| author | venaas <venaas> | 2008-04-29 11:49:16 +0000 | 
|---|---|---|
| committer | venaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf> | 2008-04-29 11:49:16 +0000 | 
| commit | 6b99b3dc0fcce1ebd639c93e9a74c1b61da8befe (patch) | |
| tree | f1f781b591759fe3680d1987542b09bebbc964e0 | |
| parent | b4644fb5a08feffaf1a433cf39c37b04d6f16f6d (diff) | |
added certificatenamecheck option to client/server for disabling default altsubjectname/cn check
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@245 e88ac4ed-0b26-0410-9574-a7f39faa03bf
| -rw-r--r-- | gconfig.c | 32 | ||||
| -rw-r--r-- | gconfig.h | 1 | ||||
| -rw-r--r-- | radsecproxy.c | 20 | ||||
| -rw-r--r-- | radsecproxy.h | 1 | 
4 files changed, 32 insertions, 22 deletions
| 
@@ -153,6 +153,7 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
     char line[1024];
     /* initialise lots of stuff to avoid stupid compiler warnings */
     char *tokens[3], *s, *opt = NULL, *val = NULL, *word, *optval, **str = NULL, ***mstr = NULL;
+    uint8_t *bln;
     int type = 0, tcount, conftype = 0, n;
     void (*cbk)(struct gconffile **, char *, char *, char *) = NULL;
@@ -230,6 +231,11 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
 		if (!mstr)
 		    debugx(1, DBG_ERR, "getgenericconfig: internal parameter error");
 		break;
+	    case CONF_BLN:
+		bln = va_arg(ap, uint8_t *);
+		if (!bln)
+		    debugx(1, DBG_ERR, "getgenericconfig: internal parameter error");
+		break;
 	    case CONF_CBK:
 		cbk = va_arg(ap, void (*)(struct gconffile **, char *, char *, char *));
 		break;
@@ -247,7 +253,7 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
 	    debugx(1, DBG_ERR, "configuration error, unknown option %s", opt);
 	}
-	if (((type == CONF_STR || type == CONF_MSTR) && conftype != CONF_STR) ||
+	if (((type == CONF_STR || type == CONF_MSTR || type == CONF_BLN) && conftype != CONF_STR) ||
 	    (type == CONF_CBK && conftype != CONF_CBK)) {
 	    if (block)
 		debugx(1, DBG_ERR, "configuration error in block %s, wrong syntax for option %s", block, opt);
@@ -256,10 +262,6 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
 	switch (type) {
 	case CONF_STR:
-	    if (block)
-		debug(DBG_DBG, "getgenericconfig: block %s: %s = %s", block, opt, val);
-	    else 
-		debug(DBG_DBG, "getgenericconfig: %s = %s", opt, val);
 	    if (*str)
 		debugx(1, DBG_ERR, "configuration error, option %s already set to %s", opt, *str);
 	    *str = stringcopy(val, 0);
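Review bot: `uint8_t *bln;` in the -153 hunk is the only pointer in that declaration run left without an initializer, while the neighbouring `*opt`, `*val`, `**str` and `***mstr` are all set to NULL under the "avoid stupid compiler warnings" comment, so the same maybe-uninitialized warning is likely to reappear at the `*bln` stores later in the function. Logically it is safe, because `type == CONF_BLN` only holds after the va_arg assignment in the -231 hunk and that assignment is checked for NULL, but the line should read `uint8_t *bln = NULL;` to match its siblings. If gconfig.c does not already include <stdint.h> for the other uint8_t uses, that include is needed too; it is not visible in this diff. getgenericconfig's body continues past this hunk.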
@@ -267,10 +269,6 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
 		debugx(1, DBG_ERR, "malloc failed");
 	    break;
 	case CONF_MSTR:
-	    if (block)
-		debug(DBG_DBG, "getgenericconfig: block %s: %s = %s", block, opt, val);
-	    else 
-		debug(DBG_DBG, "getgenericconfig: %s = %s", opt, val);
 	    if (*mstr)
 		for (n = 0; (*mstr)[n]; n++);
 	    else
@@ -281,6 +279,16 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
 	    (*mstr)[n] = stringcopy(val, 0);
 	    (*mstr)[n + 1] = NULL;
 	    break;
+	case CONF_BLN:
+	    if (!strcasecmp(val, "on"))
+		*bln = 1;
+	    else if (!strcasecmp(val, "off"))
+		*bln = 0;
+	    else if (block)
+		debugx(1, DBG_ERR, "configuration error in block %s, value for option %s must be on or off, not %s", block, opt, val);
+	    else
+		debugx(1, DBG_ERR, "configuration error, value for option %s must be on or off, not %s", opt, val);
+	    break;
 	case CONF_CBK:
 	    optval = malloc(strlen(opt) + strlen(val) + 2);
 	    if (!optval)
@@ -288,9 +296,13 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
 	    sprintf(optval, "%s %s", opt, val);
 	    cbk(cf, optval, opt, val);
 	    free(optval);
-	    break;
+	    continue;
 	default:
 	    debugx(1, DBG_ERR, "getgenericconfig: internal parameter error");
 	}
+	if (block)
+	    debug(DBG_DBG, "getgenericconfig: block %s: %s = %s", block, opt, val);
+	else 
+	    debug(DBG_DBG, "getgenericconfig: %s = %s", opt, val);
     }
 }
@@ -1,6 +1,7 @@
 #define CONF_STR 1
 #define CONF_CBK 2
 #define CONF_MSTR 3
+#define CONF_BLN 4
 struct gconffile {
     char *path;
diff --git a/radsecproxy.c b/radsecproxy.c
index 01d032b..3f78f5b 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
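Review bot: The debug line that the -296 hunk moves to the end of the loop prints the raw `val` of every option that does not `continue`, and both confclient_cb and confserver_cb in the radsecproxy.c hunks route `"secret"` through this CONF_STR path, so shared secrets are written verbatim to DBG_DBG output for every client and server block. The removed per-case lines did the same, but now that the message is emitted from one place it is the natural spot to redact it, e.g. `debug(DBG_DBG, "getgenericconfig: %s = %s", opt, strcasecmp(opt, "secret") ? val : "<hidden>");` with the block variant changed the same way, or to drop the value from the message entirely. The CONF_BLN case added in the -279 hunk reaches the same line, which is harmless since it only ever prints on or off. getgenericconfig closes inside this hunk; its opening lines are in the earlier hunks.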
@@ -766,7 +766,7 @@ int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
     uint8_t type = 0; /* 0 for DNS, AF_INET for IPv4, AF_INET6 for IPv6 */
     struct in6_addr addr;
-    if (conf->prefixlen == 255) {
+    if (conf->certnamecheck && conf->prefixlen == 255) {
 	if (inet_pton(AF_INET, conf->host, &addr))
 	    type = AF_INET;
 	else if (inet_pton(AF_INET6, conf->host, &addr))
@@ -2960,6 +2960,7 @@ void confclient_cb(struct gconffile **cf, char *block, char *opt, char *val) {
     if (!conf || !list_push(clconfs, conf))
 	debugx(1, DBG_ERR, "malloc failed");
     memset(conf, 0, sizeof(struct clsrvconf));
+    conf->certnamecheck = 1;
     getgenericconfig(cf, block,
 		     "type", CONF_STR, &type,
@@ -2967,6 +2968,7 @@ void confclient_cb(struct gconffile **cf, char *block, char *opt, char *val) {
 		     "secret", CONF_STR, &conf->secret,
 		     "tls", CONF_STR, &tls,
 		     "matchcertificateattribute", CONF_STR, &matchcertattr,
+		     "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
 		     "rewrite", CONF_STR, &rewrite,
 		     "rewriteattribute", CONF_STR, &rewriteattr,
 		     NULL
@@ -3014,7 +3016,7 @@ void confclient_cb(struct gconffile **cf, char *block, char *opt, char *val) {
 }
 void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
-    char *type = NULL, *tls = NULL, *matchcertattr = NULL, *statusserver = NULL, *rewrite = NULL;
+    char *type = NULL, *tls = NULL, *matchcertattr = NULL, *rewrite = NULL;
     struct clsrvconf *conf;
     debug(DBG_DBG, "confserver_cb called for %s", block);
@@ -3023,6 +3025,7 @@ void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
     if (!conf || !list_push(srvconfs, conf))
 	debugx(1, DBG_ERR, "malloc failed");
     memset(conf, 0, sizeof(struct clsrvconf));
+    conf->certnamecheck = 1;
     getgenericconfig(cf, block,
 		     "type", CONF_STR, &type,
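Review bot: With `conf->certnamecheck` cleared, the -766 hunk makes verifyconfcert skip the branch that resolves `conf->host` and, from what is visible, the subsequent comparison of the peer certificate against it, so a certificate then appears to be accepted on chain validity alone (plus matchcertificateattribute where configured); that is the option's purpose, but nothing in the hunk records that the check was skipped. An else branch such as `debug(DBG_DBG, "verifyconfcert: CertificateNameCheck off for %s, skipping name check", conf->host);` would let an operator reading DBG_DBG output see why a name mismatch went unreported; what the function returns when the branch is skipped is outside this hunk and should be confirmed. Setting `conf->certnamecheck = 1;` right after the memset in both confclient_cb and confserver_cb gives the secure default; a short comment on those two lines, e.g. `/* CertificateNameCheck defaults to on */`, would make that intent explicit. verifyconfcert starts and ends outside this hunk.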
@@ -3030,9 +3033,10 @@ void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
 		     "port", CONF_STR, &conf->port,
 		     "secret", CONF_STR, &conf->secret,
 		     "tls", CONF_STR, &tls,
-		     "matchcertificateattribute", CONF_STR, &matchcertattr,
+		     "MatchCertificateAttribute", CONF_STR, &matchcertattr,
 		     "rewrite", CONF_STR, &rewrite,
-		     "StatusServer", CONF_STR, &statusserver,
+		     "StatusServer", CONF_BLN, &conf->statusserver,
+		     "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
 		     NULL
 		     );
@@ -3073,14 +3077,6 @@ void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
 	    debugx(1, DBG_ERR, "error in block %s, secret must be specified for UDP", block);
 	conf->secret = stringcopy(DEFAULT_TLS_SECRET, 0);
     }
-    
-    if (statusserver) {
-	if (!strcasecmp(statusserver, "on"))
-	    conf->statusserver = 1;
-	else if (strcasecmp(statusserver, "off"))
-	    debugx(1, DBG_ERR, "error in block %s, StatusServer is %s, must be on or off", block, statusserver);
-	free(statusserver);
-    }
 }
 void confrealm_cb(struct gconffile **cf, char *block, char *opt, char *val) {
diff --git a/radsecproxy.h b/radsecproxy.h
index f60d3a3..2ba6153 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -84,6 +84,7 @@ struct clsrvconf {
     regex_t *rewriteattrregex;
     char *rewriteattrreplacement;
     uint8_t statusserver;
+    uint8_t certnamecheck;
     SSL_CTX *ssl_ctx;
     struct rewrite *rewrite;
     struct addrinfo *addrinfo; | 
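Review bot: The -3033 hunk renames the server option string from `"matchcertificateattribute"` to `"MatchCertificateAttribute"` while the client table in the earlier -2968 hunk keeps the lowercase spelling; that is only harmless if getgenericconfig matches option names case-insensitively, which these hunks do not show (the unknown-option error path in the -253 hunk is visible, the comparison itself is not). If the lookup is case-sensitive, existing server configurations written with the lowercase name would now be rejected with "unknown option"; if it is case-insensitive, use one spelling in both callbacks so the two tables can be compared by eye. Replacing the hand-rolled on/off parsing of StatusServer in the -3077 hunk with CONF_BLN is a clean consolidation and removes the strdup/free round trip. confserver_cb starts outside this hunk.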
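Review bot: `uint8_t certnamecheck;` joins `statusserver` in struct clsrvconf without a comment, and the field is security-relevant: it is defaulted to 1 in confclient_cb and confserver_cb, and when 0 it makes verifyconfcert skip matching the peer certificate's subjectAltName/CN against the configured host. A one-line comment at the field, e.g. `uint8_t certnamecheck; /* CertificateNameCheck option, default on; off skips the host vs. subjectAltName/CN check in verifyconfcert */`, would make that visible where the struct is read rather than only in the commit message. struct clsrvconf starts and ends outside this hunk.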
