FreeRADIUS · natarajanmm · May 11, 2023 · May 11, 2023 · May 16, 2023 · lytboris
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
@@ -571,6 +571,7 @@ ATTRIBUTE	TLS-PSK-Identity			1933	string
 ATTRIBUTE	TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936	string
 ATTRIBUTE	TLS-Client-Cert-Valid-Since		1937	string
 ATTRIBUTE	TLS-Cache-Method			1938	integer
+ATTRIBUTE	TLS-Cert-CRL-Distribution-Points	1939	string
 VALUE	TLS-Cache-Method		save			1
 VALUE	TLS-Cache-Method		load			2
 VALUE	TLS-Cache-Method		clear			3

diff --git a/src/include/stats.h b/src/include/stats.h
@@ -80,7 +80,8 @@ void request_stats_reply(REQUEST *request);
 void radius_stats_ema(fr_stats_ema_t *ema,
 		      struct timeval *start, struct timeval *end);
 
-#define FR_STATS_INC(_x, _y) radius_ ## _x ## _stats._y++;if (listener) listener->stats._y++;if (client) client->_x._y++;
+#define FR_STATS_INC(_x, _y) radius_ ## _x ## _stats._y++;if (listener) listener->stats._y++;if (client) client->_x._y++;\
+	 if (listener && listener->parent) listener->parent->stats._y++;
 #define FR_STATS_TYPE_INC(_x) _x++
 
 #else  /* WITH_STATS */

diff --git a/src/main/stats.c b/src/main/stats.c
@@ -109,25 +109,29 @@ void request_stats_final(REQUEST *request)
 		return;
 
 #undef INC_AUTH
-#define INC_AUTH(_x) radius_auth_stats._x++;request->listener->stats._x++;request->client->auth._x++;
+#define INC_AUTH(_x) radius_auth_stats._x++;request->listener->stats._x++;request->client->auth._x++;\
+	if (request->listener->parent) {request->listener->parent->stats._x++;}
 
 #undef INC_ACCT
 #ifdef WITH_ACCOUNTING
-#define INC_ACCT(_x) radius_acct_stats._x++;request->listener->stats._x++;request->client->acct._x++
+#define INC_ACCT(_x) radius_acct_stats._x++;request->listener->stats._x++;request->client->acct._x++;\
+	if (request->listener->parent) {request->listener->parent->stats._x++;}
 #else
 #define INC_ACCT(_x)
 #endif
 
 #undef INC_COA
 #ifdef WITH_COA
-#define INC_COA(_x) radius_coa_stats._x++;request->listener->stats._x++;request->client->coa._x++
+#define INC_COA(_x) radius_coa_stats._x++;request->listener->stats._x++;request->client->coa._x++;\
+	if (request->listener->parent) {request->listener->parent->stats._x++;}
 #else
 #define INC_COA(_x)
 #endif
 
 #undef INC_DSC
 #ifdef WITH_DSC
-#define INC_DSC(_x) radius_dsc_stats._x++;request->listener->stats._x++;request->client->dsc._x++
+#define INC_DSC(_x) radius_dsc_stats._x++;request->listener->stats._x++;request->client->dsc._x++;\
+	if (request->listener->parent) {request->listener->parent->stats._x++;}
 #else
 #define INC_DSC(_x)
 #endif
@@ -745,6 +749,13 @@ void request_stats_reply(REQUEST *request)
 		 *	Not found: don't do anything
 		 */
 		this = listener_find_byipaddr(&ipaddr, server_port->vp_integer, IPPROTO_UDP);
+
+#ifdef WITH_TCP
+		if (!this) {
+		this = listener_find_byipaddr(&ipaddr, server_port->vp_integer, IPPROTO_TCP);
+		}
+#endif
+
 		if (!this) {
 			stats_error(request, "No such listener");
 			return;
@@ -819,6 +830,13 @@ void request_stats_reply(REQUEST *request)
 		 *	Not found: don't do anything
 		 */
 		home = home_server_find(&ipaddr, server_port->vp_integer, IPPROTO_UDP);
+
+#ifdef WITH_TCP
+		if (!home) {
+			home = home_server_find(&ipaddr, server_port->vp_integer, IPPROTO_TCP);
+		}
+#endif
+
 		if (!home) {
 			stats_error(request, "Failed to find home server IP");
 			return;

diff --git a/src/main/tls.c b/src/main/tls.c
@@ -2880,7 +2880,7 @@ static ocsp_status_t ocsp_check(REQUEST *request, X509_STORE *store, X509 *issue
 /*
  *	For creating certificate attributes.
  */
-static char const *cert_attr_names[9][2] = {
+static char const *cert_attr_names[10][2] = {
 	{ "TLS-Client-Cert-Serial",			"TLS-Cert-Serial" },
 	{ "TLS-Client-Cert-Expiration",			"TLS-Cert-Expiration" },
 	{ "TLS-Client-Cert-Subject",			"TLS-Cert-Subject" },
@@ -2889,7 +2889,8 @@ static char const *cert_attr_names[9][2] = {
 	{ "TLS-Client-Cert-Subject-Alt-Name-Email",	"TLS-Cert-Subject-Alt-Name-Email" },
 	{ "TLS-Client-Cert-Subject-Alt-Name-Dns",	"TLS-Cert-Subject-Alt-Name-Dns" },
 	{ "TLS-Client-Cert-Subject-Alt-Name-Upn",	"TLS-Cert-Subject-Alt-Name-Upn" },
-	{ "TLS-Client-Cert-Valid-Since",		"TLS-Cert-Valid-Since" }
+	{ "TLS-Client-Cert-Valid-Since",		"TLS-Cert-Valid-Since" },
+	{ "TLS-Client-Cert-CRL-Distribution-Points",	"TLS-Cert-CRL-Distribution-Points"}
 };
 
 #define FR_TLS_SERIAL		(0)
@@ -2901,11 +2902,39 @@ static char const *cert_attr_names[9][2] = {
 #define FR_TLS_SAN_DNS          (6)
 #define FR_TLS_SAN_UPN          (7)
 #define FR_TLS_VALID_SINCE	(8)
+#define FR_TLS_CDP		(9)
+
 
 static const char *cert_names[2] = {
 	"client", "server",
 };
 
+/*
+ *	Extract Certification Distribution point URL from the certificate
+ */
+const char *get_dp_url(DIST_POINT *dp)
+{
+	GENERAL_NAMES *gens;
+	GENERAL_NAME *gen;
+	int i, gtype;
+	ASN1_STRING *uri;
+
+	if (dp == NULL || !dp->distpoint || dp->distpoint->type != 0) {
+		return NULL;
+	}
+	gens = dp->distpoint->name.fullname;
+	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+		gen = sk_GENERAL_NAME_value(gens, i);
+		uri = GENERAL_NAME_get0_value(gen, &gtype);
+		if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
+			const char *url_ptr = (const char*) ASN1_STRING_get0_data(uri);
+			return url_ptr;
+		}
+	}
+	return NULL;
+}
+
+
 /*
  *	Before trusting a certificate, you must make sure that the
  *	certificate is 'valid'. There are several steps that your
@@ -2940,6 +2969,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 	char		common_name[1024];
 	char		cn_str[1024];
 	char		buf[64];
+        char            cdp[1024];
 	X509		*client_cert;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 	const STACK_OF(X509_EXTENSION) *ext_list;
@@ -3079,6 +3109,28 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 		rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
 	}
 
+	/*
+	 *	Get the Certificate Distribution points
+	 */
+	STACK_OF(DIST_POINT) *crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+	DIST_POINT *dp;
+	const char *url_ptr = NULL;
+	if (crl_dp != NULL) {
+		for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
+			dp = sk_DIST_POINT_value(crl_dp, i);
+			if (dp != NULL) {
+				cdp[0] = '\0';
+				url_ptr = get_dp_url(dp);
+				if (url_ptr != NULL) {
+					strncpy(cdp, (char*) url_ptr, (int) strlen(url_ptr));
+					cdp[strlen(url_ptr)] = '\0';
+					vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
+					rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
+				}
+			}
+		}
+	}
+
 	/*
 	 *	Get the RFC822 Subject Alternative Name
 	 */