pppd: EAP-TLS: Verify Subject or CommonName by suffix (#261)

This feature matches closely what OpenVPN and the network-manager-openvpn plugin do for
certificate verification. It allows the end user to configure the certificate to be matched by
its common name (entire string), its subject name, or the suffix of a subject name.
The latter is especially useful if you are trying to match against a random server in a RADIUS
pool. Lastly, it also allows you to turn off the certificate matching altogether.

tls-verify-method can have the following parameter values:
- none
- subject   - The entire subject, e.g. /CN=some.server.org
- name      - The entire common name, e.g. some.server.org
- suffix    - The latter part of a name, e.g. servers.org

Secondly, it also introduces a new parameter 'tls-verify-key-usage' which permits checking
of the 'server' or 'client' side attributes of nsCertType and X509 extended key attributes.
For example, in client mode, it will verify that received certificate has the 'server' side
attributes enabled.

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/pppd/pppd.h b/pppd/pppd.h
index 612902f..05e8e37 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
@@ -336,9 +336,17 @@ extern bool	dryrun;		/* check everything, print options, exit */
 extern int	child_wait;	/* # seconds to wait for children at end */
 
 #ifdef USE_EAPTLS
+
+#define TLS_VERIFY_NONE     "none"
+#define TLS_VERIFY_NAME     "name"
+#define TLS_VERIFY_SUBJECT  "subject"
+#define TLS_VERIFY_SUFFIX   "suffix"
+
 extern char	*crl_dir;
 extern char	*crl_file;
 extern char *max_tls_version;
+extern bool tls_verify_key_usage;
+extern char *tls_verify_method;
 #endif /* USE_EAPTLS */
 
 #ifdef MAXOCTETS