From: Luke Howard Date: Sat, 19 Nov 2011 03:32:07 +0000 (+1100) Subject: surface RFC822 subject alt name X-Git-Tag: release_2_2_0~254^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8976d3d4680477d982d28972ebdc68eafec325f;p=thirdparty%2Ffreeradius-server.git surface RFC822 subject alt name
---
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index aaaecccc727..139a14dade9 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -532,12 +532,14 @@ post-auth {
 # Reply-Message += "%{TLS-Cert-Subject}"
 # Reply-Message += "%{TLS-Cert-Issuer}"
 # Reply-Message += "%{TLS-Cert-Common-Name}"
+# Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
 #
 # Reply-Message += "%{TLS-Client-Cert-Serial}"
 # Reply-Message += "%{TLS-Client-Cert-Expiration}"
 # Reply-Message += "%{TLS-Client-Cert-Subject}"
 # Reply-Message += "%{TLS-Client-Cert-Issuer}"
 # Reply-Message += "%{TLS-Client-Cert-Common-Name}"
+# Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
 # }
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 0f598178db9..717116b2422 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -349,13 +349,15 @@ ATTRIBUTE TLS-Cert-Expiration 1911 string
 ATTRIBUTE TLS-Cert-Issuer 1912 string
 ATTRIBUTE TLS-Cert-Subject 1913 string
 ATTRIBUTE TLS-Cert-Common-Name 1914 string
-# 1915 - 1919: reserved for future cert attributes
+ATTRIBUTE TLS-Cert-Subject-Alt-Name-Email 1915 string
+# 1916 - 1919: reserved for future cert attributes
 ATTRIBUTE TLS-Client-Cert-Serial 1920 string
 ATTRIBUTE TLS-Client-Cert-Expiration 1921 string
 ATTRIBUTE TLS-Client-Cert-Issuer 1922 string
 ATTRIBUTE TLS-Client-Cert-Subject 1923 string
 ATTRIBUTE TLS-Client-Cert-Common-Name 1924 string
 ATTRIBUTE TLS-Client-Cert-Filename 1925 string
+ATTRIBUTE TLS-Client-Cert-Subject-Alt-Name-Email 1926 string
 #
 # Range: 1910-2099
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 006eeb313a0..28049cbe2f5 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -36,6 +36,8 @@ RCSID("$Id$")
 #include
 #endif
+#include
+
 #include "rlm_eap_tls.h"
 #include "config.h"
@@ -416,12 +418,13 @@ ocsp_end:
 /*
 * For creating certificate attributes.
 */
-static const char *cert_attr_names[5][2] = {
+static const char *cert_attr_names[6][2] = {
 { "TLS-Client-Cert-Serial", "TLS-Cert-Serial" },
 { "TLS-Client-Cert-Expiration", "TLS-Cert-Expiration" },
 { "TLS-Client-Cert-Subject", "TLS-Cert-Subject" },
 { "TLS-Client-Cert-Issuer", "TLS-Cert-Issuer" },
-{ "TLS-Client-Cert-Common-Name", "TLS-Cert-Common-Name" }
+{ "TLS-Client-Cert-Common-Name", "TLS-Cert-Common-Name" },
+{ "TLS-Client-Cert-Subject-Alt-Name-Email", "TLS-Cert-Subject-Alt-Name-Email" }
 };
 #define EAPTLS_SERIAL (0)
@@ -429,6 +432,7 @@ static const char *cert_attr_names[5][2] = {
 #define EAPTLS_SUBJECT (2)
 #define EAPTLS_ISSUER (3)
 #define EAPTLS_CN (4)
+#define EAPTLS_SAN_EMAIL (5)
 /*
 * Before trusting a certificate, you must make sure that the
@@ -466,7 +470,7 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 X509 *client_cert;
 X509 *issuer_cert;
 SSL *ssl;
- int err, depth, lookup;
+ int err, depth, lookup, loc;
 EAP_TLS_CONF *conf;
 int my_ok = ok;
 REQUEST *request;
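Review bot: The hand-maintained bound in `static const char *cert_attr_names[6][2] = {` has to be kept in step with the `#define EAPTLS_SAN_EMAIL (5)` added two hunks later, and nothing checks that the two agree; an index past the initializer is an out-of-bounds read, not a detectable error. Letting the initializer size the array, `static const char *cert_attr_names[][2] = {`, removes the number that must be bumped on every new attribute, and replacing the EAPTLS_* defines with an enum that ends in a count member would let later code bound-check the index as well. This is a point of form only; the rows themselves match the dictionary names added in the same commit.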
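Review bot: `loc` in the widened declaration `int err, depth, lookup, loc;` is only referenced inside the `#ifdef GEN_EMAIL` block added later in cbtls_verify, so a build where GEN_EMAIL is not defined gets an unused-variable warning for it. Declaring it inside that block, or guarding the declaration with the same `#ifdef GEN_EMAIL`, keeps warning-free builds on both configurations. cbtls_verify's body continues well past this hunk.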
@@ -567,6 +571,41 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
 }
+#ifdef GEN_EMAIL
+ /*
+ * Get the RFC822 Subject Alternative Name
+ */
+ loc = X509_get_ext_by_NID(client_cert, NID_subject_alt_name, 0);
+ if (lookup <= 1 && loc >= 0) {
+ X509_EXTENSION *ext = NULL;
+ GENERAL_NAMES *names = NULL;
+ int i;
+
+ if ((ext = X509_get_ext(client_cert, loc)) &&
+ (names = X509V3_EXT_d2i(ext))) {
+ for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
+ GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
+
+ switch (name->type) {
+ case GEN_EMAIL:
+ if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN)
+ break;
+
+ pairadd(&handler->certs,
+ pairmake(cert_attr_names[EAPTLS_SAN_EMAIL][lookup],
+ ASN1_STRING_data(name->d.rfc822Name), T_OP_SET));
+ break;
+ default:
+ /* XXX TODO handle other SAN types */
+ break;
+ }
+ }
+ }
+ if (names != NULL)
+ sk_GENERAL_NAME_free(names);
+ }
+#endif /* GEN_EMAIL */
+
 /*
 * If the CRL has expired, that might still be OK.
 */
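Review bot: `sk_GENERAL_NAME_free(names)` at the end of the GEN_EMAIL block releases only the stack, not the GENERAL_NAME entries that X509V3_EXT_d2i allocated for it, so every verified certificate that carries a subjectAltName leaks those entries on the authentication server; the call should be `GENERAL_NAMES_free(names);` (the pop_free form), after which the `if (names != NULL)` guard is redundant because it accepts NULL. The GEN_EMAIL case also bounds only the length before handing `ASN1_STRING_data(name->d.rfc822Name)` to pairmake as a C string, so an rfc822Name containing an embedded NUL would be stored truncated; the existing guard can reject that as well, `if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN || ASN1_STRING_length(name->d.rfc822Name) != (int) strlen((const char *) ASN1_STRING_data(name->d.rfc822Name))) break;`, and the same `(const char *)` cast on the pairmake argument removes the unsigned char * mismatch. The strlen relies on OpenSSL NUL-terminating ASN1_STRING data, which the existing pairmake call already assumes. cbtls_verify starts before this hunk and continues after it.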