TLS-*-Cert-Common-Name if no certificate subject - patch
Matthew Newton
mcn4 at leicester.ac.uk
Fri Feb 3 14:45:49 CET 2012
The client certificate on the device I'm testing with here has no
Subject, and has a subjectAltName instead. This seems allowed
(mandated? - the text is unclear to me) by RFC3280 s4.1.2.6.
Correctly, the TLS-Client-Cert-Subject vp is _not_ added.
Incorrectly, TLS-Client-Cert-Common-Name IS added, with the value
of the common name from the issuer certificate.
The mini-patch below only tries to add the common-name vp if it
previously found a subject.
Cheers,
Matthew
From 921bd453c11697830b0d4871aa7aac51601a0ee5 Mon Sep 17 00:00:00 2001
From: Matthew Newton <mcn4 at leicester.ac.uk>
Date: Fri, 3 Feb 2012 13:33:26 +0000
Subject: [PATCH] rlm_eap_tls.c - only add TLS-*-Cert-Common-Name if there was a subject
---
.../rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
index e548961..0132ae0 100644
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -636,12 +636,12 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx)
}
/*
- * Get the Common Name
+ * Get the Common Name, if there is a subject
*/
X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert),
NID_commonName, common_name, sizeof(common_name));
common_name[sizeof(common_name) - 1] = '\0';
- if ((lookup <= 1) && common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) {
+ if ((lookup <= 1) && common_name[0] && subject[0] && (strlen(common_name) < MAX_STRING_LEN)) {
pairadd(&handler->certs,
pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET));
}
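Review bot: gating on `subject[0]` suppresses the reported symptom but leaves the underlying defect in the lines just above the new condition: `X509_NAME_get_text_by_NID()` is called with its return value ignored and `common_name` is never cleared before the call, so when the subject name holds no commonName entry the function returns -1 without writing to the buffer and `common_name` keeps whatever it held before (which is how a CN from a different certificate could surface here). A certificate whose subject is non-empty but has no CN would pass the new `subject[0]` check and still emit that stale value. Suggest testing the return value in addition to, or instead of, `subject[0]`, e.g. `if (X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert), NID_commonName, common_name, sizeof(common_name)) < 0) common_name[0] = '\0';`, or zeroing `common_name` before the call so the `common_name[0]` test below is meaningful on its own.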
--
1.7.2.5
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>