tls-psk-identity fix
Kevin Wasserman
krwasserman at painless-security.com
Mon Jul 21 20:08:09 CEST 2014
Currently, the tls-psk-identity attribute is determined while the TLS
connection is established, but then discarded prior to packet decode.
The attached patch makes the tls-psk-identity attribute available during
request processing. This is important for implementing constraint
enforcement policy in Moonshot.
Kevin Wasserman
Painless Security, LLC
From 1f6a4b1641345df7ffcdd7ea3276071ea6d091bd Mon Sep 17 00:00:00 2001
From: Kevin Wasserman <krwasserman at painless-security.com>
Date: Wed, 16 Jul 2014 14:00:59 -0400
Subject: [PATCH] Make tls-psk-identity available during request processing
Retrieve from SSL and add to request vps immediately prior to packet decode.
---
src/main/process.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/src/main/process.c b/src/main/process.c
index 2a70e23..c2cd87b 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -1211,6 +1211,31 @@ STATE_MACHINE_DECL(request_response_delay)
}
}
+static void retrieve_tls_identity(REQUEST *request)
+{
+ /*
+ * copy tls identity from sock vps to new request
+ */
+ listen_socket_t *sock = NULL;
+#ifdef WITH_ACCOUNTING
+ if (request->listener->type != RAD_LISTEN_DETAIL)
+#endif
+ {
+ sock = request->listener->data;
+ }
+
+ if (sock && sock->ssn && sock->ssn->ssl) {
+ const char *identity = SSL_get_psk_identity(sock->ssn->ssl);
+ if (identity) {
+ RDEBUG("Retrieved psk identity: %s", identity);
+ VALUE_PAIR *vp = pairmake_packet("TLS-PSK-Identity", identity, T_OP_SET);
+ if (vp) {
+ RDEBUG("Set tls-psk-identity: %s", identity);
+ }
+ }
+ }
+}
+
static int CC_HINT(nonnull) request_pre_handler(REQUEST *request, UNUSED int action)
{
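Review bot: the else branch of `if (vp)` in the new `retrieve_tls_identity()` is silent, so a failed `pairmake_packet("TLS-PSK-Identity", identity, T_OP_SET)` (for example when the dictionary does not define the attribute) leaves no trace in debug output while a policy that depends on the attribute quietly sees nothing; log the failure with `RDEBUG` there, and drop the second `RDEBUG("Set tls-psk-identity: %s", identity)`, which only repeats the value already printed by `RDEBUG("Retrieved psk identity: %s", identity)`. The header comment `copy tls identity from sock vps to new request` does not describe what the code does: the identity comes from `SSL_get_psk_identity(sock->ssn->ssl)`, not from any socket VPs, so reword it. The body also dereferences `sock->ssn->ssl` and calls `SSL_get_psk_identity()` with no compile-time guard, while the detail-listener check just above it is wrapped in `#ifdef WITH_ACCOUNTING`; unless this file is only ever built with TLS support, the new function wants the equivalent TLS build guard.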
@@ -1234,6 +1259,8 @@ static int CC_HINT(nonnull) request_pre_handler(REQUEST *request, UNUSED int act
}
if (!request->packet->vps) { /* FIXME: check for correct state */
+ retrieve_tls_identity(request);
+
rcode = request->listener->decode(request->listener, request);
#ifdef WITH_UNLANG
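Review bot: `retrieve_tls_identity(request)` is called inside `if (!request->packet->vps)` and before `request->listener->decode()`, and `pairmake_packet()` in the first hunk adds the new pair to `request->packet->vps`; that ordering only works if every listener's decode appends to the existing list rather than building its own list and assigning it to `request->packet->vps`, in which case the TLS-PSK-Identity pair is dropped (and leaked) on exactly the path this patch targets. Either confirm that for the decode routines in use, or move the call to just after the decode has returned successfully, which also keeps the `!request->packet->vps` test meaning what it says.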
--
1.7.10.4
More information about the Freeradius-Devel mailing list