Additional EAP-TLS Logging Option

Ross, Michael michael.ross2 at boeing.com
Wed Sep 8 01:45:59 CEST 2010


 Alan DeKok wrote:
>
>  It would be better to move that check to just surround the code which creates the TLS-Cert-* attributes.  I've done that.  See the v2.1.x branch.
>
>  If there are no further issues, we should be able to release 2.1.10 soon.  This certificate patch is very, very, useful.

Missed the check on Common Name (segmentation fault).  Other than that the logging during successful requests works well.  I'll continue looking into the logging of the failure cases.

---
 .../rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c        |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index 255c17a..cb4c846 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -364,7 +364,7 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 	X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
 				  NID_commonName, common_name, sizeof(common_name));
 	common_name[sizeof(common_name) - 1] = '\0';
-	if (common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
+	if ((lookup <= 1) && common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
 		pairadd(&handler->certs,
 			pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
 	}
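Review bot: the `(lookup <= 1)` guard on the changed `if` line fixes the out-of-bounds index into `cert_attr_names[EAPTLS_CN][lookup]` that caused the segmentation fault, but it hardcodes the number of valid entries as a magic number, so the bound and the table can silently drift apart if another entry is added or the verify callback runs at a greater certificate depth. Consider expressing the bound as a named constant or the row's array dimension, or reusing whatever check already surrounds the other TLS-Cert-* attribute creation, so the Common Name block is guarded consistently with the rest. Moving the guard ahead of the `X509_NAME_get_text_by_NID()` call would also avoid filling `common_name` when the result is discarded, though that is a minor point.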
-- 
1.7.0.4