summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorvenaas <venaas>2007-10-31 12:16:11 +0000
committervenaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>2007-10-31 12:16:11 +0000
commit4f87524ad119741cbefeba292c826769e816e88d (patch)
tree87a357dab4c36364d735ebdc291b37d2ed2244dd
parent7f9ecad0e56321d3c759621f0177dcd80ef0d0dd (diff)
skip match of cert vs host when host contains / (prefix)
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@189 e88ac4ed-0b26-0410-9574-a7f39faa03bf
-rw-r--r--radsecproxy.c74
1 files changed, 38 insertions, 36 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index 9ebe7dc..cb729fe 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -600,46 +600,48 @@ int tlsverifycert(SSL *ssl, struct clsrvconf *conf) {
debug(DBG_ERR, "tlsverifycert: failed to obtain certificate");
return 0;
}
-
- if (inet_pton(AF_INET, conf->host, &addr))
- type = AF_INET;
- else if (inet_pton(AF_INET6, conf->host, &addr))
- type = AF_INET6;
- r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
- if (r) {
- if (r < 0) {
- X509_free(cert);
- debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
- return 0;
- }
- debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
- } else {
- nm = X509_get_subject_name(cert);
- loc = -1;
- for (;;) {
- loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
- if (loc == -1)
- break;
- e = X509_NAME_get_entry(nm, loc);
- s = X509_NAME_ENTRY_get_data(e);
- v = (char *) ASN1_STRING_data(s);
- l = ASN1_STRING_length(s);
- if (l < 0)
- continue;
+ if (conf->prefixlen == 255) {
+ if (inet_pton(AF_INET, conf->host, &addr))
+ type = AF_INET;
+ else if (inet_pton(AF_INET6, conf->host, &addr))
+ type = AF_INET6;
+
+ r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, conf->host, NULL);
+ if (r) {
+ if (r < 0) {
+ X509_free(cert);
+ debug(DBG_DBG, "tlsverifycert: No subjectaltname matching %s %s", type ? "address" : "host", conf->host);
+ return 0;
+ }
+ debug(DBG_DBG, "tlsverifycert: Found subjectaltname matching %s %s", type ? "address" : "host", conf->host);
+ } else {
+ nm = X509_get_subject_name(cert);
+ loc = -1;
+ for (;;) {
+ loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
+ if (loc == -1)
+ break;
+ e = X509_NAME_get_entry(nm, loc);
+ s = X509_NAME_ENTRY_get_data(e);
+ v = (char *) ASN1_STRING_data(s);
+ l = ASN1_STRING_length(s);
+ if (l < 0)
+ continue;
#ifdef DEBUG
- printfchars(NULL, "cn", NULL, v, l);
+ printfchars(NULL, "cn", NULL, v, l);
#endif
- if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) {
- r = 1;
- debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host);
- break;
+ if (l == strlen(conf->host) && !strncasecmp(conf->host, v, l)) {
+ r = 1;
+ debug(DBG_DBG, "tlsverifycert: Found cn matching host %s", conf->host);
+ break;
+ }
+ }
+ if (!r) {
+ X509_free(cert);
+ debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
+ return 0;
}
- }
- if (!r) {
- X509_free(cert);
- debug(DBG_ERR, "tlsverifycert: cn not matching host %s", conf->host);
- return 0;
}
}
if (conf->certuriregex) {