From: Luke Howard
Date: Sat, 19 Nov 2011 03:32:07 +0000 (+1100)
Subject: surface RFC822 subject alt name
X-Git-Tag: release_3_0_0_beta0~493
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c0ef3f2f2bee189c3965a7341c4814cdd4e831d;p=thirdparty%2Ffreeradius-server.git

surface RFC822 subject alt name
---

diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 281f04a5a80..552586b7d54 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -532,12 +532,14 @@ post-auth {
 # Reply-Message += "%{TLS-Cert-Subject}"
 # Reply-Message += "%{TLS-Cert-Issuer}"
 # Reply-Message += "%{TLS-Cert-Common-Name}"
+# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
 #
 # Reply-Message += "%{TLS-Client-Cert-Serial}"
 # Reply-Message += "%{TLS-Client-Cert-Expiration}"
 # Reply-Message += "%{TLS-Client-Cert-Subject}"
 # Reply-Message += "%{TLS-Client-Cert-Issuer}"
 # Reply-Message += "%{TLS-Client-Cert-Common-Name}"
+# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
 # }
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index dc8ffd215b2..42754340d09 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -354,13 +354,15 @@ ATTRIBUTE TLS-Cert-Expiration 1911 string
 ATTRIBUTE TLS-Cert-Issuer 1912 string
 ATTRIBUTE TLS-Cert-Subject 1913 string
 ATTRIBUTE TLS-Cert-Common-Name 1914 string
-# 1915 - 1919: reserved for future cert attributes
+ATTRIBUTE TLS-Cert-Subject-Alt-Name-Email 1915 string
+# 1916 - 1919: reserved for future cert attributes
 ATTRIBUTE TLS-Client-Cert-Serial 1920 string
 ATTRIBUTE TLS-Client-Cert-Expiration 1921 string
 ATTRIBUTE TLS-Client-Cert-Issuer 1922 string
 ATTRIBUTE TLS-Client-Cert-Subject 1923 string
 ATTRIBUTE TLS-Client-Cert-Common-Name 1924 string
 ATTRIBUTE TLS-Client-Cert-Filename 1925 string
+ATTRIBUTE TLS-Client-Cert-Subject-Alt-Name-Email 1926 string
 #
 # Range: 1910-2099
diff --git a/src/main/tls.c b/src/main/tls.c
index 37d3618c143..10caec4a195 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1132,12 +1132,13 @@ ocsp_end:
 /*
  *	For creating certificate attributes.
  */
-static const char *cert_attr_names[5][2] = {
+static const char *cert_attr_names[6][2] = {
   { "TLS-Client-Cert-Serial", "TLS-Cert-Serial" },
   { "TLS-Client-Cert-Expiration", "TLS-Cert-Expiration" },
   { "TLS-Client-Cert-Subject", "TLS-Cert-Subject" },
   { "TLS-Client-Cert-Issuer", "TLS-Cert-Issuer" },
-  { "TLS-Client-Cert-Common-Name", "TLS-Cert-Common-Name" }
+  { "TLS-Client-Cert-Common-Name", "TLS-Cert-Common-Name" },
+  { "TLS-Client-Cert-Subject-Alt-Name-Email", "TLS-Cert-Subject-Alt-Name-Email" }
 };
 #define FR_TLS_SERIAL (0)
@@ -1145,6 +1146,7 @@ static const char *cert_attr_names[5][2] = {
 #define FR_TLS_SUBJECT (2)
 #define FR_TLS_ISSUER (3)
 #define FR_TLS_CN (4)
+#define FR_TLS_SAN_EMAIL (5)
 /*
  *	Before trusting a certificate, you must make sure that the
@@ -1180,7 +1182,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 	char buf[64];
 	X509 *client_cert;
 	SSL *ssl;
-	int err, depth, lookup;
+	int err, depth, lookup, loc;
 	fr_tls_server_conf_t *conf;
 	int my_ok = ok;
 	REQUEST *request;
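Review bot: The bound `6` in `cert_attr_names[6][2]` has to be bumped by hand every time an FR_TLS_* index is added, and nothing checks that the initializer count and the highest index still agree; writing `static const char *cert_attr_names[][2] = {` lets the compiler size the table from the initializer. A compile-time assertion tying the element count to the last FR_TLS_* value would then catch a future mismatch at build time rather than as an out-of-bounds read in cbtls_verify. The `@@ -1145` hunk below, which adds `FR_TLS_SAN_EMAIL`, is the index this bound has to track.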
@@ -1299,6 +1301,41 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 				pairmake(cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET));
 	}
+#ifdef GEN_EMAIL
+	/*
+	 *	Get the RFC822 Subject Alternative Name
+	 */
+	loc = X509_get_ext_by_NID(client_cert, NID_subject_alt_name, 0);
+	if (lookup <= 1 && loc >= 0) {
+		X509_EXTENSION *ext = NULL;
+		GENERAL_NAMES *names = NULL;
+		int i;
+
+		if ((ext = X509_get_ext(client_cert, loc)) &&
+		    (names = X509V3_EXT_d2i(ext))) {
+			for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
+				GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
+
+				switch (name->type) {
+				case GEN_EMAIL:
+					if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN)
+						break;
+
+					pairadd(certs,
+						pairmake(cert_attr_names[FR_TLS_SAN_EMAIL][lookup],
+							 ASN1_STRING_data(name->d.rfc822Name), T_OP_SET));
+					break;
+				default:
+					/* XXX TODO handle other SAN types */
+					break;
+				}
+			}
+		}
+		if (names != NULL)
+			sk_GENERAL_NAME_free(names);
+	}
+#endif /* GEN_EMAIL */
+
 /*
  *	If the CRL has expired, that might still be OK.
  */
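Review bot: `sk_GENERAL_NAME_free(names)` at the end of the added block frees only the stack, not the GENERAL_NAME entries that `X509V3_EXT_d2i` allocated, so every verified certificate that carries a SAN extension leaks its names in a long-running server; use `GENERAL_NAMES_free(names)` (equivalently `sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free)`). The GEN_EMAIL case also checks only `ASN1_STRING_length` before handing `ASN1_STRING_data` to `pairmake`, which reads up to the first NUL: an rfc822Name containing an embedded NUL byte is stored truncated, so policy written against TLS-Cert-Subject-Alt-Name-Email would compare against a value shorter than the one the certificate actually carries, and such names should be rejected as below. `ASN1_STRING_data` returns `unsigned char *`, so casting to `const char *` for `pairmake` also avoids the sign-mismatch warning. `cbtls_verify` begins and ends outside the hunk.
```c
				case GEN_EMAIL: {
					const unsigned char *email = ASN1_STRING_data(name->d.rfc822Name);
					int email_len = ASN1_STRING_length(name->d.rfc822Name);

					/* reject oversize values and embedded NULs so the attribute holds the whole SAN */
					if (email_len < 0 || email_len >= MAX_STRING_LEN ||
					    memchr(email, '\0', (size_t)email_len) != NULL)
						break;

					pairadd(certs,
						pairmake(cert_attr_names[FR_TLS_SAN_EMAIL][lookup],
							 (const char *)email, T_OP_SET));
					break;
				}
				/* … unchanged: default case, end of switch and loop … */
		if (names != NULL)
			GENERAL_NAMES_free(names);	/* frees each GENERAL_NAME, not just the stack */
```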