Autoload libfreeradius-tls attributes

share/dictionary.freeradius.internal

@@ -210,16 +210,8 @@ ATTRIBUTE	FreeRADIUS-Client-NAS-Type		1125	string
 ATTRIBUTE	FreeRADIUS-Client-Virtual-Server	1126	string
 
 # For session resumption
-ATTRIBUTE	Allow-Session-Resumption		1127	integer
-
-VALUE	Allow-Session-Resumption	no			0
-VALUE	Allow-Session-Resumption	yes			1
-
-ATTRIBUTE	EAP-Session-Resumed			1128	integer
-
-VALUE	EAP-Session-Resumed		no			0
-VALUE	EAP-Session-Resumed		yes			1
-
+ATTRIBUTE	Allow-Session-Resumption		1127	bool
+ATTRIBUTE	EAP-Session-Resumed			1128	bool
 #
 #	Expose EAP keys in the reply.
 #
@@ -639,7 +631,7 @@ ATTRIBUTE	Log-Type				1896	integer
 ATTRIBUTE	WiMAX-MN-NAI				1900	string
 
 ATTRIBUTE	TLS-Cert-Serial				1910	string
-ATTRIBUTE	TLS-Cert-Expiration			1911	string
+ATTRIBUTE	TLS-Cert-Expiration			1911	date
 ATTRIBUTE	TLS-Cert-Issuer				1912	string
 ATTRIBUTE	TLS-Cert-Subject			1913	string
 ATTRIBUTE	TLS-Cert-Common-Name			1914	string
@@ -648,7 +640,7 @@ ATTRIBUTE	TLS-Cert-Subject-Alt-Name-Dns		1916	string
 ATTRIBUTE	TLS-Cert-Subject-Alt-Name-Upn		1917	string
 # 1918 - 1919: reserved for future cert attributes
 ATTRIBUTE	TLS-Client-Cert-Serial			1920	string
-ATTRIBUTE	TLS-Client-Cert-Expiration		1921	string
+ATTRIBUTE	TLS-Client-Cert-Expiration		1921	date
 ATTRIBUTE	TLS-Client-Cert-Issuer			1922	string
 ATTRIBUTE	TLS-Client-Cert-Subject			1923	string
 ATTRIBUTE	TLS-Client-Cert-Common-Name		1924	string
@@ -662,7 +654,6 @@ ATTRIBUTE	TLS-Client-Cert-Subject-Alt-Name-Dns	1931	string
 ATTRIBUTE	TLS-Client-Cert-Subject-Alt-Name-Upn	1932	string
 ATTRIBUTE	TLS-PSK-Identity			1933	string
 ATTRIBUTE	TLS-Session-Cert-File			1934	string
-ATTRIBUTE	TLS-Client-Cert-Expiration-Time		1935	date
 
 # 1936 - 1939: reserved for future cert attributes
 

src/include/tls-h

@@ -468,7 +468,7 @@ SSL_CTX		*tls_ctx_alloc(fr_tls_conf_t const *conf, bool client);
 int		tls_global_version_check(char const *acknowledged);
 #endif
 
-int		tls_global_init(void);
+int		tls_global_init(char const *dictionary_dir);
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 void		tls_global_cleanup(void);
@@ -512,7 +512,7 @@ void 		tls_session_info_cb(SSL const *s, int where, int ret);
 void 		tls_session_msg_cb(int write_p, int msg_version, int content_type,
 				   void const *buf, size_t len, SSL *ssl, void *arg);
 
-int		tls_session_pairs_from_x509_cert(vp_cursor_t *cursor, TALLOC_CTX *ctx,
+int		tls_session_pairs_from_x509_cert(fr_cursor_t *cursor, TALLOC_CTX *ctx,
 				     	         tls_session_t *session, X509 *cert, int depth);
 
 int		tls_session_recv(REQUEST *request, tls_session_t *tls_session);

src/lib/tls/cache.c

@@ -32,13 +32,13 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
 #include <freeradius-devel/process.h>
 #include <freeradius-devel/modules.h>
 #include <freeradius-devel/rad_assert.h>
+#include "tls_attrs.h"
 
 /** Add attributes identifying the TLS session to be acted upon, and the action to be performed
  *
  * Adds the following attributes to the request:
  *
  *	- &request:TLS-Session-Id
- *	- &control:TLS-Session-Cache-Action
  *
  * Session identity will contain the binary session key used to create, retrieve
  * and delete cache entries related to the SSL session.
@@ -51,9 +51,9 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
  * @todo Move adding TLS-Session-Cache-Action to tls_cache_process and remove it again after calling
  *	the virtual server.
  *
- * @param[in] request The current request.
- * @param[in] key Identifier for the session.
- * @param[in] key_len Length of the key.
+ * @param[in] request		The current request.
+ * @param[in] key Identifier	for the session.
+ * @param[in] key_len		Length of the key.
  * @return
  *	- 0 on success.
  *	- -1 on failure.
@@ -62,19 +62,13 @@ static int tls_cache_session_id_to_vp(REQUEST *request, uint8_t const *key, size
 {
 	VALUE_PAIR *vp;
 
-	fr_pair_delete_by_num(&request->packet->vps, 0, FR_TLS_SESSION_ID, TAG_ANY);
-
-	vp = fr_pair_afrom_num(request->packet, 0, FR_TLS_SESSION_ID);
-	if (!vp) return -1;
-
+	MEM(pair_update_request(&vp, attr_tls_session_id) >= 0);
 	fr_pair_value_memcpy(vp, key, key_len);
-	fr_pair_add(&request->packet->vps, vp);
+
 	RINDENT();
 	rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
 	REXDENT();
 
-	rdebug_pair(L_DBG_LVL_2, request, vp, "&control:");
-
 	return 0;
 }
 
@@ -290,7 +284,7 @@ int tls_cache_write(REQUEST *request, tls_session_t *tls_session)
 	/*
 	 *	Put the SSL data into an attribute.
 	 */
-	vp = fr_pair_afrom_num(request->state_ctx, 0, FR_TLS_SESSION_DATA);
+	vp = fr_pair_afrom_da(request->state_ctx, attr_tls_session_data);
 	if (!vp) {
 		RPEDEBUG("Failed allocating &TLS-Session-Data");
 		return -1;
@@ -319,7 +313,7 @@ int tls_cache_write(REQUEST *request, tls_session_t *tls_session)
 	/*
 	 *	Ensure that the session data can't be used by anyone else.
 	 */
-	fr_pair_delete_by_num(&request->state, 0, FR_TLS_SESSION_DATA, TAG_ANY);
+	fr_pair_delete_by_da(&request->state, attr_tls_session_data);
 
 	return ret;
 }
@@ -374,7 +368,7 @@ static SSL_SESSION *tls_cache_read(SSL *ssl,
 		return NULL;
 	}
 
-	vp = fr_pair_find_by_num(request->state, 0, FR_TLS_SESSION_DATA, TAG_ANY);
+	vp = fr_pair_find_by_da(request->state, attr_tls_session_data, TAG_ANY);
 	if (!vp) {
 		RWDEBUG("No cached session found");
 		return NULL;
@@ -420,7 +414,7 @@ static SSL_SESSION *tls_cache_read(SSL *ssl,
 	/*
 	 *	Ensure that the session data can't be used by anyone else.
 	 */
-	fr_pair_delete_by_num(&request->state, 0, FR_TLS_SESSION_DATA, TAG_ANY);
+	fr_pair_delete_by_da(&request->state, attr_tls_session_data);
 
 	return sess;
 }
@@ -550,7 +544,7 @@ int tls_cache_disable_cb(SSL *ssl,
 	 */
 	if (!session->allow_session_resumption) goto disable;
 
-	vp = fr_pair_find_by_num(request->control, 0, FR_ALLOW_SESSION_RESUMPTION, TAG_ANY);
+	vp = fr_pair_find_by_da(request->control, attr_allow_session_resumption, TAG_ANY);
 	if (vp && (vp->vp_uint32 == 0)) {
 		RDEBUG2("&control:Allow-Session-Resumption == no, disabling session resumption");
 	disable:

src/lib/tls/global.c

@@ -34,6 +34,87 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
 
 #include <freeradius-devel/radiusd.h>
 #include <freeradius-devel/rad_assert.h>
+#include "tls_attrs.h"
+
+fr_dict_t const *dict_freeradius;
+fr_dict_t const *dict_radius;
+
+extern fr_dict_autoload_t tls_dict[];
+fr_dict_autoload_t tls_dict[] = {
+	{ .out = &dict_freeradius, .proto = "freeradius" },
+	{ .out = &dict_radius, .proto = "radius" },
+	{ NULL }
+};
+
+fr_dict_attr_t const *attr_allow_session_resumption;
+fr_dict_attr_t const *attr_eap_session_resumed;
+
+fr_dict_attr_t const *attr_tls_cert_common_name;
+fr_dict_attr_t const *attr_tls_cert_expiration;
+fr_dict_attr_t const *attr_tls_cert_issuer;
+fr_dict_attr_t const *attr_tls_cert_serial;
+fr_dict_attr_t const *attr_tls_cert_subject;
+fr_dict_attr_t const *attr_tls_cert_subject_alt_name_dns;
+fr_dict_attr_t const *attr_tls_cert_subject_alt_name_email;
+fr_dict_attr_t const *attr_tls_cert_subject_alt_name_upn;
+
+fr_dict_attr_t const *attr_tls_client_cert_common_name;
+fr_dict_attr_t const *attr_tls_client_cert_expiration;
+fr_dict_attr_t const *attr_tls_client_cert_issuer;
+fr_dict_attr_t const *attr_tls_client_cert_serial;
+fr_dict_attr_t const *attr_tls_client_cert_subject;
+fr_dict_attr_t const *attr_tls_client_cert_subject_alt_name_dns;
+fr_dict_attr_t const *attr_tls_client_cert_subject_alt_name_email;
+fr_dict_attr_t const *attr_tls_client_cert_subject_alt_name_upn;
+
+fr_dict_attr_t const *attr_tls_client_cert_filename;
+fr_dict_attr_t const *attr_tls_client_error_code;
+fr_dict_attr_t const *attr_tls_ocsp_cert_valid;
+fr_dict_attr_t const *attr_tls_ocsp_next_update;
+fr_dict_attr_t const *attr_tls_ocsp_response;
+fr_dict_attr_t const *attr_tls_psk_identity;
+fr_dict_attr_t const *attr_tls_session_cert_file;
+fr_dict_attr_t const *attr_tls_session_data;
+fr_dict_attr_t const *attr_tls_session_id;
+
+fr_dict_attr_t const *attr_framed_mtu;
+
+extern fr_dict_attr_autoload_t tls_dict_attr[];
+fr_dict_attr_autoload_t tls_dict_attr[] = {
+	{ .out = &attr_allow_session_resumption, .name = "Allow-Session-Resumption", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
+	{ .out = &attr_eap_session_resumed, .name = "EAP-Session-Resumed", .type = FR_TYPE_BOOL, .dict = &dict_freeradius },
+
+	{ .out = &attr_tls_cert_common_name, .name = "TLS-Cert-Common-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_cert_expiration, .name = "TLS-Cert-Expiration", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
+	{ .out = &attr_tls_cert_issuer, .name = "TLS-Cert-Issuer", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_cert_serial, .name = "TLS-Cert-Serial", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_cert_subject, .name = "TLS-Cert-Subject", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_cert_subject_alt_name_dns, .name = "TLS-Cert-Subject-Alt-Name-Dns", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_cert_subject_alt_name_email, .name = "TLS-Cert-Subject-Alt-Name-Email", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_cert_subject_alt_name_upn, .name = "TLS-Cert-Subject-Alt-Name-Upn", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+
+	{ .out = &attr_tls_client_cert_common_name, .name = "TLS-Client-Cert-Common-Name", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_cert_expiration, .name = "TLS-Client-Cert-Expiration", .type = FR_TYPE_DATE, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_cert_issuer, .name = "TLS-Client-Cert-Issuer", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_cert_serial, .name = "TLS-Client-Cert-Serial", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_cert_subject, .name = "TLS-Client-Cert-Subject", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_cert_subject_alt_name_dns, .name = "TLS-Client-Cert-Subject-Alt-Name-Dns", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_cert_subject_alt_name_email, .name = "TLS-Client-Cert-Subject-Alt-Name-Email", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_cert_subject_alt_name_upn, .name = "TLS-Client-Cert-Subject-Alt-Name-Upn", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+
+	{ .out = &attr_tls_client_cert_filename, .name = "TLS-Client-Cert-Filename", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_client_error_code, .name = "TLS-Client-Error-Code", .type = FR_TYPE_UINT8, .dict = &dict_freeradius },
+	{ .out = &attr_tls_ocsp_cert_valid, .name = "TLS-OCSP-Cert-Valid", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
+	{ .out = &attr_tls_ocsp_next_update, .name = "TLS-OCSP-Next-Update", .type = FR_TYPE_UINT32, .dict = &dict_freeradius },
+	{ .out = &attr_tls_ocsp_response, .name = "TLS-OCSP-Response", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+	{ .out = &attr_tls_psk_identity, .name = "TLS-PSK-Identity", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_session_cert_file, .name = "TLS-Session-Cert-File", .type = FR_TYPE_STRING, .dict = &dict_freeradius },
+	{ .out = &attr_tls_session_data, .name = "TLS-Session-Data", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+	{ .out = &attr_tls_session_id, .name = "TLS-Session-Id", .type = FR_TYPE_OCTETS, .dict = &dict_freeradius },
+
+	{ .out = &attr_framed_mtu, .name = "Framed-MTU", .type = FR_TYPE_UINT32, .dict = &dict_radius },
+	{ NULL }
+};
 
 /*
  *	Updated by threads.c in the server, and left alone for everyone else.
@@ -364,7 +445,7 @@ static void openssl_free(void *to_free)
  * This should be called exactly once from main, before reading the main config
  * or initialising any modules.
  */
-int tls_global_init(void)
+int tls_global_init(char const *dictionary_dir)
 {
 	ENGINE *rand_engine;
 
@@ -394,7 +475,8 @@ int tls_global_init(void)
 	 */
 	global_mutexes = global_mutexes_init(NULL);
 	if (!global_mutexes) {
-		ERROR("FATAL: Failed to set up SSL mutexes");
+		ERROR("Failed to set up SSL mutexes");
+		tls_global_cleanup();
 		return -1;
 	}
 
@@ -412,6 +494,19 @@ int tls_global_init(void)
 	if (rand_engine && (strcmp(ENGINE_get_id(rand_engine), "rdrand") == 0)) ENGINE_unregister_RAND(rand_engine);
 	ENGINE_register_all_complete();
 
+
+	if (fr_dict_autoload(dictionary_dir, tls_dict) < 0) {
+		PERROR("Failed loading dictionary");
+		tls_global_cleanup();
+		return -1;
+	}
+
+	if (fr_dict_attr_autoload(tls_dict_attr) < 0) {
+		PERROR("Failed resolving attributes");
+		tls_global_cleanup();
+		return -1;
+	}
+
 	tls_done_init = true;
 
 	return 0;
@@ -433,6 +528,8 @@ void tls_global_cleanup(void)
 
 	TALLOC_FREE(global_mutexes);
 
+	fr_dict_autofree(tls_dict);
+
 	tls_done_init = false;
 }
 #endif

src/lib/tls/ocsp.c

@@ -33,6 +33,7 @@ USES_APPLE_DEPRECATED_API	/* OpenSSL API has been deprecated by Apple */
 #include <freeradius-devel/modules.h>
 #include <freeradius-devel/rad_assert.h>
 #include <openssl/ocsp.h>
+#include "tls_attrs.h"
 
 /** Rcodes returned by the OCSP check function
  */
@@ -141,15 +142,13 @@ static int ocsp_staple_to_pair(VALUE_PAIR **out, REQUEST *request, OCSP_RESPONSE
 		return -1;
 	}
 
-	vp = pair_make_request("TLS-OCSP-Response", NULL, T_OP_SET);
-
-	MEM(p = buff = talloc_array(vp, uint8_t, len));			/* Alloc transitively in context of request */
+	MEM(p = buff = talloc_array(request, uint8_t, len));	/* Alloc in context of request - steal later */
 	len = i2d_OCSP_RESPONSE(resp, &p);
 	if (len <= 0) {
 		REDEBUG("Failed serialising OCSP response");
-		talloc_free(vp);					/* Also frees buff */
 		return -1;
 	}
+	MEM(pair_update_request(&vp, attr_tls_ocsp_response) >= 0);
 	fr_pair_value_memsteal(vp, buff);
 
 	RDEBUG2("Serializing OCSP response");
@@ -295,7 +294,7 @@ int tls_ocsp_check(REQUEST *request, SSL *ssl,
 	/*
 	 *	Allow us to cache the OCSP verified state externally
 	 */
-	vp = fr_pair_find_by_num(request->control, 0, FR_TLS_OCSP_CERT_VALID, TAG_ANY);
+	vp = fr_pair_find_by_da(request->control, attr_tls_ocsp_cert_valid, TAG_ANY);
 	if (vp) switch (vp->vp_uint32) {
 	case 0:	/* no */
 		RDEBUG2("Found &control:TLS-OCSP-Cert-Valid = no, forcing OCSP failure");
@@ -309,7 +308,7 @@ int tls_ocsp_check(REQUEST *request, SSL *ssl,
 		 *	we need to run the full OCSP check.
 		 */
 		if (staple_response) {
-			vp = fr_pair_find_by_num(request->control, 0, FR_TLS_OCSP_RESPONSE, TAG_ANY);
+			vp = fr_pair_find_by_da(request->control, attr_tls_ocsp_response, TAG_ANY);
 			if (!vp) {
 				RDEBUG2("No &control:TLS-OCSP-Response attribute found, performing full OCSP check");
 				break;
@@ -552,9 +551,10 @@ int tls_ocsp_check(REQUEST *request, SSL *ssl,
 		}
 		if (now.tv_sec < next){
 			RDEBUG2("Adding OCSP TTL attribute");
-			RINDENT();
-			vp = pair_make_request("TLS-OCSP-Next-Update", NULL, T_OP_SET);
+
+			MEM(pair_update_request(&vp, attr_tls_ocsp_next_update) >= 0);
 			vp->vp_uint32 = next - now.tv_sec;
+			RINDENT();
 			rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
 			REXDENT();
 		} else {
@@ -609,7 +609,7 @@ int tls_ocsp_check(REQUEST *request, SSL *ssl,
 			vp = NULL;	/* It's in the request, don't need to free it! */
 		}
 
-		vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+		MEM(pair_update_request(&vp, attr_tls_ocsp_cert_valid) >= 0);
 		vp->vp_uint32 = 1;	/* yes */
 		ocsp_status = OCSP_STATUS_OK;
 
@@ -618,7 +618,7 @@ int tls_ocsp_check(REQUEST *request, SSL *ssl,
 	case OCSP_STATUS_SKIPPED:
 	skipped:
 		SSL_DRAIN_ERROR_QUEUE(RWDEBUG, "", ssl_log);
-		vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+		MEM(pair_update_request(&vp, attr_tls_ocsp_cert_valid) >= 0);
 		vp->vp_uint32 = 2;	/* skipped */
 		if (conf->softfail) {
 			RWDEBUG("Unable to check certificate: %s",
@@ -638,7 +638,7 @@ int tls_ocsp_check(REQUEST *request, SSL *ssl,
 
 	default:
 		SSL_DRAIN_ERROR_QUEUE(REDEBUG, "", ssl_log);
-		vp = pair_make_request("TLS-OCSP-Cert-Valid", NULL, T_OP_SET);
+		MEM(pair_update_request(&vp, attr_tls_ocsp_cert_valid) >= 0);
 		vp->vp_uint32 = 0;	/* no */
 		REDEBUG("Failed to validate certificate");
 		break;