Commit db965c9b authored by Linus Nordberg's avatar Linus Nordberg

Don't mix up pre- and post-handshake verification of clients.

When verifying clients, don't consider config blocks with CA
settings ('tls') which differ from the one used for verifying the
certificate chain. Reported by Ralf Paffrath.

Reported and analysed by Ralf Paffrath.

Addresses issue RADSECPROXY-43.
parent 8d287300
2012-09-14 1.6.1-dev
Bug fixes (security):
- When verifying clients, don't consider config blocks with CA
settings ('tls') which differ from the one used for verifying the
certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43)
Bug fixes:
- Make naptr-eduroam.sh check NAPTR type case insensitively.
Fix from Adam Osuchowski.
2012-04-27 1.6
Incompatible changes:
- The default shared secret for TLS and DTLS connections change
......
......@@ -385,6 +385,7 @@ void *tlsservernew(void *arg) {
SSL_CTX *ctx = NULL;
unsigned long error;
struct client *client;
struct tls *accepted_tls = NULL;
s = *(int *)arg;
if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
......@@ -412,22 +413,23 @@ void *tlsservernew(void *arg) {
cert = verifytlscert(ssl);
if (!cert)
goto exit;
accepted_tls = conf->tlsconf;
}
while (conf) {
if (verifyconfcert(cert, conf)) {
X509_free(cert);
client = addclient(conf, 1);
if (client) {
client->ssl = ssl;
client->addr = addr_copy((struct sockaddr *)&from);
tlsserverrd(client);
removeclient(client);
} else
debug(DBG_WARN, "tlsservernew: failed to create new client instance");
goto exit;
}
conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
X509_free(cert);
client = addclient(conf, 1);
if (client) {
client->ssl = ssl;
client->addr = addr_copy((struct sockaddr *)&from);
tlsserverrd(client);
removeclient(client);
} else
debug(DBG_WARN, "tlsservernew: failed to create new client instance");
goto exit;
}
conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
}
debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
if (cert)
......
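Review bot: The new condition `if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf))` carries the whole fix, but nothing in the hunk says why comparing 'tls' blocks by pointer is required, so a later cleanup could drop it as redundant with verifyconfcert; add a comment above the line such as `/* Only consider client blocks whose 'tls' settings are the ones the certificate chain was verified against; a block with different CA settings must not accept this certificate. */`. The check depends on `accepted_tls` being assigned on the same path that called `verifytlscert`, and the enclosing `if` that does so, like the rest of tlsservernew, starts and ends outside the hunk, so it cannot be confirmed here that no path leaves `accepted_tls` NULL while `conf` is non-NULL — if one exists, a client block with a NULL `tlsconf` would compare equal. The loop body is printed on both sides with identical text, which suggests a re-indentation that this rendered page does not show.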