Don't mix up pre- and post-handshake verification of clients.

When verifying clients, don't consider config blocks with CA settings ('tls') which differ from the one used for verifying the certificate chain. Reported by Ralf Paffrath. Reported and analysed by Ralf Paffrath. Addresses issue RADSECPROXY-43.

Don't mix up pre- and post-handshake verification of clients.
When verifying clients, don't consider config blocks with CA settings ('tls') which differ from the one used for verifying the certificate chain. Reported by Ralf Paffrath. Reported and analysed by Ralf Paffrath. Addresses issue RADSECPROXY-43.
db965c9b · Linus Nordberg · 8d287300 · db965c9b · db965c9b
Commit db965c9b authored Sep 13, 2012 by Linus Nordberg
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 13 deletions

ChangeLog ChangeLog +10 -0

tls.c tls.c +15 -13

No files found.
--- a/ChangeLog
+++ b/ChangeLog
+2012-09-14 1.6.1-dev
+	Bug fixes (security):
+	- When verifying clients, don't consider config blocks with CA
+	settings ('tls') which differ from the one used for verifying the
+	certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43)
+
+	Bug fixes:
+	- Make naptr-eduroam.sh check NAPTR type case insensitively.
+	  Fix from Adam Osuchowski.
+
 2012-04-27 1.6
 	Incompatible changes:
 	- The default shared secret for TLS and DTLS connections change

--- a/tls.c
+++ b/tls.c
@@ -385,6 +385,7 @@ void *tlsservernew(void *arg) {
    SSL_CTX *ctx = NULL;
    unsigned long error;
    struct client *client;
+    struct tls *accepted_tls = NULL;

    s = *(int *)arg;
    if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
@@ -412,22 +413,23 @@ void *tlsservernew(void *arg) {
 	cert = verifytlscert(ssl);
 	if (!cert)
 	    goto exit;
+        accepted_tls = conf->tlsconf;
    }

    while (conf) {
-	if (verifyconfcert(cert, conf)) {
-	    X509_free(cert);
-	    client = addclient(conf, 1);
-	    if (client) {
-		client->ssl = ssl;
-		client->addr = addr_copy((struct sockaddr *)&from);
-		tlsserverrd(client);
-		removeclient(client);
-	    } else
-		debug(DBG_WARN, "tlsservernew: failed to create new client instance");
-	    goto exit;
-	}
-	conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
+        if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
+            X509_free(cert);
+            client = addclient(conf, 1);
+            if (client) {
+                client->ssl = ssl;
+                client->addr = addr_copy((struct sockaddr *)&from);
+                tlsserverrd(client);
+                removeclient(client);
+            } else
+                debug(DBG_WARN, "tlsservernew: failed to create new client instance");
+            goto exit;
+        }
+        conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
    }
    debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
    if (cert)