Commit 4f87524a authored by venaas's avatar venaas Committed by venaas

skip match of cert vs host when host contains / (prefix)

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@189 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent 7f9ecad0
...@@ -600,46 +600,48 @@ int tlsverifycert(SSL *ssl, struct clsrvconf *conf) { ...@@ -600,46 +600,48 @@ int tlsverifycert(SSL *ssl, struct clsrvconf *conf) {
debug(DBG_ERR, "tlsverifycert: failed to obtain certificate"); debug(DBG_ERR, "tlsverifycert: failed to obtain certificate");
return 0; return 0;
} }
if (inet_pton(AF_INET, conf->host, &addr))
type = AF_INET;
else if (inet_pton(AF_INET6, conf->host, &addr))
type = AF_INET6;
r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL); if (conf->prefixlen == 255) {
if (r) { if (inet_pton(AF_INET, conf->host, &addr))
if (r < 0) { type = AF_INET;
X509_free(cert); else if (inet_pton(AF_INET6, conf->host, &addr))
debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host); type = AF_INET6;
return 0;
} r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host); if (r) {
} else { if (r < 0) {
nm = X509_get_subject_name(cert); X509_free(cert);
loc = -1; debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
for (;;) { return 0;
loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc); }
if (loc == -1) debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
break; } else {
e = X509_NAME_get_entry(nm, loc); nm = X509_get_subject_name(cert);
s = X509_NAME_ENTRY_get_data(e); loc = -1;
v = (char *) ASN1_STRING_data(s); for (;;) {
l = ASN1_STRING_length(s); loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
if (l < 0) if (loc == -1)
continue; break;
e = X509_NAME_get_entry(nm, loc);
s = X509_NAME_ENTRY_get_data(e);
v = (char *) ASN1_STRING_data(s);
l = ASN1_STRING_length(s);
if (l < 0)
continue;
#ifdef DEBUG #ifdef DEBUG
printfchars(NULL, "cn", NULL, v, l); printfchars(NULL, "cn", NULL, v, l);
#endif #endif
if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) { if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) {
r = 1; r = 1;
debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host); debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host);
break; break;
}
}
if (!r) {
X509_free(cert);
debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
return 0;
} }
}
if (!r) {
X509_free(cert);
debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
return 0;
} }
} }
if (conf->certuriregex) { if (conf->certuriregex) {
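Review bot: Behind the new `if (conf->prefixlen == 255)` guard a peer configured with an address prefix gets neither the subjectaltname nor the CN comparison, so the only identity binding left for such a peer is the `certuriregex` test that follows — without that option any certificate the configured CA signs is accepted for the prefix. That is what the commit message says it intends, but the guard should state it, e.g. `/* host is an address prefix, not a name: nothing to match against SAN/CN; identity rests on certuriregex */`, and the skip should be visible in the log, `else debug(DBG_DBG, "tlsverifycert: host %s is a prefix, skipping subjectaltname/cn match", conf->host);`. It would also be worth rejecting, or at least warning about, a prefix peer that has no `certuriregex` configured, since the check it relied on is now gone. The enclosing tlsverifycert body starts and ends outside the hunk; `type` is read in the ternary and must be zero-initialised earlier in the function, which this hunk does not show.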