surface RFC822 subject alt name
authorLuke Howard <lukeh@padl.com>
Sat, 19 Nov 2011 03:32:07 +0000 (14:32 +1100)
committerAlan T. DeKok <aland@freeradius.org>
Sun, 20 Nov 2011 12:26:27 +0000 (13:26 +0100)
raddb/sites-available/default
share/dictionary.freeradius.internal
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c

index aaaecccc727238624ef8a246d0ea10a37a75ba8a..139a14dade9c59d85e375783c0141da348571ccb 100644 (file)
@@ -532,12 +532,14 @@ post-auth {
 #             Reply-Message += "%{TLS-Cert-Subject}"
 #             Reply-Message += "%{TLS-Cert-Issuer}"
 #             Reply-Message += "%{TLS-Cert-Common-Name}"
+#             Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
 #
 #             Reply-Message += "%{TLS-Client-Cert-Serial}"
 #             Reply-Message += "%{TLS-Client-Cert-Expiration}"
 #             Reply-Message += "%{TLS-Client-Cert-Subject}"
 #             Reply-Message += "%{TLS-Client-Cert-Issuer}"
 #             Reply-Message += "%{TLS-Client-Cert-Common-Name}"
+#             Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
 #      }
 
 
index 0f598178db917497af185d4ceb0a16c96a99e82d..717116b24228c9f98080807b2cef79bb8895ffb4 100644 (file)
@@ -349,13 +349,15 @@ ATTRIBUTE TLS-Cert-Expiration                     1911    string
 ATTRIBUTE      TLS-Cert-Issuer                         1912    string
 ATTRIBUTE      TLS-Cert-Subject                        1913    string
 ATTRIBUTE      TLS-Cert-Common-Name                    1914    string
-# 1915 - 1919: reserved for future cert attributes
+ATTRIBUTE      TLS-Cert-Subject-Alt-Name-Email         1915    string
+# 1916 - 1919: reserved for future cert attributes
 ATTRIBUTE      TLS-Client-Cert-Serial                  1920    string
 ATTRIBUTE      TLS-Client-Cert-Expiration              1921    string
 ATTRIBUTE      TLS-Client-Cert-Issuer                  1922    string
 ATTRIBUTE      TLS-Client-Cert-Subject                 1923    string
 ATTRIBUTE      TLS-Client-Cert-Common-Name             1924    string
 ATTRIBUTE      TLS-Client-Cert-Filename                1925    string
+ATTRIBUTE      TLS-Client-Cert-Subject-Alt-Name-Email  1926    string
 
 #
 #      Range:  1910-2099
index 006eeb313a0ef6e95d0eb402c7ab5d12f8b6aab6..28049cbe2f55eb475bd9caefbf48ccc456b7b66d 100644 (file)
@@ -36,6 +36,8 @@ RCSID("$Id$")
 #include <openssl/evp.h>
 #endif
 
+#include <openssl/x509.h>
+
 #include "rlm_eap_tls.h"
 #include "config.h"
 
@@ -416,12 +418,13 @@ ocsp_end:
 /*
  *     For creating certificate attributes.
  */
-static const char *cert_attr_names[5][2] = {
+static const char *cert_attr_names[6][2] = {
   { "TLS-Client-Cert-Serial",          "TLS-Cert-Serial" },
   { "TLS-Client-Cert-Expiration",      "TLS-Cert-Expiration" },
   { "TLS-Client-Cert-Subject",         "TLS-Cert-Subject" },
   { "TLS-Client-Cert-Issuer",          "TLS-Cert-Issuer" },
-  { "TLS-Client-Cert-Common-Name",     "TLS-Cert-Common-Name" }
+  { "TLS-Client-Cert-Common-Name",     "TLS-Cert-Common-Name" },
+  { "TLS-Client-Cert-Subject-Alt-Name-Email",  "TLS-Cert-Subject-Alt-Name-Email" }
 };
 
 #define EAPTLS_SERIAL          (0)
@@ -429,6 +432,7 @@ static const char *cert_attr_names[5][2] = {
 #define EAPTLS_SUBJECT         (2)
 #define EAPTLS_ISSUER          (3)
 #define EAPTLS_CN              (4)
+#define EAPTLS_SAN_EMAIL       (5)
 
 /*
  *     Before trusting a certificate, you must make sure that the
@@ -466,7 +470,7 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
        X509 *client_cert;
        X509 *issuer_cert;
        SSL *ssl;
-       int err, depth, lookup;
+       int err, depth, lookup, loc;
        EAP_TLS_CONF *conf;
        int my_ok = ok;
        REQUEST *request;
@@ -567,6 +571,41 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                        pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
        }
 
+#ifdef GEN_EMAIL
+       /*
+        *      Get the RFC822 Subject Alternative Name
+        */
+       loc = X509_get_ext_by_NID(client_cert, NID_subject_alt_name, 0);
+       if (lookup <= 1 && loc >= 0) {
+               X509_EXTENSION *ext = NULL;
+               GENERAL_NAMES *names = NULL;
+               int i;
+
+               if ((ext = X509_get_ext(client_cert, loc)) &&
+                   (names = X509V3_EXT_d2i(ext))) {
+                       for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
+                               GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
+
+                               switch (name->type) {
+                               case GEN_EMAIL:
+                                       if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN)
+                                               break;
+
+                                       pairadd(&handler->certs,
+                                               pairmake(cert_attr_names[EAPTLS_SAN_EMAIL][lookup],
+                                                        ASN1_STRING_data(name->d.rfc822Name), T_OP_SET));
+                                       break;
+                               default:
+                                       /* XXX TODO handle other SAN types */
+                                       break;
+                               }
+                       }
+               }
+               if (names != NULL)
+                       sk_GENERAL_NAME_free(names);
+       }
+#endif /* GEN_EMAIL */
+
        /*
         *      If the CRL has expired, that might still be OK.
         */
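Review bot: `sk_GENERAL_NAME_free(names)` at the end of the new block frees only the stack, not the GENERAL_NAME entries that `X509V3_EXT_d2i` allocated, so every verified certificate carrying a SAN extension leaks its decoded names; `GENERAL_NAMES_free(names)` (equivalently `sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free)`) releases both. The length check before `pairmake` bounds the IA5String but does not notice an embedded NUL, which would make the attribute value silently shorter than the name the CA actually signed; comparing `strlen((const char *)ASN1_STRING_data(name->d.rfc822Name))` against `ASN1_STRING_length(name->d.rfc822Name)` and skipping a mismatch closes that gap. The whole block hangs on `#ifdef GEN_EMAIL`, a macro that lives in `<openssl/x509v3.h>` rather than the newly included `<openssl/x509.h>`; if that header is not already pulled in elsewhere in this file the feature compiles out with no diagnostic, so a direct include (or an `#error` in the `#else` branch) would make the dependency explicit. cbtls_verify's body starts and ends outside the hunk.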