Commit 4f87524a authored by venaas's avatar venaas Committed by venaas

skip matching the cert against the host when the host contains a / (i.e. it is a prefix)

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@189 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent 7f9ecad0
......@@ -600,46 +600,48 @@ int tlsverifycert(SSL *ssl, struct clsrvconf *conf) {
debug(DBG_ERR, "tlsverifycert: failed to obtain certificate");
return 0;
}
if (inet_pton(AF_INET, conf->host, &addr))
type = AF_INET;
else if (inet_pton(AF_INET6, conf->host, &addr))
type = AF_INET6;
r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
if (r) {
if (r < 0) {
X509_free(cert);
debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
return 0;
}
debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
} else {
nm = X509_get_subject_name(cert);
loc = -1;
for (;;) {
loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
if (loc == -1)
break;
e = X509_NAME_get_entry(nm, loc);
s = X509_NAME_ENTRY_get_data(e);
v = (char *) ASN1_STRING_data(s);
l = ASN1_STRING_length(s);
if (l < 0)
continue;
if (conf->prefixlen == 255) {
if (inet_pton(AF_INET, conf->host, &addr))
type = AF_INET;
else if (inet_pton(AF_INET6, conf->host, &addr))
type = AF_INET6;
r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
if (r) {
if (r < 0) {
X509_free(cert);
debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
return 0;
}
debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
} else {
nm = X509_get_subject_name(cert);
loc = -1;
for (;;) {
loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
if (loc == -1)
break;
e = X509_NAME_get_entry(nm, loc);
s = X509_NAME_ENTRY_get_data(e);
v = (char *) ASN1_STRING_data(s);
l = ASN1_STRING_length(s);
if (l < 0)
continue;
#ifdef DEBUG
printfchars(NULL, "cn", NULL, v, l);
printfchars(NULL, "cn", NULL, v, l);
#endif
if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) {
r = 1;
debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host);
break;
if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) {
r = 1;
debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host);
break;
}
}
if (!r) {
X509_free(cert);
debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
return 0;
}
}
if (!r) {
X509_free(cert);
debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
return 0;
}
}
if (conf->certuriregex) {
......