From: Alan T. DeKok Date: Fri, 13 May 2011 09:05:08 +0000 (+0200) Subject: Create TLS-* attrs only for EAP, not RadSec X-Git-Tag: release_3_0_0_beta0~831 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cb0e2cd0c8b7c81f22453f5c6e13c213eed614d;p=thirdparty%2Ffreeradius-server.git Create TLS-* attrs only for EAP, not RadSec ---
diff --git a/src/main/tls.c b/src/main/tls.c
index 4d1e587df4f..3db72756f3f 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -1195,9 +1195,12 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 /*
 * For this next bit, we create the attributes *only* if
- * we're at the client or issuing certificate.
+ * we're at the client or issuing certificate, AND we
+ * have a user identity. i.e. we don't create the
+ * attributes for RadSec connections.
 */
- if ((lookup <= 1) && sn && ((size_t) sn->length < (sizeof(buf) / 2))) {
+ if (identity &&
+ (lookup <= 1) && sn && ((size_t) sn->length < (sizeof(buf) / 2))) {
 char *p = buf;
 int i;
@@ -1215,7 +1218,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 */
 buf[0] = '\0';
 asn_time = X509_get_notAfter(client_cert);
- if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
+ if (identity && (lookup <= 1) && asn_time &&
+ (asn_time->length < MAX_STRING_LEN)) {
 memcpy(buf, (char*) asn_time->data, asn_time->length);
 buf[asn_time->length] = '\0';
 pairadd(certs,
@@ -1229,7 +1233,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 X509_NAME_oneline(X509_get_subject_name(client_cert), subject, sizeof(subject));
 subject[sizeof(subject) - 1] = '\0';
- if ((lookup <= 1) && subject[0] && (strlen(subject) < MAX_STRING_LEN)) {
+ if (identity && (lookup <= 1) && subject[0] &&
+ (strlen(subject) < MAX_STRING_LEN)) {
 pairadd(certs, pairmake(cert_attr_names[FR_TLS_SUBJECT][lookup], subject, T_OP_SET));
 }
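Review bot: The new `identity &&` guard makes a NULL identity pointer stand in for "this is a RadSec connection", but nothing in the hunk ties `identity` to the transport, so an EAP session whose identity was never attached (identity is assigned outside this hunk, presumably from the SSL object's ex_data — verify) would also silently lose its TLS-Client-Cert-* attributes, and an unlang policy keyed on them would see nothing rather than fail closed. The comment at the top of the hunk should say where `identity` comes from and spell out the consequence: with the attributes suppressed, the only check a RadSec client certificate gets, as far as this diff shows, is OpenSSL's chain validation — the FIXME added at the `app:` label later in this diff acknowledges that the virtual-server policy pass is still missing. Since `identity && (lookup <= 1)` is now repeated in five conditions, compute it once, `int want_attrs = (identity != NULL) && (lookup <= 1);`, use `want_attrs` in each, and emit a debug message when it is false so the skip is visible to operators. cbtls_verify starts before this hunk and continues after it.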
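Review bot: The bound on the memcpy of the notAfter value is still `asn_time->length < MAX_STRING_LEN`, but the copy target is `buf`, whose declaration is outside the hunk; the serial-number block in the previous hunk bounds itself by `sizeof(buf) / 2`, which suggests `buf` is not sized to MAX_STRING_LEN. If `sizeof(buf)` is smaller than MAX_STRING_LEN, a client certificate with an over-long notAfter field — attacker-controlled, since it arrives before the peer is authenticated — overruns the stack buffer here. Bound the copy by the destination instead: `if (identity && (lookup <= 1) && asn_time && ((size_t) asn_time->length < sizeof(buf))) {` (the strict `<` leaves room for the terminator written on the next line). The `pairadd(certs,` call at the end of the hunk continues outside it.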
@@ -1237,7 +1242,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, sizeof(issuer));
 issuer[sizeof(issuer) - 1] = '\0';
- if ((lookup <= 1) && issuer[0] && (strlen(issuer) < MAX_STRING_LEN)) {
+ if (identity && (lookup <= 1) && issuer[0] &&
+ (strlen(issuer) < MAX_STRING_LEN)) {
 pairadd(certs, pairmake(cert_attr_names[FR_TLS_ISSUER][lookup], issuer, T_OP_SET));
 }
@@ -1248,7 +1254,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert), NID_commonName, common_name, sizeof(common_name));
 common_name[sizeof(common_name) - 1] = '\0';
- if ((lookup <= 1) && common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
+ if (identity && (lookup <= 1) && common_name[0] &&
+ (strlen(common_name) < MAX_STRING_LEN)) {
 pairadd(certs, pairmake(cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET));
 }
@@ -2327,6 +2334,12 @@ static int tls_socket_recv(rad_listen_t *listener)
 }
 app:
+ /*
+ * FIXME: Run the packet through a virtual server in
+ * order to see if we like the certificate presented by
+ * the client.
+ */
+
 status = tls_application_data(sock->ssn, request);
 RDEBUG("Application data status %d", status);
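Review bot: The Issuer block reads its certificate from `ctx->current_cert` while the neighbouring Subject and CN blocks read `client_cert`, and both names survive on the new side. If `client_cert` is simply the earlier alias of `ctx->current_cert` (its assignment is outside the hunk — verify), use one name so a reader can see that TLS-*-Cert-Issuer at a given `lookup` depth describes the same certificate as TLS-*-Cert-Subject: `X509_NAME_oneline(X509_get_issuer_name(client_cert), issuer, sizeof(issuer));`. If they are not the same object, a policy that checks issuer and subject together is reasoning about two different certificates, which deserves a comment either way. cbtls_verify starts before this hunk and continues after it.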
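Review bot: The CN is accepted on `common_name[0] && strlen(common_name) < MAX_STRING_LEN` alone, and the return value of `X509_NAME_get_text_by_NID` (the full length of the CN, or -1 when there is none) is dropped, so a CN carrying an embedded NUL is silently truncated and a policy matching TLS-Client-Cert-Common-Name sees only the prefix the certificate's author chose. Capture the length and reject a mismatch: `int cn_len = X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert), NID_commonName, common_name, sizeof(common_name));` followed by `if (identity && (lookup <= 1) && (cn_len > 0) && ((size_t) cn_len == strlen(common_name)) && (strlen(common_name) < MAX_STRING_LEN)) {`. This is pre-existing rather than introduced by the commit, but the commit rewrites the condition, so it is the moment to fix it. cbtls_verify continues outside the hunk.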