skip match of cert vs host when host contains / (prefix)

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@189 e88ac4ed-0b26-0410-9574-a7f39faa03bf

skip match of cert vs host when host contains / (prefix)
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@189 e88ac4ed-0b26-0410-9574-a7f39faa03bf
4f87524a · venaas · venaas · 7f9ecad0 · 4f87524a
Commit 4f87524a authored Oct 31, 2007 by venaas Committed by venaas Oct 31, 2007
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -600,46 +600,48 @@ int tlsverifycert(SSL *ssl, struct clsrvconf *conf) {
 	debug(DBG_ERR, "tlsverifycert: failed to obtain certificate");
 	return 0;
    }
-    if (inet_pton(AF_INET, conf->host, &addr))
-	type = AF_INET;
-    else if (inet_pton(AF_INET6, conf->host, &addr))
-	type = AF_INET6;
-    r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
+    if (conf->prefixlen == 255) {
-    if (r) {
+	if (inet_pton(AF_INET, conf->host, &addr))
-	if (r < 0) {
+	    type = AF_INET;
-	    X509_free(cert);
+	else if (inet_pton(AF_INET6, conf->host, &addr))
-	    debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
+	    type = AF_INET6;
-	    return 0;
-	}
+	r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
-	debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
+	if (r) {
-    } else {
+	    if (r < 0) {
-	nm = X509_get_subject_name(cert);
+		X509_free(cert);
-	loc = -1;
+		debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
-	for (;;) {
+		return 0;
-	    loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
+	    }
-	    if (loc == -1)
+	    debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
-		break;
+	} else {
-	    e = X509_NAME_get_entry(nm, loc);
+	    nm = X509_get_subject_name(cert);
-	    s = X509_NAME_ENTRY_get_data(e);
+	    loc = -1;
-	    v = (char *) ASN1_STRING_data(s);
+	    for (;;) {
-	    l = ASN1_STRING_length(s);
+		loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
-	    if (l < 0)
+		if (loc == -1)
-		continue;
+		    break;
+		e = X509_NAME_get_entry(nm, loc);
+		s = X509_NAME_ENTRY_get_data(e);
+		v = (char *) ASN1_STRING_data(s);
+		l = ASN1_STRING_length(s);
+		if (l < 0)
+		    continue;
 #ifdef DEBUG
-	    printfchars(NULL, "cn", NULL, v, l);
+		printfchars(NULL, "cn", NULL, v, l);
 #endif	    
-	    if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) {
+		if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) {
-		r = 1;
+		    r = 1;
-		debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host);
+		    debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host);
-		break;
+		    break;
+		}
+	    }
+	    if (!r) {
+		X509_free(cert);
+		debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
+		return 0;
 	    }
-	}
-	if (!r) {
-	    X509_free(cert);
-	    debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
-	    return 0;
 	}
    }
    if (conf->certuriregex) {