X-Git-Url: https://git.ozlabs.org/?a=blobdiff_plain;f=pppd%2Fauth.c;h=0a49f53e9f3711ef481856b6fbdffeae29ba496c;hb=9c7ba0d42dee5e3f84ecb6e4fcdbefc6c1cd965c;hp=ffa0e14afb097e775e18cc0257f0e56d7256d9a9;hpb=6531eb055818ea1b4df386b3e7132392771cd0e5;p=ppp.git diff --git a/pppd/auth.c b/pppd/auth.c index ffa0e14..0a49f53 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -255,9 +255,12 @@ char *cacert_file = NULL; /* CA certificate file (pem format) */ char *ca_path = NULL; /* directory with CA certificates */ char *cert_file = NULL; /* client certificate file (pem format) */ char *privkey_file = NULL; /* client private key file (pem format) */ +char *pkcs12_file = NULL; /* client private key envelope file (pkcs12 format) */ char *crl_dir = NULL; /* directory containing CRL files */ char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */ +char *tls_verify_method = NULL; +bool tls_verify_key_usage = 0; bool need_peer_eap = 0; /* Require peer to authenticate us */ #endif @@ -443,8 +446,13 @@ option_t auth_options[] = { { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, { "crl", o_string, &crl_file, "Use specific CRL file" }, + { "pkcs12", o_string, &pkcs12_file, "EAP-TLS client credentials in PKCS12 format" }, { "max-tls-version", o_string, &max_tls_version, "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" }, + { "tls-verify-key-usage", o_bool, &tls_verify_key_usage, + "Verify certificate type and extended key usage" }, + { "tls-verify-method", o_string, &tls_verify_method, + "Verify peer by method (none|subject|name|suffix)" }, { "need-peer-eap", o_bool, &need_peer_eap, "Require the peer to authenticate us", 1 }, #endif /* USE_EAPTLS */ @@ -876,8 +884,8 @@ network_phase(int unit) /* * If the peer had to authenticate, run the auth-up script now. */ + notify(auth_up_notifier, 0); if (go->neg_chap || go->neg_upap || go->neg_eap) { - notify(auth_up_notifier, 0); auth_state = s_up; if (auth_script_state == s_down && auth_script_pid == 0) { auth_script_state = s_up; @@ -2458,6 +2466,8 @@ have_eaptls_secret_client(char *client, char *server) if ((cacert_file || ca_path) && cert_file && privkey_file) return 1; + if (pkcs12_file) + return 1; filename = _PATH_EAPTLSCLIFILE; f = fopen(filename, "r"); @@ -2641,7 +2651,7 @@ scan_authfile_eaptls(FILE *f, char *client, char *server, int get_eaptls_secret(int unit, char *client, char *server, char *clicertfile, char *servcertfile, char *cacertfile, - char *capath, char *pkfile, int am_server) + char *capath, char *pkfile, char *pkcs12, int am_server) { FILE *fp; int ret; @@ -2655,6 +2665,7 @@ get_eaptls_secret(int unit, char *client, char *server, bzero(cacertfile, MAXWORDLEN); bzero(capath, MAXWORDLEN); bzero(pkfile, MAXWORDLEN); + bzero(pkcs12, MAXWORDLEN); /* the ca+cert+privkey can also be specified as options */ if (!am_server && (cacert_file || ca_path) && cert_file && privkey_file ) @@ -2666,6 +2677,14 @@ get_eaptls_secret(int unit, char *client, char *server, strlcpy( capath, ca_path, MAXWORDLEN ); strlcpy( pkfile, privkey_file, MAXWORDLEN ); } + else if (!am_server && pkcs12_file) + { + strlcpy( pkcs12, pkcs12_file, MAXWORDLEN ); + if (cacert_file) + strlcpy( cacertfile, cacert_file, MAXWORDLEN ); + if (ca_path) + strlcpy( capath, ca_path, MAXWORDLEN ); + } else { filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE);