From: Alan T. DeKok Date: Sat, 21 Sep 2013 12:32:39 +0000 (-0400) Subject: check_cert_issuer in EAP-TLS broken in presence of X509v3 extensions X-Git-Tag: release_3_0_0~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aae96fedc827d95a32ed238fcf0a14911740613c;p=thirdparty%2Ffreeradius-server.git check_cert_issuer in EAP-TLS broken in presence of X509v3 extensions Patch from David Wood Manual port of commit ce169385f
---
diff --git a/src/main/tls.c b/src/main/tls.c
index 510ca4ecc9..e492b4ad7f 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1469,6 +1469,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 {
 char subject[1024]; /* Used for the subject name */
 char issuer[1024]; /* Used for the issuer name */
+ char attribute[1024];
+ char value[1024];
 char common_name[1024];
 char cn_str[1024];
 char buf[64];
@@ -1651,7 +1653,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 BIO *out;
 out = BIO_new(BIO_s_mem());
- strlcpy(subject, "TLS-Client-Cert-", sizeof(subject));
+ strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute));
 for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) {
 ASN1_OBJECT *obj;
@@ -1662,26 +1664,26 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 obj = X509_EXTENSION_get_object(ext);
 i2a_ASN1_OBJECT(out, obj);
- len = BIO_read(out, subject + 16 , sizeof(subject) - 16 - 1);
+ len = BIO_read(out, attribute + 16 , sizeof(attribute) - 16 - 1);
 if (len <= 0) continue;
- subject[16 + len] = '\0';
+ attribute[16 + len] = '\0';
 X509V3_EXT_print(out, ext, 0, 0);
- len = BIO_read(out, issuer , sizeof(issuer) - 1);
+ len = BIO_read(out, value , sizeof(issuer) - 1);
 if (len <= 0) continue;
- issuer[len] = '\0';
+ value[len] = '\0';
 /*
 * Mash the OpenSSL name to our name, and
 * create the attribute.
 */
- for (p = subject + 16; *p != '\0'; p++) {
+ for (p = value + 16; *p != '\0'; p++) {
 if (*p == ' ') *p = '-';
 }
- vp = pairmake(NULL, certs, subject, issuer, T_OP_ADD);
+ vp = pairmake(NULL, certs, attribute, value, T_OP_ADD);
 if (vp) debug_pair_list(vp);
 }
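Review bot: The space-to-dash loop on the new side walks `value + 16` where the old code walked `subject + 16`, but the text that needs mashing is the extension name that was just read into `attribute + 16`; as written the attribute name keeps any spaces from the OpenSSL long name while the value gets edited instead. Worse, `value[len]` is the only terminator written, so whenever the printed extension value is shorter than 16 bytes the scan starts beyond that terminator in never-initialised stack storage and keeps reading and rewriting bytes until it happens to meet a zero, which is an indeterminate read and a potential write past the end of the array driven by certificate contents. The loop should be `for (p = attribute + 16; *p != '\0'; p++) {`. The second read bound, `len = BIO_read(out, value , sizeof(issuer) - 1);`, should likewise track the buffer it fills, `sizeof(value) - 1`; the two are both 1024 today, so this one is consistency rather than a current overflow. cbtls_verify begins and ends outside this hunk.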