*/
static const char *cert_attr_names[5][2] = {
{ "TLS-Client-Cert-Serial", "TLS-Cert-Serial" },
- { "TLS-Client-Cert-Expiration", "TLS-Cert-Expiraton" },
- { "TLS-Client-Cert-Issuer", "TLS-Cert-Issuer" },
+ { "TLS-Client-Cert-Expiration", "TLS-Cert-Expiration" },
{ "TLS-Client-Cert-Subject", "TLS-Cert-Subject" },
+ { "TLS-Client-Cert-Issuer", "TLS-Cert-Issuer" },
{ "TLS-Client-Cert-Common-Name", "TLS-Cert-Common-Name" }
};
+#define EAPTLS_SERIAL (0)
+#define EAPTLS_EXPIRATION (1)
+#define EAPTLS_SUBJECT (2)
+#define EAPTLS_ISSUER (3)
+#define EAPTLS_CN (4)
/*
* Before trusting a certificate, you must make sure that the
depth = X509_STORE_CTX_get_error_depth(ctx);
lookup = depth;
- if (lookup > 1) lookup = 1;
+
+ /*
+ * Log client/issuing cert. If there's an error, log
+ * issuing cert.
+ */
+ if ((lookup > 1) && !my_ok) lookup = 1;
/*
* Retrieve the pointer to the SSL of the connection currently treated
*/
buf[0] = '\0';
sn = X509_get_serialNumber(client_cert);
- if (sn && (sn->length < (sizeof(buf) / 2))) {
+
+ /*
+ * For this next bit, we create the attributes *only* if
+ * we're at the client or issuing certificate.
+ */
+ if ((lookup <= 1) && sn && (sn->length < (sizeof(buf) / 2))) {
char *p = buf;
int i;
for (i = 0; i < sn->length; i++) {
- sprintf(buf, "%02x", (unsigned int)sn->data[i]);
+ sprintf(p, "%02x", (unsigned int)sn->data[i]);
p += 2;
}
pairadd(&handler->certs,
- pairmake(cert_attr_names[0][lookup], buf, T_OP_SET));
+ pairmake(cert_attr_names[EAPTLS_SERIAL][lookup], buf, T_OP_SET));
}
*/
buf[0] = '\0';
asn_time = X509_get_notAfter(client_cert);
- if (asn_time && (asn_time->length < MAX_STRING_LEN)) {
+ if ((lookup <= 1) && asn_time && (asn_time->length < MAX_STRING_LEN)) {
memcpy(buf, (char*) asn_time->data, asn_time->length);
buf[asn_time->length] = '\0';
pairadd(&handler->certs,
- pairmake(cert_attr_names[1][lookup], buf, T_OP_SET));
+ pairmake(cert_attr_names[EAPTLS_EXPIRATION][lookup], buf, T_OP_SET));
}
/*
X509_NAME_oneline(X509_get_subject_name(client_cert), subject,
sizeof(subject));
subject[sizeof(subject) - 1] = '\0';
- if (subject[0] && (strlen(subject) < MAX_STRING_LEN)) {
+ if ((lookup <= 1) && subject[0] && (strlen(subject) < MAX_STRING_LEN)) {
pairadd(&handler->certs,
- pairmake(cert_attr_names[2][lookup], subject, T_OP_SET));
+ pairmake(cert_attr_names[EAPTLS_SUBJECT][lookup], subject, T_OP_SET));
}
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer,
sizeof(issuer));
issuer[sizeof(issuer) - 1] = '\0';
- if (issuer[0] && (strlen(issuer) < MAX_STRING_LEN)) {
+ if ((lookup <= 1) && issuer[0] && (strlen(issuer) < MAX_STRING_LEN)) {
pairadd(&handler->certs,
- pairmake(cert_attr_names[3][lookup], issuer, T_OP_SET));
+ pairmake(cert_attr_names[EAPTLS_ISSUER][lookup], issuer, T_OP_SET));
}
/*
X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
NID_commonName, common_name, sizeof(common_name));
common_name[sizeof(common_name) - 1] = '\0';
- if (common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
+ if ((lookup <= 1) && common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
pairadd(&handler->certs,
- pairmake(cert_attr_names[4][lookup], common_name, T_OP_SET));
+ pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
}
if (!my_ok) {
* information.
*/
if (eaptls_handle_idx < 0) {
- eaptls_handle_idx = SSL_get_ex_new_index(0, "eaptls_handle_idx",
- NULL, NULL, NULL);
+ eaptls_handle_idx = SSL_get_ex_new_index(0, &eaptls_handle_idx,
+ NULL, NULL, NULL);
}
if (eaptls_conf_idx < 0) {
- eaptls_conf_idx = SSL_get_ex_new_index(0, "eaptls_conf_idx",
+ eaptls_conf_idx = SSL_get_ex_new_index(0, &eaptls_conf_idx,
NULL, NULL, NULL);
}
if (eaptls_session_idx < 0) {
- eaptls_session_idx = SSL_get_ex_new_index(0, "eaptls_session_idx",
+ eaptls_session_idx = SSL_get_ex_new_index(0, &eaptls_session_idx,
NULL, NULL,
eaptls_session_free);
}
projects / freeradius.git / blobdiff