we re-use the OpenSSL names
*/
if (sk_X509_EXTENSION_num(ext_list) > 0) {
int i, len;
char *p;
BIO *out;
out = BIO_new(BIO_s_mem());
strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute));
for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) {
char value[1024];
ASN1_OBJECT *obj;
X509_EXTENSION *ext;
fr_dict_attr_t const *da;
ext = sk_X509_EXTENSION_value(ext_list, i);
obj = X509_EXTENSION_get_object(ext);
i2a_ASN1_OBJECT(out, obj);
len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1);
if (len <= 0) continue;
attribute[16 + len] = '\0';
for (p = attribute + 16; *p != '\0'; p++) if (*p == ' ') *p = '-';
X509V3_EXT_print(out, ext, 0, 0);
len = BIO_read(out, value , sizeof(value) - 1);
if (len <= 0) continue;
value[len] = '\0';
da = fr_dict_attr_by_name(dict_freeradius, attribute);
if (!da) {
RWDEBUG3("Skipping attribute %s: "
"Add dictionary definition if you want to access it", attribute);
continue;
}
MEM(vp = fr_pair_afrom_da(request, da));
if (fr_pair_value_from_str(vp, value, -1, '\0', true) < 0) {
RPWDEBUG3("Skipping: %s += '%s'", attribute, value);
talloc_free(vp);
continue;
}
fr_cursor_append(cursor, vp);
}
BIO_free_all(out);
}
}
return 0;
}
