From 5bab3db707898f6b8432df315747e3d5f8b68d9a Mon Sep 17 00:00:00 2001 From: Fabian Mauchle Date: Tue, 18 Jun 2019 18:08:47 +0200 Subject: [PATCH] add explicit option for SubjectAltName:IP check --- ChangeLog | 2 +- radsecproxy.conf.5 | 12 ++++++++---- radsecproxy.h | 3 +++ tlscommon.c | 19 +++++++++++++++++++ 4 files changed, 31 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index d4036cc..9fde94a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,7 +2,7 @@ changes since 1.7.2 New features: - Autodetect status-server capability of servers - Minimalistic status-server - - Explicit SubjectAltName:DNS match on certificates + - Explicit SubjectAltName:DNS and :IP match on certificates Misc: - No longer require docbook2x tools, but include plain manpages diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5 index 23d4ab6..4d322e0 100644 --- a/radsecproxy.conf.5 +++ b/radsecproxy.conf.5 @@ -411,10 +411,12 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address. .RE -\fBMatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR +\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/ +.br +\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR .RS -Perform additional validation of certificate attributes. Currently only matching -of CN and SubjectAltName type URI and DNS is supported. Note that currently this +Perform additional validation of certificate attributes. Currently matching +of CN and SubjectAltName types URI DNS and IP is supported. Note that currently this option can only be specified once in a client block. .RE 
@@ -607,7 +609,9 @@ block. The details are not repeated here. Please refer to the definitions in the
 .br
 .BR "CertificateNameCheck (" on | off )
 .br
-\fBmatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR
+\fBmatchCertificateAttribute (\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/
+.br
+\fBMatchCertificateAttribute \fRSubjectAltName:IP:\fIaddress\fR
 .br
 .BR "AddTTL " 1-255
 .br
diff --git a/radsecproxy.h b/radsecproxy.h
index 06a55eb..0ee1f20 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #include "list.h"
 #include "tlv11.h"
 #include "radmsg.h"
@@ -149,6 +150,8 @@ struct clsrvconf {
 regex_t *certcnregex;
 regex_t *certuriregex;
 regex_t *certdnsregex;
+in6_addr_t certipmatch;
+int certipmatchaf;
 char *confrewritein;
 char *confrewriteout;
 char *confrewriteusername;
diff --git a/tlscommon.c b/tlscommon.c
index f9fa7fb..4522942 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -709,6 +709,7 @@ int certnamecheck(X509 *cert, struct list *hostports) {
 int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
 char *subject;
+char addrbuf[INET6_ADDRSTRLEN];
 int ok = 1;
 subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
@@ -741,6 +742,13 @@ int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
 ok = 0;
 }
 }
+if (conf->certipmatchaf) {
+debug(DBG_DBG, "verifyconfcert: matching subjectaltname IP %s", inet_ntop(conf->certipmatchaf, &conf->certipmatch, addrbuf, INET6_ADDRSTRLEN));
+if (subjectaltnameaddr(cert, conf->certipmatchaf, &conf->certipmatch) < 1) {
+debug(DBG_WARN, "verifyconfcert: subjectaltname IP not matching regex for host %s (%s)", conf->name, subject);
+ok = 0;
+}
+}
 free(subject);
 return ok;
 }
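Review bot: The new `certipmatch` field in struct clsrvconf is declared as `in6_addr_t`, which is not a type POSIX or glibc's `<netinet/in.h>` provides (the portable name is `struct in6_addr`; `in6_addr_t` is a vendor extension), so unless the project typedefs it somewhere outside this diff the header will fail to compile on common platforms; `struct in6_addr certipmatch;` is what both `inet_pton(AF_INET6, …)` and `inet_ntop` in tlscommon.c expect anyway. The companion `certipmatchaf` is later tested with `if (conf->certipmatchaf)`, which uses 0 (AF_UNSPEC) as "no IP match configured" and therefore relies on the struct being zero-initialised at allocation — that allocation is not in this diff, so it is worth pinning with a comment on the field, e.g. `int certipmatchaf; /* AF_INET/AF_INET6, or 0 = no SubjectAltName:IP match configured */`. The enclosing struct definition starts and ends outside the hunk.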
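Review bot: The warning logged when the SubjectAltName:IP check fails says "not matching regex", but this branch performs an exact address comparison through `subjectaltnameaddr`, not a regex match, so the message will send whoever reads the log looking for a pattern that does not exist; `debug(DBG_WARN, "verifyconfcert: subjectaltname IP not matching for host %s (%s)", conf->name, subject);`. Rejecting on any result `< 1` means an error return from subjectaltnameaddr also fails the certificate, which is the safe default, but the helper's return convention is not visible in this diff, so a one-line comment such as `/* < 1 covers both "no match" and an error from the helper: either rejects the cert */` would make the intent explicit. verifyconfcert's declarations are in the previous hunk and its body starts before this one.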
@@ -821,6 +829,17 @@ int addmatchcertattr(struct clsrvconf *conf) {
 char *v;
 regex_t **r;
+if (!strncasecmp(conf->matchcertattr, "SubjectAltName:IP:", 18)) {
+if (inet_pton(AF_INET, conf->matchcertattr+18, &conf->certipmatch))
+conf->certipmatchaf = AF_INET;
+else if (inet_pton(AF_INET6, conf->matchcertattr+18, &conf->certipmatch))
+conf->certipmatchaf = AF_INET6;
+else
+return 0;
+return 1;
+}
+
+/* the other cases below use a common regex match */
 if (!strncasecmp(conf->matchcertattr, "CN:/", 4)) {
 r = &conf->certcnregex;
 v = conf->matchcertattr + 4;
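Review bot: The prefix length `18` is hard-coded three times in the new SubjectAltName:IP branch (the `strncasecmp` bound and both `conf->matchcertattr+18` offsets), so any later edit to the prefix string silently desynchronises the comparison from the address start; deriving the offset once from the literal keeps the three uses in step, as sketched below. The `return 0` on an address that neither `inet_pton` call accepts carries no diagnostic of its own, so the offending value is only reported by whatever the caller logs — that caller is outside this hunk, so it is worth confirming its message names the option text. A short comment above the branch, `/* exact address match stored in certipmatch/certipmatchaf; no regex, so return before the shared regex handling */`, would also explain the early return to readers of the rest of the function.
```c
    static const char ipprefix[] = "SubjectAltName:IP:";
    const size_t ipprefixlen = sizeof ipprefix - 1;

    if (!strncasecmp(conf->matchcertattr, ipprefix, ipprefixlen)) {
        const char *addr = conf->matchcertattr + ipprefixlen;
        if (inet_pton(AF_INET, addr, &conf->certipmatch))
            conf->certipmatchaf = AF_INET;
        else if (inet_pton(AF_INET6, addr, &conf->certipmatch))
            conf->certipmatchaf = AF_INET6;
        else
            return 0;
        return 1;
    }
    /* … unchanged: regex-based CN / SubjectAltName:URI / :DNS handling … */
```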