FR 3.0.11, RadSec, validation via an external command

Martin Stanislav ms at uakom.sk
Wed Sep 21 11:44:29 CEST 2016 

Hi,

May I ask for your comment on how to fix/deal with two issues I've experienced with FR 3.0.11?

Required funcionality:
 RadSec TLS peer/client certificate to be validated by an external command.

AFAIU certificate validation by external command (i.e. tls configuration stanza verify) requires ocsp to be enabled, accordig to FR 3.0.11 documentation.


Issue 1 (OCSP checks fail for a RadSec client):

FR 3.0.11 is passing a null-valued cert. store pointer over to openssl's function OCSP_basic_verify() resulting in segfault within openssl's libcrypto. Prior FR code attempt to fill ocsp_store pointer via SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_STORE) call is of no help as FR 3.0.11 code path doesn't seem to invoke a corresponding SSL_set_ex_data() function call for a RadSec client TLS connection.

I'm not sure what a correct fix should look like. I've replaced the function call:
 ocsp_store = (X509_STORE *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_STORE);
by a reference:
 ocsp_store = conf->ocsp_store;
for purpose of a local test as conf->ocsp_store is already initialized at that point in code.


Issue 2 (validation via external command blocked by if clause):

Even if ocsp check is enabled, there seems to be little chance for external validation to kick in. Contrary to FR 3.0.11 documentation, the code requires two contending conditions to be satisfied at once. These conditions prevent external validation command from beeing called in case prior ocsp check returns OK.

Local interim/test fix for both issues is attached.

Thanks for your comments.

Kind regards,
Martin

-------------- next part --------------
--- freeradius-server-3.0.11/src/main/tls.c	2016-01-25 19:27:03.000000000 +0100
+++ freeradius-server-3.0.11.test/src/main/tls.c	2016-09-21 10:43:03.669931647 +0200
@@ -1804,7 +1804,7 @@
 
 	identity = (char **)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_IDENTITY);
 #ifdef HAVE_OPENSSL_OCSP_H
-	ocsp_store = (X509_STORE *)SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_STORE);
+	ocsp_store = conf->ocsp_store;
 #endif
 
 	talloc_ctx = SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_TALLOC);
@@ -2098,7 +2098,7 @@
 		 */
 		if ((my_ok != 0)
 #ifdef HAVE_OPENSSL_OCSP_H
-		    && conf->ocsp_enable && (my_ok != OCSP_STATUS_OK) && conf->verify_skip_if_ocsp_ok
+		    && conf->ocsp_enable && !(conf->verify_skip_if_ocsp_ok)
 #endif
 			) while (conf->verify_client_cert_cmd) {
 			char filename[256];

More information about the Freeradius-Users mailing list